{
"threat_severity" : "Low",
"public_date" : "2024-06-25T00:00:00Z",
"bugzilla" : {
"description" : "kernel: mm/memory-failure: fix handling of dissolved but not taken off from buddy pages",
"id" : "2294268",
"url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2294268"
},
"cvss3" : {
"cvss3_base_score" : "5.5",
"cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status" : "verified"
},
"cwe" : "CWE-362",
"details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm/memory-failure: fix handling of dissolved but not taken off from buddy pages\nWhen I did memory failure tests recently, below panic occurs:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\nraw: 06fffe0000000000 dead000000000100 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffffff 0000000000000000\npage dumped because: VM_BUG_ON_PAGE(!PageBuddy(page))\n------------[ cut here ]------------\nkernel BUG at include/linux/page-flags.h:1009!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nRIP: 0010:__del_page_from_free_list+0x151/0x180\nRSP: 0018:ffffa49c90437998 EFLAGS: 00000046\nRAX: 0000000000000035 RBX: 0000000000000009 RCX: ffff8dd8dfd1c9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8dd8dfd1c9c0\nRBP: ffffd901233b8000 R08: ffffffffab5511f8 R09: 0000000000008c69\nR10: 0000000000003c15 R11: ffffffffab5511f8 R12: ffff8dd8fffc0c80\nR13: 0000000000000001 R14: ffff8dd8fffc0c80 R15: 0000000000000009\nFS: 00007ff916304740(0000) GS:ffff8dd8dfd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055eae50124c8 CR3: 00000008479e0000 CR4: 00000000000006f0\nCall Trace:\n\n__rmqueue_pcplist+0x23b/0x520\nget_page_from_freelist+0x26b/0xe40\n__alloc_pages_noprof+0x113/0x1120\n__folio_alloc_noprof+0x11/0xb0\nalloc_buddy_hugetlb_folio.isra.0+0x5a/0x130\n__alloc_fresh_hugetlb_folio+0xe7/0x140\nalloc_pool_huge_folio+0x68/0x100\nset_max_huge_pages+0x13d/0x340\nhugetlb_sysctl_handler_common+0xe8/0x110\nproc_sys_call_handler+0x194/0x280\nvfs_write+0x387/0x550\nksys_write+0x64/0xe0\ndo_syscall_64+0xc2/0x1d0\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff916114887\nRSP: 002b:00007ffec8a2fd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000055eae500e350 RCX: 00007ff916114887\nRDX: 0000000000000004 RSI: 000055eae500e390 RDI: 0000000000000003\nRBP: 000055eae50104c0 R08: 0000000000000000 R09: 000055eae50104c0\nR10: 0000000000000077 R11: 0000000000000246 R12: 0000000000000004\nR13: 0000000000000004 R14: 00007ff916216b80 R15: 00007ff916216a00\n\nModules linked in: mce_inject hwpoison_inject\n---[ end trace 0000000000000000 ]---\nAnd before the panic, there had an warning about bad page state:\nBUG: Bad page state in process page-types pfn:8cee00\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\npage_type: 0xffffff7f(buddy)\nraw: 06fffe0000000000 ffffd901241c0008 ffffd901240f8008 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000\npage dumped because: nonzero mapcount\nModules linked in: mce_inject hwpoison_inject\nCPU: 8 PID: 154211 Comm: page-types Not tainted 6.9.0-rc4-00499-g5544ec3178e2-dirty #22\nCall Trace:\n\ndump_stack_lvl+0x83/0xa0\nbad_page+0x63/0xf0\nfree_unref_page+0x36e/0x5c0\nunpoison_memory+0x50b/0x630\nsimple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\ndebugfs_attr_write+0x42/0x60\nfull_proxy_write+0x5b/0x80\nvfs_write+0xcd/0x550\nksys_write+0x64/0xe0\ndo_syscall_64+0xc2/0x1d0\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f189a514887\nRSP: 002b:00007ffdcd899718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f189a514887\nRDX: 0000000000000009 RSI: 00007ffdcd899730 RDI: 0000000000000003\nRBP: 00007ffdcd8997a0 R08: 0000000000000000 R09: 00007ffdcd8994b2\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdcda199a8\nR13: 0000000000404af1 R14: 000000000040ad78 R15: 00007f189a7a5040\n\nThe root cause should be the below race:\nmemory_failure\ntry_memory_failure_hugetlb\nme_huge_page\n__page_handle_poison\ndissolve_free_hugetlb_folio\ndrain_all_pages -- Buddy page can be isolated e.g. for compaction.\ntake_page_off_buddy -- Failed as page is not in the \n---truncated---" ],
"affected_release" : [ {
"product_name" : "Red Hat Enterprise Linux 9",
"release_date" : "2024-11-12T00:00:00Z",
"advisory" : "RHSA-2024:9315",
"cpe" : "cpe:/a:redhat:enterprise_linux:9",
"package" : "kernel-0:5.14.0-503.11.1.el9_5"
}, {
"product_name" : "Red Hat Enterprise Linux 9",
"release_date" : "2024-11-12T00:00:00Z",
"advisory" : "RHSA-2024:9315",
"cpe" : "cpe:/o:redhat:enterprise_linux:9",
"package" : "kernel-0:5.14.0-503.11.1.el9_5"
} ],
"package_state" : [ {
"product_name" : "Red Hat Enterprise Linux 6",
"fix_state" : "Out of support scope",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:6"
}, {
"product_name" : "Red Hat Enterprise Linux 7",
"fix_state" : "Out of support scope",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:7"
}, {
"product_name" : "Red Hat Enterprise Linux 7",
"fix_state" : "Out of support scope",
"package_name" : "kernel-rt",
"cpe" : "cpe:/o:redhat:enterprise_linux:7"
}, {
"product_name" : "Red Hat Enterprise Linux 8",
"fix_state" : "Not affected",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:8"
}, {
"product_name" : "Red Hat Enterprise Linux 8",
"fix_state" : "Not affected",
"package_name" : "kernel-rt",
"cpe" : "cpe:/o:redhat:enterprise_linux:8"
}, {
"product_name" : "Red Hat Enterprise Linux 9",
"fix_state" : "Affected",
"package_name" : "kernel-rt",
"cpe" : "cpe:/o:redhat:enterprise_linux:9"
} ],
"references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-39298\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-39298\nhttps://lore.kernel.org/linux-cve-announce/2024062549-CVE-2024-39298-53e8@gregkh/T" ],
"name" : "CVE-2024-39298",
"csaw" : false
}