{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-12T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mm/huge_memory: don't unpoison huge_zero_folio",
    "id" : "2297498",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2297498"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-911",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm/huge_memory: don't unpoison huge_zero_folio\nWhen I did memory failure tests recently, below panic occurs:\nkernel BUG at include/linux/mm.h:1135!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14\nRIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\nRSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\nRAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\nRBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\nR10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\nFS:  0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\nCall Trace:\n<TASK>\ndo_shrink_slab+0x14f/0x6a0\nshrink_slab+0xca/0x8c0\nshrink_node+0x2d0/0x7d0\nbalance_pgdat+0x33a/0x720\nkswapd+0x1f3/0x410\nkthread+0xd5/0x100\nret_from_fork+0x2f/0x50\nret_from_fork_asm+0x1a/0x30\n</TASK>\nModules linked in: mce_inject hwpoison_inject\n---[ end trace 0000000000000000 ]---\nRIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\nRSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\nRAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\nRBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\nR10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\nFS:  0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\nThe root cause is that HWPoison flag will be set for huge_zero_folio\nwithout increasing the folio refcnt.  But then unpoison_memory() will\ndecrease the folio refcnt unexpectedly as it appears like a successfully\nhwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when\nreleasing huge_zero_folio.\nSkip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue. \nWe're not prepared to unpoison huge_zero_folio yet.", "A vulnerability was found in the unpoison_memory() function of the Linux kernel's memory management component. Improper handling of huge_zero_folio when memory failures occur can lead to a kernel panic due to an erroneous reference count." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-28T00:00:00Z",
    "advisory" : "RHSA-2024:5928",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.33.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-28T00:00:00Z",
    "advisory" : "RHSA-2024:5928",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.33.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-09-04T00:00:00Z",
    "advisory" : "RHSA-2024:6267",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.82.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-09-04T00:00:00Z",
    "advisory" : "RHSA-2024:6268",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.82.1.rt14.367.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-40914\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40914\nhttps://lore.kernel.org/linux-cve-announce/2024071210-CVE-2024-40914-0e04@gregkh/T" ],
  "name" : "CVE-2024-40914",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}