{
  "threat_severity" : "Low",
  "public_date" : "2024-08-07T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray",
    "id" : "2303511",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2303511"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray\nPatch series \"mm/filemap: Limit page cache size to that supported by\nxarray\", v2.\nCurrently, xarray can't support arbitrary page cache size.  More details\ncan be found from the WARN_ON() statement in xas_split_alloc().  In our\ntest whose code is attached below, we hit the WARN_ON() on ARM64 system\nwhere the base page size is 64KB and huge page size is 512MB.  The issue\nwas reported long time ago and some discussions on it can be found here\n[1].\n[1] https://www.spinics.net/lists/linux-xfs/msg75404.html\nIn order to fix the issue, we need to adjust MAX_PAGECACHE_ORDER to one\nsupported by xarray and avoid PMD-sized page cache if needed.  The code\nchanges are suggested by David Hildenbrand.\nPATCH[1] adjusts MAX_PAGECACHE_ORDER to that supported by xarray\nPATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path\nPATCH[4] avoids PMD-sized page cache for shmem files if needed\nTest program\n============\n# cat test.c\n#define _GNU_SOURCE\n#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <string.h>\n#include <fcntl.h>\n#include <errno.h>\n#include <sys/syscall.h>\n#include <sys/mman.h>\n#define TEST_XFS_FILENAME \"/tmp/data\"\n#define TEST_SHMEM_FILENAME \"/dev/shm/data\"\n#define TEST_MEM_SIZE 0x20000000\nint main(int argc, char **argv)\n{\nconst char *filename;\nint fd = 0;\nvoid *buf = (void *)-1, *p;\nint pgsize = getpagesize();\nint ret;\nif (pgsize != 0x10000) {\nfprintf(stderr, \"64KB base page size is required\\n\");\nreturn -EPERM;\n}\nsystem(\"echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled\");\nsystem(\"rm -fr /tmp/data\");\nsystem(\"rm -fr /dev/shm/data\");\nsystem(\"echo 1 > /proc/sys/vm/drop_caches\");\n/* Open xfs or shmem file */\nfilename = TEST_XFS_FILENAME;\nif (argc > 1 && !strcmp(argv[1], \"shmem\"))\nfilename = TEST_SHMEM_FILENAME;\nfd = open(filename, O_CREAT | O_RDWR | O_TRUNC);\nif (fd < 0) {\nfprintf(stderr, \"Unable to open <%s>\\n\", filename);\nreturn -EIO;\n}\n/* Extend file size */\nret = ftruncate(fd, TEST_MEM_SIZE);\nif (ret) {\nfprintf(stderr, \"Error %d to ftruncate()\\n\", ret);\ngoto cleanup;\n}\n/* Create VMA */\nbuf = mmap(NULL, TEST_MEM_SIZE,\nPROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\nif (buf == (void *)-1) {\nfprintf(stderr, \"Unable to mmap <%s>\\n\", filename);\ngoto cleanup;\n}\nfprintf(stdout, \"mapped buffer at 0x%p\\n\", buf);\nret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);\nif (ret) {\nfprintf(stderr, \"Unable to madvise(MADV_HUGEPAGE)\\n\");\ngoto cleanup;\n}\n/* Populate VMA */\nret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE);\nif (ret) {\nfprintf(stderr, \"Error %d to madvise(MADV_POPULATE_WRITE)\\n\", ret);\ngoto cleanup;\n}\n/* Punch the file to enforce xarray split */\nret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,\nTEST_MEM_SIZE - pgsize, pgsize);\nif (ret)\nfprintf(stderr, \"Error %d to fallocate()\\n\", ret);\ncleanup:\nif (buf != (void *)-1)\nmunmap(buf, TEST_MEM_SIZE);\nif (fd > 0)\nclose(fd);\nreturn 0;\n}\n# gcc test.c -o test\n# cat /proc/1/smaps | grep KernelPageSize | head -n 1\nKernelPageSize:       64 kB\n# ./test shmem\n:\n------------[ cut here ]------------\nWARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib  \\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct    \\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4    \\\nip_set nf_tables rfkill nfnetlink vfat fat virtio_balloon          \\\ndrm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64  \\\nvirtio_net sha1_ce net_failover failover virtio_console virtio_blk \\\ndimlib virtio_mmio\nCPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TC\n---truncated---" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-09-18T00:00:00Z",
    "advisory" : "RHSA-2024:6744",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.84.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-09-18T00:00:00Z",
    "advisory" : "RHSA-2024:6745",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.84.1.rt14.369.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2024-12-04T00:00:00Z",
    "advisory" : "RHSA-2024:10771",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.47.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-42243\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-42243\nhttps://lore.kernel.org/linux-cve-announce/2024080741-CVE-2024-42243-2ed5@gregkh/T" ],
  "name" : "CVE-2024-42243",
  "csaw" : false
}