{ "threat_severity" : "Moderate", "public_date" : "2025-01-15T00:00:00Z", "bugzilla" : { "description" : "kernel: mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()", "id" : "2338199", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2338199" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-835", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()\nThe task sometimes continues looping in throttle_direct_reclaim() because\nallow_direct_reclaim(pgdat) keeps returning false. \n#0 [ffff80002cb6f8d0] __switch_to at ffff8000080095ac\n#1 [ffff80002cb6f900] __schedule at ffff800008abbd1c\n#2 [ffff80002cb6f990] schedule at ffff800008abc50c\n#3 [ffff80002cb6f9b0] throttle_direct_reclaim at ffff800008273550\n#4 [ffff80002cb6fa20] try_to_free_pages at ffff800008277b68\n#5 [ffff80002cb6fae0] __alloc_pages_nodemask at ffff8000082c4660\n#6 [ffff80002cb6fc50] alloc_pages_vma at ffff8000082e4a98\n#7 [ffff80002cb6fca0] do_anonymous_page at ffff80000829f5a8\n#8 [ffff80002cb6fce0] __handle_mm_fault at ffff8000082a5974\n#9 [ffff80002cb6fd90] handle_mm_fault at ffff8000082a5bd4\nAt this point, the pgdat contains the following two zones:\nNODE: 4 ZONE: 0 ADDR: ffff00817fffe540 NAME: \"DMA32\"\nSIZE: 20480 MIN/LOW/HIGH: 11/28/45\nVM_STAT:\nNR_FREE_PAGES: 359\nNR_ZONE_INACTIVE_ANON: 18813\nNR_ZONE_ACTIVE_ANON: 0\nNR_ZONE_INACTIVE_FILE: 50\nNR_ZONE_ACTIVE_FILE: 0\nNR_ZONE_UNEVICTABLE: 0\nNR_ZONE_WRITE_PENDING: 0\nNR_MLOCK: 0\nNR_BOUNCE: 0\nNR_ZSPAGES: 0\nNR_FREE_CMA_PAGES: 0\nNODE: 4 ZONE: 1 ADDR: ffff00817fffec00 NAME: \"Normal\"\nSIZE: 8454144 PRESENT: 98304 MIN/LOW/HIGH: 68/166/264\nVM_STAT:\nNR_FREE_PAGES: 146\nNR_ZONE_INACTIVE_ANON: 94668\nNR_ZONE_ACTIVE_ANON: 3\nNR_ZONE_INACTIVE_FILE: 735\nNR_ZONE_ACTIVE_FILE: 78\nNR_ZONE_UNEVICTABLE: 0\nNR_ZONE_WRITE_PENDING: 0\nNR_MLOCK: 0\nNR_BOUNCE: 0\nNR_ZSPAGES: 0\nNR_FREE_CMA_PAGES: 0\nIn allow_direct_reclaim(), while processing ZONE_DMA32, the sum of\ninactive/active file-backed pages calculated in zone_reclaimable_pages()\nbased on the result of zone_page_state_snapshot() is zero. \nAdditionally, since this system lacks swap, the calculation of inactive/\nactive anonymous pages is skipped.\ncrash> p nr_swap_pages\nnr_swap_pages = $1937 = {\ncounter = 0\n}\nAs a result, ZONE_DMA32 is deemed unreclaimable and skipped, moving on to\nthe processing of the next zone, ZONE_NORMAL, despite ZONE_DMA32 having\nfree pages significantly exceeding the high watermark.\nThe problem is that the pgdat->kswapd_failures hasn't been incremented.\ncrash> px ((struct pglist_data *) 0xffff00817fffe540)->kswapd_failures\n$1935 = 0x0\nThis is because the node deemed balanced. The node balancing logic in\nbalance_pgdat() evaluates all zones collectively. If one or more zones\n(e.g., ZONE_DMA32) have enough free pages to meet their watermarks, the\nentire node is deemed balanced. This causes balance_pgdat() to exit early\nbefore incrementing the kswapd_failures, as it considers the overall\nmemory state acceptable, even though some zones (like ZONE_NORMAL) remain\nunder significant pressure.\nThe patch ensures that zone_reclaimable_pages() includes free pages\n(NR_FREE_PAGES) in its calculation when no other reclaimable pages are\navailable (e.g., file-backed or anonymous pages). This change prevents\nzones like ZONE_DMA32, which have sufficient free pages, from being\nmistakenly deemed unreclaimable. By doing so, the patch ensures proper\nnode balancing, avoids masking pressure on other zones like ZONE_NORMAL,\nand prevents infinite loops in throttle_direct_reclaim() caused by\nallow_direct_reclaim(pgdat) repeatedly returning false.\nThe kernel hangs due to a task stuck in throttle_direct_reclaim(), caused\nby a node being incorrectly deemed balanced despite pressure in certain\nzones, such as ZONE_NORMAL. This issue arises from\nzone_reclaimable_pages\n---truncated---" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-57884\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-57884\nhttps://lore.kernel.org/linux-cve-announce/2025011510-CVE-2024-57884-4cf8@gregkh/T" ], "name" : "CVE-2024-57884", "csaw" : false }