CVE-2024-40914

Updated:

Description:

In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: don't unpoison huge_zero_folio When I did memory failure tests recently, below panic occurs: kernel BUG at include/linux/mm.h:1135! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14 RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0 RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246 RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0 RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492 R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00 FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0 Call Trace: <TASK> do_shrink_slab+0x14f/0x6a0 shrink_slab+0xca/0x8c0 shrink_node+0x2d0/0x7d0 balance_pgdat+0x33a/0x720 kswapd+0x1f3/0x410 kthread+0xd5/0x100 ret_from_fork+0x2f/0x50 ret_from_fork_asm+0x1a/0x30 </TASK> Modules linked in: mce_inject hwpoison_inject ---[ end trace 0000000000000000 ]--- RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0 RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246 RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0 RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492 R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00 FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0 The root cause is that HWPoison flag will be set for huge_zero_folio without increasing the folio refcnt. But then unpoison_memory() will decrease the folio refcnt unexpectedly as it appears like a successfully hwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when releasing huge_zero_folio. Skip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue. We're not prepared to unpoison huge_zero_folio yet.

CVSS3: 5.5


Vendor State

OS Vendor version Errata
Ubuntu 22.04 5.15.0-121.131 USN-7007-1
Ubuntu 22.04 AWS 5.15.0-1069.75 USN-7007-1
Ubuntu 22.04 Azure 5.15.0-1072.81 USN-7009-1
RHEL 9 5.14.0-427.33.1.el9_4 RHSA-2024:5928
Oracle Linux 9 5.14.0-427.33.1.el9_4 ELSA-2024-5928
Ubuntu 20.04 HWE AWS 5.15.0-1069.75~20.04.1 USN-7007-1
Ubuntu 20.04 HWE Azure 5.15.0-1072.81~20.04.1 USN-7009-1
Rocky Linux 9 5.14.0-427.33.1.el9_4 RLSA-2024:5928
AlmaLinux 9 5.14.0-427.33.1.el9_4 ALSA-2024:5928
Oracle Linux 9 UEK 7 5.15.0-210.163.7.el9uek ELSA-2024-12618
Oracle Linux 8 UEK 7 5.15.0-210.163.7.el8uek ELSA-2024-12618
Debian 12 6.1.99-1 DSA-5731-1
Ubuntu 24.04 6.8.0-44.44 USN-6999-1

KernelCare State

OS Original kernel version State
Ubuntu 22.04
In Progress
Ubuntu 22.04 AWS
In Progress
Ubuntu 22.04 Azure
Planned
RHEL 9
5.14.0-70.17.1.el9_0 show all hide all
5.14.0-70.22.1.el9_0 5.14.0-70.5.1.el9_0 5.14.0-70.13.1.el9_0 5.14.0-70.26.1.el9_0 5.14.0-70.30.1.el9_0 5.14.0-162.6.1.el9_1 5.14.0-162.12.1.el9_1 5.14.0-162.18.1.el9_1 5.14.0-162.22.2.el9_1 5.14.0-162.23.1.el9_1 5.14.0-284.11.1.el9_2 5.14.0-284.18.1.el9_2 5.14.0-284.25.1.el9_2 5.14.0-284.30.1.el9_2 5.14.0-362.8.1.el9_3 5.14.0-362.13.1.el9_3 5.14.0-362.18.1.el9_3 5.14.0-362.24.1.el9_3 5.14.0-427.13.1.el9_4 5.14.0-427.16.1.el9_4 5.14.0-427.18.1.el9_4 5.14.0-427.20.1.el9_4 5.14.0-427.22.1.el9_4 5.14.0-427.24.1.el9_4 5.14.0-427.26.1.el9_4 5.14.0-427.28.1.el9_4 5.14.0-427.31.1.el9_4
Released
Oracle Linux 9
5.14.0-70.13.1.0.3.el9_0 show all hide all
5.14.0-70.17.1.0.1.el9_0 5.14.0-70.22.1.0.1.el9_0 5.14.0-70.26.1.0.1.el9_0 5.14.0-162.6.1.el9_1 5.14.0-284.11.1.el9_2 5.14.0-162.23.1.el9_1 5.14.0-162.22.2.el9_1 5.14.0-162.18.1.el9_1 5.14.0-162.12.1.el9_1 5.14.0-70.30.1.0.1.el9_0 5.14.0-284.18.1.el9_2 5.14.0-284.25.1.el9_2 5.14.0-284.25.1.0.1.el9_2 5.14.0-284.30.0.1.el9_2 5.14.0-284.30.1.el9_2 5.14.0-362.8.1.el9_3 5.14.0-362.13.0.1.el9_3 5.14.0-362.13.1.el9_3 5.14.0-362.18.0.1.el9_3 5.14.0-362.18.0.2.el9_3 5.14.0-362.18.1.el9_3 5.14.0-362.24.1.el9_3 5.14.0-362.24.1.0.1.el9_3 5.14.0-427.13.1.el9_4 5.14.0-427.16.1.el9_4 5.14.0-362.24.1.0.2.el9_3 5.14.0-427.18.1.el9_4 5.14.0-427.20.1.el9_4 5.14.0-427.22.1.el9_4 5.14.0-427.24.1.el9_4 5.14.0-427.26.1.el9_4 5.14.0-427.28.1.el9_4 5.14.0-427.31.1.el9_4
Released
Ubuntu 20.04 HWE AWS
In Progress
Ubuntu 20.04 HWE Azure
Planned
Rocky Linux 9
5.14.0-162.6.1.el9_1 show all hide all
5.14.0-70.26.1.el9_0 5.14.0-70.30.1.el9_0 5.14.0-70.22.1.el9_0 5.14.0-162.6.1.el9_1.0.1 5.14.0-162.18.1.el9_1 5.14.0-162.12.1.el9_1.0.1 5.14.0-162.12.1.el9_1.0.2 5.14.0-162.22.2.el9_1 5.14.0-162.23.1.el9_1 5.14.0-284.30.1.el9_2 5.14.0-362.8.1.el9_3 5.14.0-362.13.1.el9_3 5.14.0-362.18.1.el9_3 5.14.0-362.24.1.el9_3 5.14.0-362.18.1.el9_3.0.1 5.14.0-427.16.1.el9_4 5.14.0-362.24.1.el9_3.0.1 5.14.0-427.18.1.el9_4 5.14.0-427.20.1.el9_4 5.14.0-427.24.1.el9_4 5.14.0-427.26.1.el9_4 5.14.0-427.28.1.el9_4 5.14.0-427.20.1.el9_4.0.1 5.14.0-427.22.1.el9_4 5.14.0-427.31.1.el9_4
Released
AlmaLinux 9
5.14.0-162.6.1.el9_1 show all hide all
5.14.0-70.26.1.el9_0 5.14.0-70.30.1.el9_0 5.14.0-70.17.1.el9_0 5.14.0-70.22.1.el9_0 5.14.0-162.12.1.el9_1 5.14.0-162.18.1.el9_1 5.14.0-162.22.2.el9_1 5.14.0-162.23.1.el9_1 5.14.0-284.11.1.el9_2 5.14.0-284.18.1.el9_2 5.14.0-70.13.1.el9_0 5.14.0-284.25.1.el9_2 5.14.0-284.30.1.el9_2 5.14.0-362.8.1.el9_3 5.14.0-362.13.1.el9_3 5.14.0-362.18.1.el9_3 5.14.0-362.24.1.el9_3 5.14.0-427.13.1.el9_4 5.14.0-427.16.1.el9_4 5.14.0-362.24.2.el9_3 5.14.0-427.18.1.el9_4 5.14.0-427.20.1.el9_4 5.14.0-427.24.1.el9_4 5.14.0-427.26.1.el9_4 5.14.0-427.28.1.el9_4 5.14.0-427.22.1.el9_4 5.14.0-427.31.1.el9_4
Released
Oracle Linux 9 UEK 7
Planned
Oracle Linux 8 UEK 7
Planned
Debian 12
Planned
Ubuntu 24.04
Planned