CVE-2024-40915 Information

Description

In the Linux kernel the following vulnerability has been resolved:

riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context

__kernel_map_pages() is a debug function which clears the valid bit in page table entry for deallocated pages to detect illegal memory accesses to freed pages.

This function set/clear the valid bit using __set_memory(). __set_memory() acquires init_mm’s semaphore and this operation may sleep. This is problematic because __kernel_map_pages() can be called in atomic context and thus is illegal to sleep. An example warning that this causes:

BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578 in_atomic(): 1 irqs_disabled(): 0 non_block: 0 pid: 2 name: kthreadd preempt_count: 2 expected: 0 CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 37 Hardware name: riscv-virtioqemu (DT) Call Trace: [] dump_backtrace+0x1c/0x24 [] show_stack+0x2c/0x38 [] dump_stack_lvl+0x5a/0x72 [] dump_stack+0x14/0x1c [] __might_resched+0x104/0x10e [] __might_sleep+0x3e/0x62 [] down_write+0x20/0x72 [] __set_memory+0x82/0x2fa [] __kernel_map_pages+0x5a/0xd4 [] __alloc_pages_bulk+0x3b2/0x43a [] __vmalloc_node_range+0x196/0x6ba [] copy_process+0x72c/0x17ec [] kernel_clone+0x60/0x2fe [] kernel_thread+0x82/0xa0 [] kthreadd+0x14a/0x1be [] ret_from_fork+0xe/0x1c

Rewrite this function with apply_to_existing_page_range(). It is fine to not have any locking because __kernel_map_pages() works with pages being allocated/deallocated and those pages are not changed by anyone else in the meantime.

Reference

https://git.kernel.org/stable/c/919f8626099d9909b9a9620b05e8c8ab06581876 https://git.kernel.org/stable/c/8661a7af04991201640863ad1a0983173f84b5eb https://git.kernel.org/stable/c/d5257ceb19d92069195254866421f425aea42915 https://git.kernel.org/stable/c/fb1cf0878328fe75d47f0aed0a65b30126fcefc4