fkie_cve-2024-53079
Vulnerability from fkie_nvd
Published: 2024-11-19 18:15
Modified: 2024-11-27 16:59
Severity: MEDIUM (CVSS 3.1 base score 5.5)
Summary
In the Linux kernel, the following vulnerability has been resolved:

mm/thp: fix deferred split unqueue naming and locking

Recent changes are putting more pressure on THP deferred split queues:
under load revealing long-standing races, causing list_del corruptions,
"Bad page state"s and worse (I keep BUGs in both of those, so usually
don't get to see how badly they end up without). The relevant recent
changes being 6.8's mTHP, 6.10's mTHP swapout, and 6.12's mTHP swapin,
improved swap allocation, and underused THP splitting.

Before fixing locking: rename misleading folio_undo_large_rmappable(),
which does not undo large_rmappable, to folio_unqueue_deferred_split(),
which is what it does. But that and its out-of-line __callee are mm
internals of very limited usability: add comment and WARN_ON_ONCEs to
check usage; and return a bool to say if a deferred split was unqueued,
which can then be used in WARN_ON_ONCEs around safety checks (sparing
callers the arcane conditionals in __folio_unqueue_deferred_split()).

Just omit the folio_unqueue_deferred_split() from free_unref_folios(), all
of whose callers now call it beforehand (and if any forget then bad_page()
will tell) - except for its caller put_pages_list(), which itself no
longer has any callers (and will be deleted separately).

Swapout: mem_cgroup_swapout() has been resetting folio->memcg_data 0
without checking and unqueueing a THP folio from deferred split list;
which is unfortunate, since the split_queue_lock depends on the memcg
(when memcg is enabled); so swapout has been unqueueing such THPs later,
when freeing the folio, using the pgdat's lock instead: potentially
corrupting the memcg's list. __remove_mapping() has frozen refcount to 0
here, so no problem with calling folio_unqueue_deferred_split() before
resetting memcg_data.

That goes back to 5.4 commit 87eaceb3faa5 ("mm: thp: make deferred split
shrinker memcg aware"): which included a check on swapcache before adding
to deferred queue, but no check on deferred queue before adding THP to
swapcache. That worked fine with the usual sequence of events in reclaim
(though there were a couple of rare ways in which a THP on deferred queue
could have been swapped out), but 6.12 commit dafff3f4c850 ("mm: split
underused THPs") avoids splitting underused THPs in reclaim, which makes
swapcache THPs on deferred queue commonplace.

Keep the check on swapcache before adding to deferred queue? Yes: it is
no longer essential, but preserves the existing behaviour, and is likely
to be a worthwhile optimization (vmstat showed much more traffic on the
queue under swapping load if the check was removed); update its comment.

Memcg-v1 move (deprecated): mem_cgroup_move_account() has been changing
folio->memcg_data without checking and unqueueing a THP folio from the
deferred list, sometimes corrupting "from" memcg's list, like swapout.
Refcount is non-zero here, so folio_unqueue_deferred_split() can only be
used in a WARN_ON_ONCE to validate the fix, which must be done earlier:
mem_cgroup_move_charge_pte_range() first try to split the THP (splitting
of course unqueues), or skip it if that fails. Not ideal, but moving
charge has been requested, and khugepaged should repair the THP later:
nobody wants new custom unqueueing code just for this deprecated case.

The 87eaceb3faa5 commit did have the code to move from one deferred list
to another (but was not conscious of its unsafety while refcount non-0);
but that was removed by 5.6 commit fac0516b5534 ("mm: thp: don't need care
deferred split queue in memcg charge move path"), which argued that the
existence of a PMD mapping guarantees that the THP cannot be on a deferred
list. As above, false in rare cases, and now commonly false.

Backport to 6.11 should be straightforward. Earlier backports must take
care that other _deferred_list fixes and dependencies are included. There
is not a strong case for backports, but they can fix cornercases.
References
- https://git.kernel.org/stable/c/afb1352d06b1b6b2cfd1f901c766a430c87078b3 (Patch)
- https://git.kernel.org/stable/c/f8f931bba0f92052cf842b7e30917b1afcc77d5a (Patch)
- https://git.kernel.org/stable/c/fc4951c3e3358dd82ea508e893695b916c813f17 (Patch)

Impacted products
Vendor | Product | Version | Vulnerable
---|---|---|---
linux | linux_kernel | >= 5.4, < 6.6.62 | yes
linux | linux_kernel | >= 6.7, < 6.11.8 | yes
linux | linux_kernel | 6.12 rc1 | yes
linux | linux_kernel | 6.12 rc2 | yes
linux | linux_kernel | 6.12 rc3 | yes
linux | linux_kernel | 6.12 rc4 | yes
linux | linux_kernel | 6.12 rc5 | yes
linux | linux_kernel | 6.12 rc6 | yes

Metrics (CVSS 3.1, source nvd@nist.gov, Primary)
- Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Base score: 5.5 (MEDIUM); exploitability score 1.8; impact score 3.6
- Attack vector LOCAL, attack complexity LOW, privileges required LOW, user interaction NONE, scope UNCHANGED
- Confidentiality impact NONE, integrity impact NONE, availability impact HIGH

Weakness: CWE-667 (source nvd@nist.gov, Primary)

Record: CVE-2024-53079; status Analyzed; published 2024-11-19T18:15:27.340; last modified 2024-11-27T16:59:20.303.