CVE-2024-35797

Severity CVSS v4.0: Pending analysis
Type: CWE-787 Out-of-bounds Write
Publication date: 17/05/2024
Last modified: 19/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: cachestat: fix two shmem bugs

When cachestat on shmem races with swapping and invalidation, there are two possible bugs:

1) A swapin error can have resulted in a poisoned swap entry in the shmem inode's xarray. Calling get_shadow_from_swap_cache() on it will result in an out-of-bounds access to swapper_spaces[].

Validate the entry with non_swap_entry() before going further.

2) When we find a valid swap entry in the shmem's inode, the shadow entry in the swapcache might not exist yet: swap IO is still in progress and we're before __remove_mapping; swapin, invalidation, or swapoff have removed the shadow from swapcache after we saw the shmem swap entry.

This will send a NULL to workingset_test_recent(). The latter purely operates on pointer bits, so it won't crash - node 0, memcg ID 0, eviction timestamp 0, etc. are all valid inputs - but it's a bogus test. In theory that could result in a false "recently evicted" count.

Such a false positive wouldn't be the end of the world. But for code clarity and (future) robustness, be explicit about this case.

Bail on get_shadow_from_swap_cache() returning NULL.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.5 (including) 6.6.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.8 (including) 6.8.3 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
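
For triage, the version ranges in the table above can be checked against a host's `uname -r` string. The following is an added example, not part of the CVE record or the kernel fix; the function names are hypothetical. It compares upstream version numbers only, so a distribution kernel that backported the fix will still be reported as inside a listed range and needs to be confirmed against the vendor's advisory.

```python
import platform
import re

# Ranges copied from the table above: (from, inclusive), (up to, exclusive).
AFFECTED_RANGES = [
    ((6, 5, 0), (6, 6, 24)),
    ((6, 7, 0), (6, 7, 12)),
    ((6, 8, 0), (6, 8, 3)),
]
# The table also lists one pre-release explicitly: 6.9-rc1.
AFFECTED_PRERELEASES = {((6, 9, 0), "rc1")}

# Matches "6.6.20", "6.5", "6.9.0-rc1", "6.8.0-31-generic" (distro suffix ignored).
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(rc\d+))?")


def parse_release(release):
    """Split a `uname -r` style string into ((major, minor, patch), rc_tag)."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), rc


def in_listed_range(release):
    """True if the upstream version falls inside a range listed for CVE-2024-35797."""
    version, rc = parse_release(release)
    if rc is not None:
        # A release candidate precedes its final release, so it is never
        # inside a stable range; only the rc named in the table matches.
        return (version, rc) in AFFECTED_PRERELEASES
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    running = platform.release()
    state = "inside" if in_listed_range(running) else "outside"
    print(f"{running}: {state} the version ranges listed for CVE-2024-35797")
```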