CVE-2024-42317

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/huge_memory: avoid PMD-size page cache if needed<br /> <br /> xarray can&amp;#39;t support arbitrary page cache size. the largest and supported<br /> page cache size is defined as MAX_PAGECACHE_ORDER by commit 099d90642a71<br /> ("mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray"). However,<br /> it&amp;#39;s possible to have 512MB page cache in the huge memory&amp;#39;s collapsing<br /> path on ARM64 system whose base page size is 64KB. 512MB page cache is<br /> breaking the limitation and a warning is raised when the xarray entry is<br /> split as shown in the following example.<br /> <br /> [root@dhcp-10-26-1-207 ~]# cat /proc/1/smaps | grep KernelPageSize<br /> KernelPageSize: 64 kB<br /> [root@dhcp-10-26-1-207 ~]# cat /tmp/test.c<br /> :<br /> int main(int argc, char **argv)<br /> {<br /> const char *filename = TEST_XFS_FILENAME;<br /> int fd = 0;<br /> void *buf = (void *)-1, *p;<br /> int pgsize = getpagesize();<br /> int ret = 0;<br /> <br /> if (pgsize != 0x10000) {<br /> fprintf(stdout, "System with 64KB base page size is required!\n");<br /> return -EPERM;<br /> }<br /> <br /> system("echo 0 &gt; /sys/devices/virtual/bdi/253:0/read_ahead_kb");<br /> system("echo 1 &gt; /proc/sys/vm/drop_caches");<br /> <br /> /* Open the xfs file */<br /> fd = open(filename, O_RDONLY);<br /> assert(fd &gt; 0);<br /> <br /> /* Create VMA */<br /> buf = mmap(NULL, TEST_MEM_SIZE, PROT_READ, MAP_SHARED, fd, 0);<br /> assert(buf != (void *)-1);<br /> fprintf(stdout, "mapped buffer at 0x%p\n", buf);<br /> <br /> /* Populate VMA */<br /> ret = madvise(buf, TEST_MEM_SIZE, MADV_NOHUGEPAGE);<br /> assert(ret == 0);<br /> ret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_READ);<br /> assert(ret == 0);<br /> <br /> /* Collapse VMA */<br /> ret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);<br /> assert(ret == 0);<br /> ret = madvise(buf, TEST_MEM_SIZE, MADV_COLLAPSE);<br /> if (ret) {<br /> fprintf(stdout, "Error %d to madvise(MADV_COLLAPSE)\n", errno);<br /> goto out;<br /> }<br /> <br /> /* Split xarray entry. Write permission is needed */<br /> munmap(buf, TEST_MEM_SIZE);<br /> buf = (void *)-1;<br /> close(fd);<br /> fd = open(filename, O_RDWR);<br /> assert(fd &gt; 0);<br /> fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,<br /> TEST_MEM_SIZE - pgsize, pgsize);<br /> out:<br /> if (buf != (void *)-1)<br /> munmap(buf, TEST_MEM_SIZE);<br /> if (fd &gt; 0)<br /> close(fd);<br /> <br /> return ret;<br /> }<br /> <br /> [root@dhcp-10-26-1-207 ~]# gcc /tmp/test.c -o /tmp/test<br /> [root@dhcp-10-26-1-207 ~]# /tmp/test<br /> ------------[ cut here ]------------<br /> WARNING: CPU: 25 PID: 7560 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128<br /> Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \<br /> nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \<br /> nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \<br /> ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse \<br /> xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 virtio_net \<br /> sha1_ce net_failover virtio_blk virtio_console failover dimlib virtio_mmio<br /> CPU: 25 PID: 7560 Comm: test Kdump: loaded Not tainted 6.10.0-rc7-gavin+ #9<br /> Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024<br /> pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)<br /> pc : xas_split_alloc+0xf8/0x128<br /> lr : split_huge_page_to_list_to_order+0x1c4/0x780<br /> sp : ffff8000ac32f660<br /> x29: ffff8000ac32f660 x28: ffff0000e0969eb0 x27: ffff8000ac32f6c0<br /> x26: 0000000000000c40 x25: ffff0000e0969eb0 x24: 000000000000000d<br /> x23: ffff8000ac32f6c0 x22: ffffffdfc0700000 x21: 0000000000000000<br /> x20: 0000000000000000 x19: ffffffdfc0700000 x18: 0000000000000000<br /> x17: 0000000000000000 x16: ffffd5f3708ffc70 x15: 0000000000000000<br /> x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000<br /> x11: ffffffffffffffc0 x10: 0000000000000040 x9 : ffffd5f3708e692c<br /> x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff0000e0969eb8<br /> x5 : ffffd5f37289e378 x4 : 0000000000000000 x3 : 0000000000000c40<br /> x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000<br /> Call trace:<br /> xas_split_alloc+0xf8/0x128<br /> split_huge_page_to_list_to_order+0x1c4/0x780<br /> truncate_inode_partial_folio+0xdc/0x160<br /> truncate_inode_pages_range+0x1b4/0x4a8<br /> truncate_pagecache_range+0x84/0xa<br /> ---truncated---