CVE-2024-56673

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: mm: Do not call pmd dtor on vmemmap page table teardown<br /> <br /> The vmemmap&amp;#39;s, which is used for RV64 with SPARSEMEM_VMEMMAP, page<br /> tables are populated using pmd (page middle directory) hugetables.<br /> However, the pmd allocation is not using the generic mechanism used by<br /> the VMA code (e.g. pmd_alloc()), or the RISC-V specific<br /> create_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table<br /> code allocates a page, and calls vmemmap_set_pmd(). This results in<br /> that the pmd ctor is *not* called, nor would it make sense to do so.<br /> <br /> Now, when tearing down a vmemmap page table pmd, the cleanup code<br /> would unconditionally, and incorrectly call the pmd dtor, which<br /> results in a crash (best case).<br /> <br /> This issue was found when running the HMM selftests:<br /> <br /> | tools/testing/selftests/mm# ./test_hmm.sh smoke<br /> | ... # when unloading the test_hmm.ko module<br /> | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b<br /> | flags: 0x1000000000000000(node=0|zone=1)<br /> | raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000<br /> | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000<br /> | page dumped because: VM_BUG_ON_PAGE(ptdesc-&gt;pmd_huge_pte)<br /> | ------------[ cut here ]------------<br /> | kernel BUG at include/linux/mm.h:3080!<br /> | Kernel BUG [#1]<br /> | Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod<br /> | CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G W 6.12.0-00982-gf2a4f1682d07 #2<br /> | Tainted: [W]=WARN<br /> | Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024<br /> | epc : remove_pgd_mapping+0xbec/0x1070<br /> | ra : remove_pgd_mapping+0xbec/0x1070<br /> | epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940<br /> | gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04<br /> | t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50<br /> | s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008<br /> | a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000<br /> | a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8<br /> | s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000<br /> | s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000<br /> | s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0<br /> | s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00<br /> | t5 : ff60000080244000 t6 : ff20000000a73708<br /> | status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003<br /> | [] remove_pgd_mapping+0xbec/0x1070<br /> | [] vmemmap_free+0x14/0x1e<br /> | [] section_deactivate+0x220/0x452<br /> | [] sparse_remove_section+0x4a/0x58<br /> | [] __remove_pages+0x7e/0xba<br /> | [] memunmap_pages+0x2bc/0x3fe<br /> | [] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm]<br /> | [] hmm_dmirror_exit+0x3e/0x1018 [test_hmm]<br /> | [] __riscv_sys_delete_module+0x15a/0x2a6<br /> | [] do_trap_ecall_u+0x1f2/0x266<br /> | [] _new_vmalloc_restore_context_a0+0xc6/0xd2<br /> | Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597<br /> | ---[ end trace 0000000000000000 ]---<br /> | Kernel panic - not syncing: Fatal exception in interrupt<br /> <br /> Add a check to avoid calling the pmd dtor, if the calling context is<br /> vmemmap_free().