CVE-2023-52739

Severity CVSS v4.0:
Pending analysis
Type:
CWE-415 Double Free
Publication date:
21/05/2024
Last modified:
23/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Fix page corruption caused by racy check in __free_pages

When we upgraded our kernel, we started seeing some page corruption like
the following consistently:

    BUG: Bad page state in process ganesha.nfsd pfn:1304ca
    page:0000000022261c55 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1304ca
    flags: 0x17ffffc0000000()
    raw: 0017ffffc0000000 ffff8a513ffd4c98 ffffeee24b35ec08 0000000000000000
    raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000
    page dumped because: nonzero mapcount
    CPU: 0 PID: 15567 Comm: ganesha.nfsd Kdump: loaded Tainted: P B O 5.10.158-1.nutanix.20221209.el7.x86_64 #1
    Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016
    Call Trace:
    dump_stack+0x74/0x96
    bad_page.cold+0x63/0x94
    check_new_page_bad+0x6d/0x80
    rmqueue+0x46e/0x970
    get_page_from_freelist+0xcb/0x3f0
    ? _cond_resched+0x19/0x40
    __alloc_pages_nodemask+0x164/0x300
    alloc_pages_current+0x87/0xf0
    skb_page_frag_refill+0x84/0x110
    ...

Sometimes, it would also show up as corruption in the free list pointer
and cause crashes.

After bisecting the issue, we found the issue started from commit
e320d3012d25 ("mm/page_alloc.c: fix freeing non-compound pages"):

    if (put_page_testzero(page))
        free_the_page(page, order);
    else if (!PageHead(page))
        while (order-- > 0)
            free_the_page(page + (1

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.9.2 (including) 5.10.168 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.94 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.12 (excluding)
cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc7:*:*:*:*:*:*
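
To triage hosts against the ranges in the table above, the following added example (not part of the advisory or of any kernel tooling) checks a `uname -r` style release string against them. The function and constant names are hypothetical, and the sample release strings are taken from the log above or constructed.

```python
import re

FINAL = 10**6  # rank of a final release, so that X.Y-rcN sorts before X.Y

# Half-open ranges [first affected, first fixed) copied from the
# "Vulnerable products and versions" table. Tuples are (major, minor, patch, rc).
AFFECTED_RANGES = [
    ((5, 9, 2, FINAL), (5, 10, 168, FINAL)),
    ((5, 11, 0, FINAL), (5, 15, 94, FINAL)),
    ((5, 16, 0, FINAL), (6, 1, 12, FINAL)),
    ((6, 2, 0, 1), (6, 2, 0, 8)),  # 6.2-rc1 through 6.2-rc7
]

# Leading upstream version, optional -rcN; vendor suffixes after it are ignored.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Return (major, minor, patch, rc_rank) for a `uname -r` style string."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else FINAL)


def in_affected_range(release):
    """True if the upstream base version falls in a range listed for CVE-2023-52739.

    Vendor kernels often backport fixes without changing the base version, so a
    True result on a distribution kernel means "check the vendor advisory",
    not "confirmed vulnerable".
    """
    version = parse_release(release)
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    samples = [
        "5.10.158-1.nutanix.20221209.el7.x86_64",  # release string from the log above
        "5.10.168", "6.1.11", "6.2.0-rc7", "6.2.0",  # constructed samples
    ]
    for s in samples:
        print(f"{s}: {'in listed range' if in_affected_range(s) else 'not listed'}")
```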