CVE-2024-40915

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context<br /> <br /> __kernel_map_pages() is a debug function which clears the valid bit in page<br /> table entry for deallocated pages to detect illegal memory accesses to<br /> freed pages.<br /> <br /> This function set/clear the valid bit using __set_memory(). __set_memory()<br /> acquires init_mm&amp;#39;s semaphore, and this operation may sleep. This is<br /> problematic, because __kernel_map_pages() can be called in atomic context,<br /> and thus is illegal to sleep. An example warning that this causes:<br /> <br /> BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578<br /> in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd<br /> preempt_count: 2, expected: 0<br /> CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37<br /> Hardware name: riscv-virtio,qemu (DT)<br /> Call Trace:<br /> [] dump_backtrace+0x1c/0x24<br /> [] show_stack+0x2c/0x38<br /> [] dump_stack_lvl+0x5a/0x72<br /> [] dump_stack+0x14/0x1c<br /> [] __might_resched+0x104/0x10e<br /> [] __might_sleep+0x3e/0x62<br /> [] down_write+0x20/0x72<br /> [] __set_memory+0x82/0x2fa<br /> [] __kernel_map_pages+0x5a/0xd4<br /> [] __alloc_pages_bulk+0x3b2/0x43a<br /> [] __vmalloc_node_range+0x196/0x6ba<br /> [] copy_process+0x72c/0x17ec<br /> [] kernel_clone+0x60/0x2fe<br /> [] kernel_thread+0x82/0xa0<br /> [] kthreadd+0x14a/0x1be<br /> [] ret_from_fork+0xe/0x1c<br /> <br /> Rewrite this function with apply_to_existing_page_range(). It is fine to<br /> not have any locking, because __kernel_map_pages() works with pages being<br /> allocated/deallocated and those pages are not changed by anyone else in the<br /> meantime.