CVE-2024-57883

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/01/2025
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: hugetlb: independent PMD page table shared count

The folio refcount may be increased unexpectedly through try_get_folio() by a caller such as split_huge_pages. In huge_pmd_unshare(), we use the refcount to check whether a pmd page table is shared. The check is incorrect if the refcount is increased by the above caller, and this can cause the page table to be leaked:

BUG: Bad page state in process sh pfn:109324
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324
flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff)
page_type: f2(table)
raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000
raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000
page dumped because: nonzero mapcount
...
CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7
Tainted: [B]=BAD_PAGE
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
Call trace:
 show_stack+0x20/0x38 (C)
 dump_stack_lvl+0x80/0xf8
 dump_stack+0x18/0x28
 bad_page+0x8c/0x130
 free_page_is_bad_report+0xa4/0xb0
 free_unref_page+0x3cc/0x620
 __folio_put+0xf4/0x158
 split_huge_pages_all+0x1e0/0x3e8
 split_huge_pages_write+0x25c/0x2d8
 full_proxy_write+0x64/0xd8
 vfs_write+0xcc/0x280
 ksys_write+0x70/0x110
 __arm64_sys_write+0x24/0x38
 invoke_syscall+0x50/0x120
 el0_svc_common.constprop.0+0xc8/0xf0
 do_el0_svc+0x24/0x38
 el0_svc+0x34/0x128
 el0t_64_sync_handler+0xc8/0xd0
 el0t_64_sync+0x190/0x198

The issue may be triggered by damon, offline_page, page_idle, etc., which will increase the refcount of the page table.

1. The page table itself will be discarded after reporting the "nonzero mapcount".

2. The HugeTLB page mapped by the page table misses being freed since we treat the page table as shared and a shared page table will not be unmapped.

Fix it by introducing an independent PMD page table shared count. As described by the comment, pt_index/pt_mm/pt_frag_refcount are used for s390 gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv pmds, so we can reuse the field as pt_share_count.
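The flaw described above is a classic one: a lifetime reference count is read as if it were a semantic "is shared" flag, so any unrelated walker that pins the page table for a moment (split_huge_pages, damon, page_idle) flips the decision in huge_pmd_unshare(). The following is an added, constructed user-space model of that decision, written for this page; it is not kernel code and not the patch. The struct, the walker_get()/walker_put() pin, unshare() and the scenario helpers are invented names that stand in for the page refcount, the try_get_folio()-style pin, huge_pmd_unshare() and the teardown path; the post-fix policy models the independent pt_share_count named in the description.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model (not kernel code) of a PMD page table page as seen by
 * huge_pmd_unshare(). refcount is the page's lifetime reference count;
 * share_count is the independent sharer count introduced by the fix.
 */
struct pmd_table {
    int refcount;          /* lifetime references, transient pins included */
    int share_count;       /* additional mms sharing the table (fix) */
    bool hugepage_mapped;  /* HugeTLB page still mapped through this table */
};

static void pmd_table_init(struct pmd_table *t)
{
    t->refcount = 1;       /* the owning mm */
    t->share_count = 0;    /* nobody else shares it yet */
    t->hugepage_mapped = true;
}

/* Another mm starts sharing the table: one more reference, one more sharer. */
static void pmd_share(struct pmd_table *t)
{
    t->refcount++;
    t->share_count++;
}

/* A transient pin by an unrelated walker (split_huge_pages, damon, page_idle). */
static void walker_get(struct pmd_table *t) { t->refcount++; }
static void walker_put(struct pmd_table *t) { t->refcount--; }

/*
 * Model of huge_pmd_unshare(). Returns 1 when the table is treated as shared
 * (drop our share, keep the HugeTLB page mapped for the remaining sharers)
 * and 0 when we are the last user (unmap the HugeTLB page so it can be freed).
 * Pre-fix policy: shared means refcount > 1. Post-fix: share_count > 0.
 */
static int unshare(struct pmd_table *t, bool independent_share_count)
{
    bool shared = independent_share_count ? t->share_count > 0
                                          : t->refcount > 1;
    if (!shared) {
        t->hugepage_mapped = false;
        return 0;
    }
    if (independent_share_count)
        t->share_count--;
    t->refcount--;
    return 1;
}

/*
 * Scenario from the advisory: a single owner tears down its mapping while a
 * walker holds a transient reference. The returned state shows the outcome:
 * pre-fix, hugepage_mapped stays true and refcount drops to 0 (the page table
 * is freed with the HugeTLB page still mapped, the "nonzero mapcount" report);
 * post-fix, the HugeTLB page is unmapped and the owner's reference survives.
 */
static struct pmd_table teardown_under_walker(bool independent_share_count)
{
    struct pmd_table t;
    pmd_table_init(&t);
    walker_get(&t);
    unshare(&t, independent_share_count);
    walker_put(&t);
    return t;
}

/*
 * Genuine sharing: two mms tear down in turn. Both policies must treat exactly
 * one of the two unshare() calls as "shared", so the fix changes nothing here.
 */
static int genuine_sharing_shared_hits(bool independent_share_count)
{
    struct pmd_table t;
    pmd_table_init(&t);
    pmd_share(&t);
    int hits = unshare(&t, independent_share_count);
    hits += unshare(&t, independent_share_count);
    return hits;
}

int main(void)
{
    struct pmd_table bug = teardown_under_walker(false);
    struct pmd_table fix = teardown_under_walker(true);
    printf("pre-fix : hugepage_mapped=%d refcount=%d\n", bug.hugepage_mapped, bug.refcount);
    printf("post-fix: hugepage_mapped=%d refcount=%d\n", fix.hugepage_mapped, fix.refcount);
    printf("genuine sharing, shared hits: pre=%d post=%d\n",
           genuine_sharing_shared_hits(false), genuine_sharing_shared_hits(true));
    return 0;
}
```

The point of the two scenarios is that the pre-fix check cannot distinguish "another mm shares this table" from "someone is briefly looking at this page"; only a counter that is incremented solely on the sharing path can. The same pattern (refcount reused as a state flag) is worth grepping for in any code that keeps its own shared-object accounting.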

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.20 (including) 5.10.239 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.186 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.142 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.72 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.9 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*