CVE-2024-57884
Publication date: 15/01/2025
In the Linux kernel, the following vulnerability has been resolved:

mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()

The task sometimes continues looping in throttle_direct_reclaim() because
allow_direct_reclaim(pgdat) keeps returning false.

#0 [ffff80002cb6f8d0] __switch_to at ffff8000080095ac
#1 [ffff80002cb6f900] __schedule at ffff800008abbd1c
#2 [ffff80002cb6f990] schedule at ffff800008abc50c
#3 [ffff80002cb6f9b0] throttle_direct_reclaim at ffff800008273550
#4 [ffff80002cb6fa20] try_to_free_pages at ffff800008277b68
#5 [ffff80002cb6fae0] __alloc_pages_nodemask at ffff8000082c4660
#6 [ffff80002cb6fc50] alloc_pages_vma at ffff8000082e4a98
#7 [ffff80002cb6fca0] do_anonymous_page at ffff80000829f5a8
#8 [ffff80002cb6fce0] __handle_mm_fault at ffff8000082a5974
#9 [ffff80002cb6fd90] handle_mm_fault at ffff8000082a5bd4

At this point, the pgdat contains the following two zones:

NODE: 4 ZONE: 0 ADDR: ffff00817fffe540 NAME: "DMA32"
SIZE: 20480 MIN/LOW/HIGH: 11/28/45
VM_STAT:
NR_FREE_PAGES: 359
NR_ZONE_INACTIVE_ANON: 18813
NR_ZONE_ACTIVE_ANON: 0
NR_ZONE_INACTIVE_FILE: 50
NR_ZONE_ACTIVE_FILE: 0
NR_ZONE_UNEVICTABLE: 0
NR_ZONE_WRITE_PENDING: 0
NR_MLOCK: 0
NR_BOUNCE: 0
NR_ZSPAGES: 0
NR_FREE_CMA_PAGES: 0

NODE: 4 ZONE: 1 ADDR: ffff00817fffec00 NAME: "Normal"
SIZE: 8454144 PRESENT: 98304 MIN/LOW/HIGH: 68/166/264
VM_STAT:
NR_FREE_PAGES: 146
NR_ZONE_INACTIVE_ANON: 94668
NR_ZONE_ACTIVE_ANON: 3
NR_ZONE_INACTIVE_FILE: 735
NR_ZONE_ACTIVE_FILE: 78
NR_ZONE_UNEVICTABLE: 0
NR_ZONE_WRITE_PENDING: 0
NR_MLOCK: 0
NR_BOUNCE: 0
NR_ZSPAGES: 0
NR_FREE_CMA_PAGES: 0

In allow_direct_reclaim(), while processing ZONE_DMA32, the sum of
inactive/active file-backed pages calculated in zone_reclaimable_pages()
based on the result of zone_page_state_snapshot() is zero.

Additionally, since this system lacks swap, the calculation of inactive/
active anonymous pages is skipped.

crash> p nr_swap_pages
nr_swap_pages = $1937 = {
counter = 0
}

As a result, ZONE_DMA32 is deemed unreclaimable and skipped, moving on to
the processing of the next zone, ZONE_NORMAL, despite ZONE_DMA32 having
free pages significantly exceeding the high watermark.

The problem is that the pgdat->kswapd_failures hasn't been incremented.

crash> px ((struct pglist_data *) 0xffff00817fffe540)->kswapd_failures
$1935 = 0x0
This is because the node was deemed balanced. The node balancing logic in
balance_pgdat() evaluates all zones collectively. If one or more zones
(e.g., ZONE_DMA32) have enough free pages to meet their watermarks, the
entire node is deemed balanced. This causes balance_pgdat() to exit early
before incrementing the kswapd_failures, as it considers the overall
memory state acceptable, even though some zones (like ZONE_NORMAL) remain
under significant pressure.

The patch ensures that zone_reclaimable_pages() includes free pages
(NR_FREE_PAGES) in its calculation when no other reclaimable pages are
available (e.g., file-backed or anonymous pages). This change prevents
zones like ZONE_DMA32, which have sufficient free pages, from being
mistakenly deemed unreclaimable. By doing so, the patch ensures proper
node balancing, avoids masking pressure on other zones like ZONE_NORMAL,
and prevents infinite loops in throttle_direct_reclaim() caused by
allow_direct_reclaim(pgdat) repeatedly returning false.

The kernel hangs due to a task stuck in throttle_direct_reclaim(), caused
by a node being incorrectly deemed balanced despite pressure in certain
zones, such as ZONE_NORMAL. This issue arises from
zone_reclaimable_pages
---truncated---
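The following is an added user-space model, not the kernel's code and not part of the commit message above, of the allow_direct_reclaim() / zone_reclaimable_pages() interaction the message describes: zones that report zero reclaimable pages are skipped, the remaining zones contribute their MIN watermark to the pfmemalloc reserve and their free pages to the total, and direct reclaim is throttled while free pages do not exceed half the reserve. The struct layout, the helper names ending in `_old` / `_new`, and the `example_node()` numbers are constructed for the example. The DMA32 values follow the message (file-backed snapshot of zero, no swap, MIN watermark 11, 359 free pages); the VM_STAT counters on the page are not the per-cpu-adjusted zone_page_state_snapshot() values the kernel actually reads, so the Normal zone's free-page snapshot is a constructed low value chosen to reproduce the throttling the message describes.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_RECLAIM_RETRIES 16  /* kernel constant; after this many kswapd failures throttling stops */

/* Constructed zone model: the fields hold zone_page_state_snapshot() style values. */
struct zone {
    const char   *name;
    unsigned long min_wmark;      /* MIN watermark, in pages */
    unsigned long free_snapshot;  /* NR_FREE_PAGES snapshot */
    unsigned long file_snapshot;  /* NR_ZONE_INACTIVE_FILE + NR_ZONE_ACTIVE_FILE snapshot */
    unsigned long anon_snapshot;  /* NR_ZONE_INACTIVE_ANON + NR_ZONE_ACTIVE_ANON snapshot */
};

struct pglist_data {
    struct zone   zones[2];
    int           nzones;
    unsigned long nr_swap_pages;  /* 0 on the swapless system in the report */
    int           kswapd_failures;
};

/* Pre-patch accounting: file pages, plus anonymous pages only when swap exists. */
static unsigned long zone_reclaimable_pages_old(const struct zone *z, unsigned long nr_swap_pages)
{
    unsigned long nr = z->file_snapshot;
    if (nr_swap_pages > 0)
        nr += z->anon_snapshot;
    return nr;
}

/* Post-patch accounting: when nothing else is reclaimable, count the zone's free pages
 * so a zone that is comfortably above its watermarks is no longer skipped. */
static unsigned long zone_reclaimable_pages_new(const struct zone *z, unsigned long nr_swap_pages)
{
    unsigned long nr = zone_reclaimable_pages_old(z, nr_swap_pages);
    if (nr == 0)
        nr = z->free_snapshot;
    return nr;
}

/* Model of allow_direct_reclaim(): returns true when the task may proceed,
 * false when throttle_direct_reclaim() would keep it waiting. */
static bool allow_direct_reclaim(const struct pglist_data *pgdat, bool patched)
{
    unsigned long pfmemalloc_reserve = 0, free_pages = 0;

    if (pgdat->kswapd_failures >= MAX_RECLAIM_RETRIES)
        return true;  /* kswapd gave up; never throttle forever */

    for (int i = 0; i < pgdat->nzones; i++) {
        const struct zone *z = &pgdat->zones[i];
        unsigned long reclaimable = patched
            ? zone_reclaimable_pages_new(z, pgdat->nr_swap_pages)
            : zone_reclaimable_pages_old(z, pgdat->nr_swap_pages);
        if (reclaimable == 0)
            continue;  /* zone deemed unreclaimable: its free pages are ignored */
        pfmemalloc_reserve += z->min_wmark;
        free_pages += z->free_snapshot;
    }
    if (pfmemalloc_reserve == 0)
        return true;  /* no reserves at all (unexpected config): do not throttle */
    return free_pages > pfmemalloc_reserve / 2;
}

/* Constructed node: DMA32 per the report (file snapshot 0, MIN 11, 359 free);
 * Normal with a constructed free snapshot of 20 to model the pressure described. */
static struct pglist_data example_node(void)
{
    struct pglist_data n = {
        .zones = {
            { "DMA32",  11, 359,   0, 18813 },
            { "Normal", 68,  20, 813, 94671 },
        },
        .nzones = 2,
        .nr_swap_pages = 0,
        .kswapd_failures = 0,  /* never incremented because the node looked balanced */
    };
    return n;
}

/* Convenience wrappers so the scenario can be evaluated without locals. */
static bool direct_reclaim_allowed(bool patched)
{
    struct pglist_data n = example_node();
    return allow_direct_reclaim(&n, patched);
}

static unsigned long dma32_reclaimable(bool patched)
{
    struct pglist_data n = example_node();
    return patched ? zone_reclaimable_pages_new(&n.zones[0], n.nr_swap_pages)
                   : zone_reclaimable_pages_old(&n.zones[0], n.nr_swap_pages);
}

int main(void)
{
    printf("DMA32 reclaimable pages: old=%lu new=%lu\n",
           dma32_reclaimable(false), dma32_reclaimable(true));
    printf("allow_direct_reclaim: old=%s new=%s\n",
           direct_reclaim_allowed(false) ? "true" : "false (throttled)",
           direct_reclaim_allowed(true)  ? "true" : "false (throttled)");
    return 0;
}
```

Without the fix, DMA32 is skipped, only Normal's MIN watermark (68) forms the reserve, and the constructed 20 free pages fail the `free > 34` check on every iteration; with kswapd_failures stuck at 0 there is no escape hatch, which is the loop the report describes. With the fix, DMA32 reports its 359 free pages as reclaimable, both zones are counted (reserve 79, free 379), and the task is released.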
Severity CVSS v4.0: Pending analysis
Last modification: 15/01/2025