CVE-2024-40914

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-40914
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40914.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-40914
Downstream
Related
Published
2024-07-12T12:24:58.055Z
Modified
2025-11-28T02:34:50.213205Z
Summary
mm/huge_memory: don't unpoison huge_zero_folio
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: don't unpoison huge_zero_folio

When I did memory failure tests recently, the panic below occurred:

kernel BUG at include/linux/mm.h:1135!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14
RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0
RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246
RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0
RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492
R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00
FS:  0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 do_shrink_slab+0x14f/0x6a0
 shrink_slab+0xca/0x8c0
 shrink_node+0x2d0/0x7d0
 balance_pgdat+0x33a/0x720
 kswapd+0x1f3/0x410
 kthread+0xd5/0x100
 ret_from_fork+0x2f/0x50
 ret_from_fork_asm+0x1a/0x30
 </TASK>
Modules linked in: mce_inject hwpoison_inject
---[ end trace 0000000000000000 ]---
RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0
RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246
RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0
RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492
R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00
FS:  0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0

The root cause is that the HWPoison flag will be set for huge_zero_folio without increasing the folio refcnt. But then unpoison_memory() will decrease the folio refcnt unexpectedly, as it appears like a successfully hwpoisoned folio, leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when releasing huge_zero_folio.

Skip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue. We're not prepared to unpoison huge_zero_folio yet.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40914.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f8f836100fff594cea8a0a027affb9d5520f09a7
Fixed
688bb46ad339497b5b7f527b6636d2afe04b46af
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
478d134e9506c7e9bfe2830ed03dd85e97966313
Fixed
b2494506f30675245a3e6787281f79601af087bf
Fixed
0d73477af964dbd7396163a13817baf13940bca9
Fixed
d72b7711919de49d92a67dfc844a6cf4c23dd794
Fixed
fe6f86f4b40855a130a19aa589f9ba7f650423f4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
13d9b8cd12f37d133b07ea5b323583e8a0c6b738

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
5.15.162
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.95
Type
ECOSYSTEM
Events
Introduced
5.18.0
Fixed
6.6.35
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.9.6