CVE-2024-40915
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-40915
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40915.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-40915
- Downstream
- Published
- 2024-07-12T12:24:58Z
- Modified
- 2025-10-09T12:47:51.183430Z
- Summary
- riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
riscv: rewrite _kernelmap_pages() to fix sleeping in invalid context
_kernelmap_pages() is a debug function which clears the valid bit in page table entry for deallocated pages to detect illegal memory accesses to freed pages.
This function set/clear the valid bit using _setmemory(). _setmemory() acquires initmm's semaphore, and this operation may sleep. This is problematic, because _kernelmappages() can be called in atomic context, and thus is illegal to sleep. An example warning that this causes:
BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578 inatomic(): 1, irqsdisabled(): 0, nonblock: 0, pid: 2, name: kthreadd preemptcount: 2, expected: 0 CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37 Hardware name: riscv-virtio,qemu (DT) Call Trace: [<ffffffff800060dc>] dumpbacktrace+0x1c/0x24 [<ffffffff8091ef6e>] showstack+0x2c/0x38 [<ffffffff8092baf8>] dumpstacklvl+0x5a/0x72 [<ffffffff8092bb24>] dumpstack+0x14/0x1c [<ffffffff8003b7ac>] _mightresched+0x104/0x10e [<ffffffff8003b7f4>] _mightsleep+0x3e/0x62 [<ffffffff8093276a>] downwrite+0x20/0x72 [<ffffffff8000cf00>] _setmemory+0x82/0x2fa [<ffffffff8000d324>] _kernelmappages+0x5a/0xd4 [<ffffffff80196cca>] _allocpagesbulk+0x3b2/0x43a [<ffffffff8018ee82>] _vmallocnoderange+0x196/0x6ba [<ffffffff80011904>] copyprocess+0x72c/0x17ec [<ffffffff80012ab4>] kernelclone+0x60/0x2fe [<ffffffff80012f62>] kernelthread+0x82/0xa0 [<ffffffff8003552c>] kthreadd+0x14a/0x1be [<ffffffff809357de>] retfromfork+0xe/0x1c
Rewrite this function with applytoexistingpagerange(). It is fine to not have any locking, because _kernelmap_pages() works with pages being allocated/deallocated and those pages are not changed by anyone else in the meantime.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/8661a7af04991201640863ad1a0983173f84b5eb
- https://git.kernel.org/stable/c/919f8626099d9909b9a9620b05e8c8ab06581876
- https://git.kernel.org/stable/c/d5257ceb19d92069195254866421f425aea42915
- https://git.kernel.org/stable/c/fb1cf0878328fe75d47f0aed0a65b30126fcefc4
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced5fde3db5eb028b95aeefa1ab192d36800414e8b8Fixed919f8626099d9909b9a9620b05e8c8ab06581876
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced5fde3db5eb028b95aeefa1ab192d36800414e8b8Fixed8661a7af04991201640863ad1a0983173f84b5eb
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced5fde3db5eb028b95aeefa1ab192d36800414e8b8Fixedd5257ceb19d92069195254866421f425aea42915
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced5fde3db5eb028b95aeefa1ab192d36800414e8b8Fixedfb1cf0878328fe75d47f0aed0a65b30126fcefc4