CVE-2024-40949

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-40949
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40949.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-40949
Downstream
Published
2024-07-12T12:31:54Z
Modified
2025-10-17T07:49:48.352268Z
Summary
mm: shmem: fix getting incorrect lruvec when replacing a shmem folio
Details

In the Linux kernel, the following vulnerability has been resolved:

mm: shmem: fix getting incorrect lruvec when replacing a shmem folio

When testing shmem swapin, I encountered the warning below on my machine. The reason is that replacing an old shmem folio with a new one causes memcgroupmigrate() to clear the old folio's memcg data. As a result, the old folio cannot get the correct memcg's lruvec needed to remove itself from the LRU list when it is being freed. This could lead to possible serious problems, such as LRU list crashes due to holding the wrong LRU lock, and incorrect LRU statistics.

To fix this issue, we can fallback to use the memcgroupreplace_folio() to replace the old shmem folio.

[ 5241.100311] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5d9960 [ 5241.100317] head: order:4 mapcount:0 entiremapcount:0 nrpagesmapped:0 pincount:0 [ 5241.100319] flags: 0x17fffe0000040068(uptodate|lru|head|swapbacked|node=0|zone=2|lastcpupid=0x3ffff) [ 5241.100323] raw: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000 [ 5241.100325] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 5241.100326] head: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000 [ 5241.100327] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 5241.100328] head: 17fffe0000000204 fffffdffd6665801 ffffffffffffffff 0000000000000000 [ 5241.100329] head: 0000000a00000010 0000000000000000 00000000ffffffff 0000000000000000 [ 5241.100330] page dumped because: VMWARNONONCEFOLIO(!memcg && !memcgroupdisabled()) [ 5241.100338] ------------[ cut here ]------------ [ 5241.100339] WARNING: CPU: 19 PID: 78402 at include/linux/memcontrol.h:775 foliolruveclockirqsave+0x140/0x150 [...] [ 5241.100374] pc : foliolruveclockirqsave+0x140/0x150 [ 5241.100375] lr : foliolruveclockirqsave+0x138/0x150 [ 5241.100376] sp : ffff80008b38b930 [...] [ 5241.100398] Call trace: [ 5241.100399] foliolruveclockirqsave+0x140/0x150 [ 5241.100401] _pagecacherelease+0x90/0x300 [ 5241.100404] _folioput+0x50/0x108 [ 5241.100406] shmemreplacefolio+0x1b4/0x240 [ 5241.100409] shmemswapinfolio+0x314/0x528 [ 5241.100411] shmemgetfoliogfp+0x3b4/0x930 [ 5241.100412] shmemfault+0x74/0x160 [ 5241.100414] _dofault+0x40/0x218 [ 5241.100417] dosharedfault+0x34/0x1b0 [ 5241.100419] dofault+0x40/0x168 [ 5241.100420] handleptefault+0x80/0x228 [ 5241.100422] _handlemmfault+0x1c4/0x440 [ 5241.100424] handlemmfault+0x60/0x1f0 [ 5241.100426] dopagefault+0x120/0x488 [ 5241.100429] dotranslationfault+0x4c/0x68 [ 5241.100431] domemabort+0x48/0xa0 [ 5241.100434] el0da+0x38/0xc0 [ 5241.100436] el0t64synchandler+0x68/0xc0 [ 5241.100437] el0t64sync+0x14c/0x150 [ 5241.100439] ---[ end trace 0000000000000000 ]---

[baolin.wang@linux.alibaba.com: remove less helpful comments, per Matthew]

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
85ce2c517ade0d51b7ad95f2e88be9bbe294379a
Fixed
8c6c3719ebb7913f8a665d11816d2e38b0eadbab
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
85ce2c517ade0d51b7ad95f2e88be9bbe294379a
Fixed
9094b4a1c76cfe84b906cc152bab34d4ba26fa5c

Affected versions

v6.*

v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.6
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "id": "CVE-2024-40949-87aaab4a",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9094b4a1c76cfe84b906cc152bab34d4ba26fa5c",
        "signature_version": "v1",
        "target": {
            "file": "mm/shmem.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "249166782778335019435745990618143023935",
                "8885100464711786498387210662089916616",
                "229507870597849782057502586241113327531",
                "193958315667464994938924123399107965561"
            ]
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-40949-972388f0",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9094b4a1c76cfe84b906cc152bab34d4ba26fa5c",
        "signature_version": "v1",
        "target": {
            "function": "shmem_replace_folio",
            "file": "mm/shmem.c"
        },
        "digest": {
            "function_hash": "223997310535934612363855601227217867415",
            "length": 1116.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-40949-ab7a8123",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8c6c3719ebb7913f8a665d11816d2e38b0eadbab",
        "signature_version": "v1",
        "target": {
            "file": "mm/shmem.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "249166782778335019435745990618143023935",
                "8885100464711786498387210662089916616",
                "229507870597849782057502586241113327531",
                "193958315667464994938924123399107965561"
            ]
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-40949-e612eb7c",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8c6c3719ebb7913f8a665d11816d2e38b0eadbab",
        "signature_version": "v1",
        "target": {
            "function": "shmem_replace_folio",
            "file": "mm/shmem.c"
        },
        "digest": {
            "function_hash": "223997310535934612363855601227217867415",
            "length": 1116.0
        },
        "deprecated": false
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.9.7