In the Linux kernel, the following vulnerability has been resolved:
mm/mglru: fix div-by-zero in vmpressure_calc_level()
evict_folios() uses a second pass to reclaim folios that have gone through page writeback and become clean before it finishes the first pass, since folio_rotate_reclaimable() cannot handle those folios due to the isolation.
The second pass tries to avoid potential double counting by deducting scan_control->nr_scanned. However, this can result in underflow of nr_scanned, under a condition where shrink_folio_list() does not increment nr_scanned, i.e., when folio_trylock() fails.
The underflow can cause the divisor, i.e., scale=scanned+reclaimed in vmpressure_calc_level(), to become zero, resulting in the following crash:
[exception RIP: vmpressure_work_fn+101] process_one_work at ffffffffa3313f2b
Since scan_control->nr_scanned has no established semantics, the potential double counting has minimal risks. Therefore, fix the problem by not deducting scan_control->nr_scanned in evict_folios().
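The wraparound described above can be reproduced in a small user-space model; this is an added example, not kernel code and not part of the original commit. The helper names model_evict and model_scale, the struct layout and the page counts are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model of the counters named in the advisory.
 * This is not kernel code; all values below are constructed. */
struct scan_control {
    unsigned long nr_scanned;
    unsigned long nr_reclaimed;
};

/* Model one eviction round.
 *   counted   - pages the first pass added to nr_scanned
 *   retried   - pages queued for the second pass
 *   reclaimed - pages freed
 *   deduct    - true models the pre-fix deduction, false the fixed code */
static void model_evict(struct scan_control *sc, unsigned long counted,
                        unsigned long retried, unsigned long reclaimed,
                        bool deduct)
{
    sc->nr_scanned += counted;
    sc->nr_reclaimed += reclaimed;
    if (deduct)
        sc->nr_scanned -= retried; /* unsigned: wraps if retried > counted */
}

/* Divisor as the advisory describes it: scale = scanned + reclaimed. */
static unsigned long model_scale(unsigned long counted, unsigned long retried,
                                 unsigned long reclaimed, bool deduct)
{
    struct scan_control sc = {0, 0};

    model_evict(&sc, counted, retried, reclaimed, deduct);
    return sc.nr_scanned + sc.nr_reclaimed;
}

int main(void)
{
    /* 4 pages counted and reclaimed, 8 retried pages that were never
     * counted because the lock attempt failed (constructed numbers). */
    printf("pre-fix scale: %lu\n", model_scale(4, 8, 4, true));
    printf("fixed scale:   %lu\n", model_scale(4, 8, 4, false));
    return 0;
}
```

With the deduction in place the scanned counter wraps to a value that exactly cancels the reclaimed count, so the divisor is zero; without it the divisor stays positive.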