CVE-2024-53105

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-53105
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53105.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-53105
Published
2024-12-02T13:44:38Z
Modified
2025-10-10T02:26:00.678188Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
mm: page_alloc: move mlocked flag clearance into free_pages_prepare()
Details

In the Linux kernel, the following vulnerability has been resolved:

mm: page_alloc: move mlocked flag clearance into free_pages_prepare()

Syzbot reported a bad page state problem caused by a page being freed using free_page() still having a mlocked flag at free_pages_prepare() stage:

BUG: Bad page state in process syz.5.504  pfn:61f45
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x61f45
flags: 0xfff00000080204(referenced|workingset|mlocked|node=0|zone=1|last_cpupid=0x7ff)
raw: 00fff00000080204 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 8443, tgid 8442 (syz.5.504), ts 201884660643, free_ts 201499827394
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
 kvm_coalesced_mmio_init+0x1f/0xf0 virt/kvm/coalesced_mmio.c:99
 kvm_create_vm virt/kvm/kvm_main.c:1235 [inline]
 kvm_dev_ioctl_create_vm virt/kvm/kvm_main.c:5488 [inline]
 kvm_dev_ioctl+0x12dc/0x2240 virt/kvm/kvm_main.c:5530
 __do_compat_sys_ioctl fs/ioctl.c:1007 [inline]
 __se_compat_sys_ioctl+0x510/0xc90 fs/ioctl.c:950
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0xb4/0x110 arch/x86/entry/common.c:386
 do_fast_syscall_32+0x34/0x80 arch/x86/entry/common.c:411
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
page last free pid 8399 tgid 8399 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_folios+0xf12/0x18d0 mm/page_alloc.c:2686
 folios_put_refs+0x76c/0x860 mm/swap.c:1007
 free_pages_and_swap_cache+0x5c8/0x690 mm/swap_state.c:335
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
 tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373
 tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465
 exit_mmap+0x496/0xc40 mm/mmap.c:1926
 __mmput+0x115/0x390 kernel/fork.c:1348
 exit_mm+0x220/0x310 kernel/exit.c:571
 do_exit+0x9b2/0x28e0 kernel/exit.c:926
 do_group_exit+0x207/0x2c0 kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [inline]
 __se_sys_exit_group kernel/exit.c:1097 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 8442 Comm: syz.5.504 Not tainted 6.12.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 bad_page+0x176/0x1d0 mm/page_alloc.c:501
 free_page_is_bad mm/page_alloc.c:918 [inline]
 free_pages_prepare mm/page_alloc.c:1100 [inline]
 free_unref_page+0xed0/0xf20 mm/page_alloc.c:2638
 kvm_destroy_vm virt/kvm/kvm_main.c:1327 [inline]
 kvm_put_kvm+0xc75/0x1350 virt/kvm/kvm_main.c:1386
 kvm_vcpu_release+0x54/0x60 virt/kvm/kvm_main.c:4143
 __fput+0x23f/0x880 fs/file_table.c:431
 task_work_run+0x24f/0x310 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xa2f/0x28e0 kernel/exit.c:939
 do_group_exit+0x207/0x2c0 kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [in
---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b109b87050df5438ee745b2bddfa3587970025bb
Fixed
2521664c1fc0fcea825ef0b4d8e2dfb622bc0f9a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b109b87050df5438ee745b2bddfa3587970025bb
Fixed
81ad32b87eb91b627a4b0d8760434e5fac4b993a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b109b87050df5438ee745b2bddfa3587970025bb
Fixed
7873d11911cd1d21e25c354eb130d8c3b5cb3ca5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b109b87050df5438ee745b2bddfa3587970025bb
Fixed
66edc3a5894c74f8887c8af23b97593a0dd0df4d

Affected versions

v5.*

v5.17
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.100
v6.1.101
v6.1.102
v6.1.103
v6.1.104
v6.1.105
v6.1.106
v6.1.107
v6.1.108
v6.1.109
v6.1.11
v6.1.110
v6.1.111
v6.1.112
v6.1.113
v6.1.114
v6.1.115
v6.1.116
v6.1.117
v6.1.118
v6.1.119
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.81
v6.1.82
v6.1.83
v6.1.84
v6.1.85
v6.1.86
v6.1.87
v6.1.88
v6.1.89
v6.1.9
v6.1.90
v6.1.91
v6.1.92
v6.1.93
v6.1.94
v6.1.95
v6.1.96
v6.1.97
v6.1.98
v6.1.99
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.2
v6.11.3
v6.11.4
v6.11.5
v6.11.6
v6.11.7
v6.11.8
v6.11.9
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.18.0
Fixed
6.1.120
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.66
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.11.10