CVE-2024-57884

In the Linux kernel, the following vulnerability has been resolved:

mm: vmscan: account for free pages to prevent infinite Loop in throttledirectreclaim()

The task sometimes continues looping in throttledirectreclaim() because allowdirectreclaim(pgdat) keeps returning false.

#0 [ffff80002cb6f8d0] _switchto at ffff8000080095ac #1 [ffff80002cb6f900] _schedule at ffff800008abbd1c #2 [ffff80002cb6f990] schedule at ffff800008abc50c #3 [ffff80002cb6f9b0] throttledirectreclaim at ffff800008273550 #4 [ffff80002cb6fa20] trytofreepages at ffff800008277b68 #5 [ffff80002cb6fae0] _allocpagesnodemask at ffff8000082c4660 #6 [ffff80002cb6fc50] allocpagesvma at ffff8000082e4a98 #7 [ffff80002cb6fca0] doanonymouspage at ffff80000829f5a8 #8 [ffff80002cb6fce0] _handlemmfault at ffff8000082a5974 #9 [ffff80002cb6fd90] handlemmfault at ffff8000082a5bd4

At this point, the pgdat contains the following two zones:

    NODE: 4  ZONE: 0  ADDR: ffff00817fffe540  NAME: "DMA32"
      SIZE: 20480  MIN/LOW/HIGH: 11/28/45
      VM_STAT:
            NR_FREE_PAGES: 359
    NR_ZONE_INACTIVE_ANON: 18813
      NR_ZONE_ACTIVE_ANON: 0
    NR_ZONE_INACTIVE_FILE: 50
      NR_ZONE_ACTIVE_FILE: 0
      NR_ZONE_UNEVICTABLE: 0
    NR_ZONE_WRITE_PENDING: 0
                 NR_MLOCK: 0
                NR_BOUNCE: 0
               NR_ZSPAGES: 0
        NR_FREE_CMA_PAGES: 0

    NODE: 4  ZONE: 1  ADDR: ffff00817fffec00  NAME: "Normal"
      SIZE: 8454144  PRESENT: 98304  MIN/LOW/HIGH: 68/166/264
      VM_STAT:
            NR_FREE_PAGES: 146
    NR_ZONE_INACTIVE_ANON: 94668
      NR_ZONE_ACTIVE_ANON: 3
    NR_ZONE_INACTIVE_FILE: 735
      NR_ZONE_ACTIVE_FILE: 78
      NR_ZONE_UNEVICTABLE: 0
    NR_ZONE_WRITE_PENDING: 0
                 NR_MLOCK: 0
                NR_BOUNCE: 0
               NR_ZSPAGES: 0
        NR_FREE_CMA_PAGES: 0

In allowdirectreclaim(), while processing ZONEDMA32, the sum of inactive/active file-backed pages calculated in zonereclaimablepages() based on the result of zonepagestatesnapshot() is zero.

Additionally, since this system lacks swap, the calculation of inactive/ active anonymous pages is skipped.

    crash> p nr_swap_pages
    nr_swap_pages = $1937 = {
      counter = 0
    }

As a result, ZONEDMA32 is deemed unreclaimable and skipped, moving on to the processing of the next zone, ZONENORMAL, despite ZONE_DMA32 having free pages significantly exceeding the high watermark.

The problem is that the pgdat->kswapd_failures hasn't been incremented.

    crash> px ((struct pglist_data *) 0xffff00817fffe540)->kswapd_failures
    $1935 = 0x0

This is because the node deemed balanced. The node balancing logic in balancepgdat() evaluates all zones collectively. If one or more zones (e.g., ZONEDMA32) have enough free pages to meet their watermarks, the entire node is deemed balanced. This causes balancepgdat() to exit early before incrementing the kswapdfailures, as it considers the overall memory state acceptable, even though some zones (like ZONE_NORMAL) remain under significant pressure.

The patch ensures that zonereclaimablepages() includes free pages (NRFREEPAGES) in its calculation when no other reclaimable pages are available (e.g., file-backed or anonymous pages). This change prevents zones like ZONEDMA32, which have sufficient free pages, from being mistakenly deemed unreclaimable. By doing so, the patch ensures proper node balancing, avoids masking pressure on other zones like ZONENORMAL, and prevents infinite loops in throttledirectreclaim() caused by allowdirectreclaim(pgdat) repeatedly returning false.

The kernel hangs due to a task stuck in throttledirectreclaim(), caused by a node being incorrectly deemed balanced despite pressure in certain zones, such as ZONENORMAL. This issue arises from zonereclaimable_pages ---truncated---