cve-2023-52489
Vulnerability from cvelistv5
Published
2024-02-29 15:52
Modified
2024-12-19 08:20
Summary
In the Linux kernel, the following vulnerability has been resolved:

mm/sparsemem: fix race in accessing memory_section->usage

The below race is observed on a PFN which falls into the device memory region with the system memory configuration where PFN's are such that [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end pfn contains the device memory PFN's as well, the compaction triggered will try on the device memory PFN's too though they end up in NOP(because pfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When from other core, the section mappings are being removed for the ZONE_DEVICE region, that the PFN in question belongs to, on which compaction is currently being operated is resulting into the kernel crash with CONFIG_SPASEMEM_VMEMAP enabled. The crash logs can be seen at [1].

compact_zone()                      memunmap_pages
-------------                       ---------------
__pageblock_pfn_to_page
   ......
 (a)pfn_valid():
     valid_section()//return true
                                    (b)__remove_pages()->
                                        sparse_remove_section()->
                                          section_deactivate():
                                          [Free the array ms->usage and set
                                           ms->usage = NULL]
     pfn_section_valid()
     [Access ms->usage which
     is NULL]

NOTE: From the above it can be said that the race is reduced to between the pfn_valid()/pfn_section_valid() and the section deactivate with SPASEMEM_VMEMAP enabled.

The commit b943f045a9af("mm/sparse: fix kernel crash with pfn_section_valid check") tried to address the same problem by clearing the SECTION_HAS_MEM_MAP with the expectation of valid_section() returns false thus ms->usage is not accessed.

Fix this issue by the below steps:

a) Clear SECTION_HAS_MEM_MAP before freeing the ->usage.

b) RCU protected read side critical section will either return NULL when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage.

c) Free the ->usage with kfree_rcu() and set ms->usage = NULL. No attempt will be made to access ->usage after this as the SECTION_HAS_MEM_MAP is cleared thus valid_section() return false.

Thanks to David/Pavan for their inputs on this patch.

[1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/

On Snapdragon SoC, with the mentioned memory configuration of PFN's as [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of issues daily while testing on a device farm.

For this particular issue below is the log. Though the below log is not directly pointing to the pfn_section_valid(){ ms->usage;}, when we loaded this dump on T32 lauterbach tool, it is pointing.

[ 540.578056] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 540.578068] Mem abort info:
[ 540.578070]   ESR = 0x0000000096000005
[ 540.578073]   EC = 0x25: DABT (current EL), IL = 32 bits
[ 540.578077]   SET = 0, FnV = 0
[ 540.578080]   EA = 0, S1PTW = 0
[ 540.578082]   FSC = 0x05: level 1 translation fault
[ 540.578085] Data abort info:
[ 540.578086]   ISV = 0, ISS = 0x00000005
[ 540.578088]   CM = 0, WnR = 0
[ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--)
[ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c
[ 540.579454] lr : compact_zone+0x994/0x1058
[ 540.579460] sp : ffffffc03579b510
[ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c
[ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640
[ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000
[ 540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140
[ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff
[ 540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001
[ 540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440
[ 540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4
[ 540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000
---truncated---
Impacted products
Vendor Product Version
Linux Linux Version: 5.3


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52489",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-12T14:56:15.828991Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:22:46.560Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:03:20.387Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/90ad17575d26874287271127d43ef3c2af876cea"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b448de2459b6d62a53892487ab18b7d823ff0529"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/68ed9e33324021e9d6b798e9db00ca3093d2012a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/70064241f2229f7ba7b9599a98f68d9142e81a97"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3a01daace71b521563c38bbbf874e14c3e58adb7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5ec8e8ea8b7783fab150cf86404fc38cb4db8800"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/mmzone.h",
            "mm/sparse.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "90ad17575d26874287271127d43ef3c2af876cea",
              "status": "affected",
              "version": "f46edbd1b1516da1fb34c917775168d5df576f78",
              "versionType": "git"
            },
            {
              "lessThan": "b448de2459b6d62a53892487ab18b7d823ff0529",
              "status": "affected",
              "version": "f46edbd1b1516da1fb34c917775168d5df576f78",
              "versionType": "git"
            },
            {
              "lessThan": "68ed9e33324021e9d6b798e9db00ca3093d2012a",
              "status": "affected",
              "version": "f46edbd1b1516da1fb34c917775168d5df576f78",
              "versionType": "git"
            },
            {
              "lessThan": "70064241f2229f7ba7b9599a98f68d9142e81a97",
              "status": "affected",
              "version": "f46edbd1b1516da1fb34c917775168d5df576f78",
              "versionType": "git"
            },
            {
              "lessThan": "3a01daace71b521563c38bbbf874e14c3e58adb7",
              "status": "affected",
              "version": "f46edbd1b1516da1fb34c917775168d5df576f78",
              "versionType": "git"
            },
            {
              "lessThan": "5ec8e8ea8b7783fab150cf86404fc38cb4db8800",
              "status": "affected",
              "version": "f46edbd1b1516da1fb34c917775168d5df576f78",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/mmzone.h",
            "mm/sparse.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.210",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/sparsemem: fix race in accessing memory_section-\u003eusage\n\nThe below race is observed on a PFN which falls into the device memory\nregion with the system memory configuration where PFN\u0027s are such that\n[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL].  Since normal zone start and end\npfn contains the device memory PFN\u0027s as well, the compaction triggered\nwill try on the device memory PFN\u0027s too though they end up in NOP(because\npfn_to_online_page() returns NULL for ZONE_DEVICE memory sections).  When\nfrom other core, the section mappings are being removed for the\nZONE_DEVICE region, that the PFN in question belongs to, on which\ncompaction is currently being operated is resulting into the kernel crash\nwith CONFIG_SPASEMEM_VMEMAP enabled.  The crash logs can be seen at [1].\n\ncompact_zone()\t\t\tmemunmap_pages\n-------------\t\t\t---------------\n__pageblock_pfn_to_page\n   ......\n (a)pfn_valid():\n     valid_section()//return true\n\t\t\t      (b)__remove_pages()-\u003e\n\t\t\t\t  sparse_remove_section()-\u003e\n\t\t\t\t    section_deactivate():\n\t\t\t\t    [Free the array ms-\u003eusage and set\n\t\t\t\t     ms-\u003eusage = NULL]\n     pfn_section_valid()\n     [Access ms-\u003eusage which\n     is NULL]\n\nNOTE: From the above it can be said that the race is reduced to between\nthe pfn_valid()/pfn_section_valid() and the section deactivate with\nSPASEMEM_VMEMAP enabled.\n\nThe commit b943f045a9af(\"mm/sparse: fix kernel crash with\npfn_section_valid check\") tried to address the same problem by clearing\nthe SECTION_HAS_MEM_MAP with the expectation of valid_section() returns\nfalse thus ms-\u003eusage is not accessed.\n\nFix this issue by the below steps:\n\na) Clear SECTION_HAS_MEM_MAP before freeing the -\u003eusage.\n\nb) RCU protected read side critical section will either return NULL\n   when SECTION_HAS_MEM_MAP is cleared or can successfully access 
-\u003eusage.\n\nc) Free the -\u003eusage with kfree_rcu() and set ms-\u003eusage = NULL.  No\n   attempt will be made to access -\u003eusage after this as the\n   SECTION_HAS_MEM_MAP is cleared thus valid_section() return false.\n\nThanks to David/Pavan for their inputs on this patch.\n\n[1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/\n\nOn Snapdragon SoC, with the mentioned memory configuration of PFN\u0027s as\n[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of\nissues daily while testing on a device farm.\n\nFor this particular issue below is the log.  Though the below log is\nnot directly pointing to the pfn_section_valid(){ ms-\u003eusage;}, when we\nloaded this dump on T32 lauterbach tool, it is pointing.\n\n[  540.578056] Unable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\n[  540.578068] Mem abort info:\n[  540.578070]   ESR = 0x0000000096000005\n[  540.578073]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  540.578077]   SET = 0, FnV = 0\n[  540.578080]   EA = 0, S1PTW = 0\n[  540.578082]   FSC = 0x05: level 1 translation fault\n[  540.578085] Data abort info:\n[  540.578086]   ISV = 0, ISS = 0x00000005\n[  540.578088]   CM = 0, WnR = 0\n[  540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--)\n[  540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c\n[  540.579454] lr : compact_zone+0x994/0x1058\n[  540.579460] sp : ffffffc03579b510\n[  540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c\n[  540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640\n[  540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000\n[  540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140\n[  540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff\n[  540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001\n[  540.579501] x11: 0000000000000000 
x10: 0000000000000000 x9 :ffffff897d2cd440\n[  540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4\n[  540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:20:47.821Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/90ad17575d26874287271127d43ef3c2af876cea"
        },
        {
          "url": "https://git.kernel.org/stable/c/b448de2459b6d62a53892487ab18b7d823ff0529"
        },
        {
          "url": "https://git.kernel.org/stable/c/68ed9e33324021e9d6b798e9db00ca3093d2012a"
        },
        {
          "url": "https://git.kernel.org/stable/c/70064241f2229f7ba7b9599a98f68d9142e81a97"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a01daace71b521563c38bbbf874e14c3e58adb7"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ec8e8ea8b7783fab150cf86404fc38cb4db8800"
        }
      ],
      "title": "mm/sparsemem: fix race in accessing memory_section-\u003eusage",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52489",
    "datePublished": "2024-02-29T15:52:08.718Z",
    "dateReserved": "2024-02-20T12:30:33.302Z",
    "dateUpdated": "2024-12-19T08:20:47.821Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52489\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-03-11T18:15:16.673\",\"lastModified\":\"2024-11-21T08:39:53.273\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/sparsemem: fix race in accessing memory_section-\u003eusage\\n\\nThe below race is observed on a PFN which falls into the device memory\\nregion with the system memory configuration where PFN\u0027s are such that\\n[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL].  Since normal zone start and end\\npfn contains the device memory PFN\u0027s as well, the compaction triggered\\nwill try on the device memory PFN\u0027s too though they end up in NOP(because\\npfn_to_online_page() returns NULL for ZONE_DEVICE memory sections).  When\\nfrom other core, the section mappings are being removed for the\\nZONE_DEVICE region, that the PFN in question belongs to, on which\\ncompaction is currently being operated is resulting into the kernel crash\\nwith CONFIG_SPASEMEM_VMEMAP enabled.  
The crash logs can be seen at [1].\\n\\ncompact_zone()\\t\\t\\tmemunmap_pages\\n-------------\\t\\t\\t---------------\\n__pageblock_pfn_to_page\\n   ......\\n (a)pfn_valid():\\n     valid_section()//return true\\n\\t\\t\\t      (b)__remove_pages()-\u003e\\n\\t\\t\\t\\t  sparse_remove_section()-\u003e\\n\\t\\t\\t\\t    section_deactivate():\\n\\t\\t\\t\\t    [Free the array ms-\u003eusage and set\\n\\t\\t\\t\\t     ms-\u003eusage = NULL]\\n     pfn_section_valid()\\n     [Access ms-\u003eusage which\\n     is NULL]\\n\\nNOTE: From the above it can be said that the race is reduced to between\\nthe pfn_valid()/pfn_section_valid() and the section deactivate with\\nSPASEMEM_VMEMAP enabled.\\n\\nThe commit b943f045a9af(\\\"mm/sparse: fix kernel crash with\\npfn_section_valid check\\\") tried to address the same problem by clearing\\nthe SECTION_HAS_MEM_MAP with the expectation of valid_section() returns\\nfalse thus ms-\u003eusage is not accessed.\\n\\nFix this issue by the below steps:\\n\\na) Clear SECTION_HAS_MEM_MAP before freeing the -\u003eusage.\\n\\nb) RCU protected read side critical section will either return NULL\\n   when SECTION_HAS_MEM_MAP is cleared or can successfully access -\u003eusage.\\n\\nc) Free the -\u003eusage with kfree_rcu() and set ms-\u003eusage = NULL.  No\\n   attempt will be made to access -\u003eusage after this as the\\n   SECTION_HAS_MEM_MAP is cleared thus valid_section() return false.\\n\\nThanks to David/Pavan for their inputs on this patch.\\n\\n[1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/\\n\\nOn Snapdragon SoC, with the mentioned memory configuration of PFN\u0027s as\\n[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of\\nissues daily while testing on a device farm.\\n\\nFor this particular issue below is the log.  
Though the below log is\\nnot directly pointing to the pfn_section_valid(){ ms-\u003eusage;}, when we\\nloaded this dump on T32 lauterbach tool, it is pointing.\\n\\n[  540.578056] Unable to handle kernel NULL pointer dereference at\\nvirtual address 0000000000000000\\n[  540.578068] Mem abort info:\\n[  540.578070]   ESR = 0x0000000096000005\\n[  540.578073]   EC = 0x25: DABT (current EL), IL = 32 bits\\n[  540.578077]   SET = 0, FnV = 0\\n[  540.578080]   EA = 0, S1PTW = 0\\n[  540.578082]   FSC = 0x05: level 1 translation fault\\n[  540.578085] Data abort info:\\n[  540.578086]   ISV = 0, ISS = 0x00000005\\n[  540.578088]   CM = 0, WnR = 0\\n[  540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--)\\n[  540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c\\n[  540.579454] lr : compact_zone+0x994/0x1058\\n[  540.579460] sp : ffffffc03579b510\\n[  540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c\\n[  540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640\\n[  540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000\\n[  540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140\\n[  540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff\\n[  540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001\\n[  540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440\\n[  540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4\\n[  540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mm/sparsemem: corrige la carrera al acceder a la secci\u00f3n_memoria-\u0026gt;uso La siguiente carrera se observa en un PFN que cae en la regi\u00f3n de memoria del dispositivo con la configuraci\u00f3n de memoria del sistema donde los PFN son tales que [ ZONA_NORMAL 
ZONA_DISPOSITIVO ZONA_NORMAL]. Dado que el pfn de inicio y fin de zona normal tambi\u00e9n contiene los PFN de la memoria del dispositivo, la compactaci\u00f3n activada probar\u00e1 tambi\u00e9n los PFN de la memoria del dispositivo aunque terminen en NOP (porque pfn_to_online_page() devuelve NULL para las secciones de memoria ZONE_DEVICE). Cuando desde otro n\u00facleo, las asignaciones de secci\u00f3n se eliminan para la regi\u00f3n ZONE_DEVICE, a la que pertenece el PFN en cuesti\u00f3n, en la que se est\u00e1 operando la compactaci\u00f3n actualmente, se produce el bloqueo del kernel con CONFIG_SPASEMEM_VMEMAP habilitado. Los registros de fallos se pueden ver en [1]. compact_zone() memunmap_pages ------------- --------------- __pageblock_pfn_to_page ...... (a)pfn_valid(): valid_section()/ /return true (b)__remove_pages()-\u0026gt; sparse_remove_section()-\u0026gt; section_deactivate(): [Libere la matriz ms-\u0026gt;usage y establezca ms-\u0026gt;usage = NULL] pfn_section_valid() [Acceda a ms-\u0026gt;usage que es NULL] NOTA: De lo anterior se puede decir que la carrera se reduce a entre pfn_valid()/pfn_section_valid() y la secci\u00f3n desactivada con SPASEMEM_VMEMAP habilitado. La confirmaci\u00f3n b943f045a9af(\\\"mm/sparse: fix kernel crash with pfn_section_valid check\\\") intent\u00f3 solucionar el mismo problema borrando SECTION_HAS_MEM_MAP con la expectativa de que valid_section() devuelva false, por lo que no se accede a ms-\u0026gt;usage. Solucione este problema siguiendo los pasos a continuaci\u00f3n: a) Borre SECTION_HAS_MEM_MAP antes de liberar el -\u0026gt;uso. b) La secci\u00f3n cr\u00edtica del lado de lectura protegida por RCU devolver\u00e1 NULL cuando se borre SECTION_HAS_MEM_MAP o podr\u00e1 acceder con \u00e9xito a -\u0026gt;uso. c) Libere -\u0026gt;usage con kfree_rcu() y establezca ms-\u0026gt;usage = NULL. 
No se intentar\u00e1 acceder a -\u0026gt;uso despu\u00e9s de esto, ya que SECTION_HAS_MEM_MAP se borra, por lo que valid_section() devuelve falso. Gracias a David/Pavan por sus aportes en este parche. [1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/ En Snapdragon SoC, con la configuraci\u00f3n de memoria mencionada de PFN como [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], pueden ver una gran cantidad de problemas diariamente mientras realizan pruebas en una granja de dispositivos. Para este problema en particular, a continuaci\u00f3n se encuentra el registro. Aunque el siguiente registro no apunta directamente a pfn_section_valid(){ ms-\u0026gt;usage;}, cuando cargamos este volcado en la herramienta Lauterbach T32, s\u00ed apunta. [ 540.578056] No se puede manejar la desreferencia del puntero NULL del kernel en la direcci\u00f3n virtual 0000000000000000 [ 540.578068] Informaci\u00f3n de cancelaci\u00f3n de memoria: [ 540.578070] ESR = 0x0000000096000005 [ 540.578073] EC = 0x25: DABT ( EL actual), IL = 32 bits [ 540.578077] SET = 0 , FnV = 0 [ 540.578080] EA = 0, S1PTW = 0 [ 540.578082] FSC = 0x05: error de traducci\u00f3n de nivel 1 [ 540.578085] Informaci\u00f3n de cancelaci\u00f3n de datos: [ 540.578086] ISV = 0, ISS = 0x00000005 [ 540.578088 ] CM = 0, WnR = 0 [ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--) [ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c [ 540.579454] lr : compact_zone+0x994/0x10 58 [540.579460] sp: ffffffc03579b510 [ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:00000000000000000c [ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640 [ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:00000000000000000 [ 540.579483] x20: 0 000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140 [ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff [ 540.579495] x14: 0000008000000000 x13: 00000000000000 00 
x12:0000000000000001 [ 540.579501]---truncado---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3a01daace71b521563c38bbbf874e14c3e58adb7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5ec8e8ea8b7783fab150cf86404fc38cb4db8800\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/68ed9e33324021e9d6b798e9db00ca3093d2012a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/70064241f2229f7ba7b9599a98f68d9142e81a97\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/90ad17575d26874287271127d43ef3c2af876cea\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b448de2459b6d62a53892487ab18b7d823ff0529\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3a01daace71b521563c38bbbf874e14c3e58adb7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/5ec8e8ea8b7783fab150cf86404fc38cb4db8800\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/68ed9e33324021e9d6b798e9db00ca3093d2012a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/70064241f2229f7ba7b9599a98f68d9142e81a97\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/90ad17575d26874287271127d43ef3c2af876cea\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/b448de2459b6d62a53892487ab18b7d823ff0529\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

