AI Score
Confidence
Low
EPSS
Percentile
15.6%
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
In the Linux kernel, the following vulnerability has been resolved:
mm/kmemleak: avoid scanning potential huge holes
When using devm_request_free_mem_region() and devm_memremap_pages() to
add ZONE_DEVICE memory, if requested free mem region’s end pfn were
huge(e.g., 0x400000000), the node_end_pfn() will be also huge (see
move_pfn_range_to_zone()). Thus it creates a huge hole between
node_start_pfn() and node_end_pfn().
We found on some AMD APUs, amdkfd requested such a free mem region and
created a huge hole. In such a case, following code snippet was just
doing busy test_bit() looping on the huge hole.
for (pfn = start_pfn; pfn < end_pfn; pfn++) {
struct page *page = pfn_to_online_page(pfn);
if (!page)
continue;
…
}
So we got a soft lockup:
watchdog: BUG: soft lockup - CPU#6 stuck for 26s! [bash:1221]
CPU: 6 PID: 1221 Comm: bash Not tainted 5.15.0-custom #1
RIP: 0010:pfn_to_online_page+0x5/0xd0
Call Trace:
? kmemleak_scan+0x16a/0x440
kmemleak_write+0x306/0x3a0
? common_file_perm+0x72/0x170
full_proxy_write+0x5c/0x90
vfs_write+0xb9/0x260
ksys_write+0x67/0xe0
__x64_sys_write+0x1a/0x20
do_syscall_64+0x3b/0xc0
entry_SYSCALL_64_after_hwframe+0x44/0xae
I did some tests with the patch.
(1) amdgpu module unloaded
before the patch:
real 0m0.976s
user 0m0.000s
sys 0m0.968s
after the patch:
real 0m0.981s
user 0m0.000s
sys 0m0.973s
(2) amdgpu module loaded
before the patch:
real 0m35.365s
user 0m0.000s
sys 0m35.354s
after the patch:
real 0m1.049s
user 0m0.000s
sys 0m1.042s
[
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "affected",
"version": "1da177e4c3f4",
"lessThan": "d3533ee20e9a",
"versionType": "git"
},
{
"status": "affected",
"version": "1da177e4c3f4",
"lessThan": "352715593e81",
"versionType": "git"
},
{
"status": "affected",
"version": "1da177e4c3f4",
"lessThan": "a5389c80992f",
"versionType": "git"
},
{
"status": "affected",
"version": "1da177e4c3f4",
"lessThan": "cebb0aceb21a",
"versionType": "git"
},
{
"status": "affected",
"version": "1da177e4c3f4",
"lessThan": "c10a0f877fe0",
"versionType": "git"
}
],
"programFiles": [
"mm/kmemleak.c"
],
"defaultStatus": "unaffected"
},
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "unaffected",
"version": "5.4.178",
"versionType": "custom",
"lessThanOrEqual": "5.4.*"
},
{
"status": "unaffected",
"version": "5.10.99",
"versionType": "custom",
"lessThanOrEqual": "5.10.*"
},
{
"status": "unaffected",
"version": "5.15.22",
"versionType": "custom",
"lessThanOrEqual": "5.15.*"
},
{
"status": "unaffected",
"version": "5.16.8",
"versionType": "custom",
"lessThanOrEqual": "5.16.*"
},
{
"status": "unaffected",
"version": "5.17",
"versionType": "original_commit_for_fix",
"lessThanOrEqual": "*"
}
],
"programFiles": [
"mm/kmemleak.c"
],
"defaultStatus": "affected"
}
]
git.kernel.org/stable/c/352715593e81b917ce1b321e794549815b850134
git.kernel.org/stable/c/a5389c80992f0001ee505838fe6a8b20897ce96e
git.kernel.org/stable/c/c10a0f877fe007021d70f9cada240f42adc2b5db
git.kernel.org/stable/c/cebb0aceb21ad91429617a40e3a17444fabf1529
git.kernel.org/stable/c/d3533ee20e9a0e2e8f60384da7450d43d1c63d1a