A vulnerability in the Linux kernel has been resolved. syzbot reported a splat [1] in __unmap_hugepage_range(). The root cause is that vma_needs_reservation() can return -ENOMEM when allocate_file_region_entries() fails to allocate the file_region struct needed for the reservation.
The fix is to not call vma_add_reservation() when vma_needs_reservation() returns -ENOMEM. Since no file_region was allocated in that case, region_abort() and region_del() are then not affected by its absence.
In addition, when vma_needs_reservation() returns -ENOMEM, the hugetlb_restore_reserve flag is cleared, so the reservation is treated as if it were still consumed and free_huge_folio() does not increment the resv count.
Here is a code snippet that illustrates the change (h is the hstate of the VMA):
/* old code: -ENOMEM is non-zero, so it was treated as "reservation needed" */
if (vma_needs_reservation(h, vma, address))
    ret = vma_add_reservation(h, vma, address);

/* new code: only add the reservation when one is needed and the file_region was allocated;
 * on -ENOMEM the caller clears hugetlb_restore_reserve instead */
ret = vma_needs_reservation(h, vma, address);
if (ret && ret != -ENOMEM)
    ret = vma_add_reservation(h, vma, address);
This change ensures that vma_add_reservation() is not called when vma_needs_reservation() returns -ENOMEM, so the rest of the code never operates on a reservation map that has no file_region for the entry.
For more information regarding the issue, its identification, and resolution, refer to the original syzbot report [1].
In conclusion, the Linux kernel vulnerability CVE-2024-39477 has been resolved. By changing how vma_add_reservation() is called, the kernel now handles the case where vma_needs_reservation() returns -ENOMEM, preventing the crash in __unmap_hugepage_range() and the related reserve-count inconsistency.
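The accounting problem is easier to see with the two callers side by side. The following is an added user-space model written for this page, not kernel code: the reserve map, the folio flag, the global resv counter and the -ENOMEM fault injection are all simplifications, and the helper names only mirror the kernel's. It runs the pre-fix and post-fix caller logic with and without an injected allocation failure and reports the resulting global reserve count, which shows how the old path could bump resv_huge_pages while no reservation entry exists.

```c
/* Added example: user-space model of the hugetlb reservation-restore path
 * touched by CVE-2024-39477.  Everything here is a simplification. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_REGIONS 8

/* Simplified reserve map: reserved offsets plus a cache of preallocated
 * file_region entries.  In the kernel, vma_needs_reservation() preallocates
 * (region_chg) and vma_add_reservation() consumes (region_add). */
struct resv_map {
    unsigned long reserved[MAX_REGIONS];
    int nr_reserved;
    int cached_entries;   /* preallocated file_region entries */
    bool alloc_fails;     /* fault injection: allocation returns -ENOMEM */
};

struct folio_model {
    bool restore_reserve; /* models the hugetlb_restore_reserve flag */
};

/* Models h->resv_huge_pages, adjusted by free_huge_folio(). */
static long resv_huge_pages;

static bool region_present(const struct resv_map *m, unsigned long off)
{
    for (int i = 0; i < m->nr_reserved; i++)
        if (m->reserved[i] == off)
            return true;
    return false;
}

/* 0: entry already covers the offset; 1: needed, entry preallocated;
 * -ENOMEM: preallocation failed (the case behind the splat). */
static long vma_needs_reservation(struct resv_map *m, unsigned long off)
{
    if (region_present(m, off))
        return 0;
    if (m->alloc_fails)
        return -ENOMEM;
    m->cached_entries++;
    return 1;
}

/* Consume a preallocated entry.  Being called with none is the inconsistent
 * state the kernel splats on; the model reports -EFAULT instead. */
static long vma_add_reservation(struct resv_map *m, unsigned long off)
{
    if (m->cached_entries == 0 || m->nr_reserved == MAX_REGIONS)
        return -EFAULT;
    m->cached_entries--;
    m->reserved[m->nr_reserved++] = off;
    return 0;
}

static void free_huge_folio(struct folio_model *f)
{
    if (f->restore_reserve)
        resv_huge_pages++;   /* reservation handed back to the global pool */
}

/* Pre-fix caller: -ENOMEM is non-zero, so it counts as "needs reservation". */
static long unmap_restore_old(struct resv_map *m, struct folio_model *f, unsigned long off)
{
    long ret = 0;
    if (vma_needs_reservation(m, off))
        ret = vma_add_reservation(m, off);
    free_huge_folio(f);
    return ret;
}

/* Post-fix caller: skip vma_add_reservation() on -ENOMEM and clear the
 * restore flag so the reservation is treated as still consumed. */
static long unmap_restore_new(struct resv_map *m, struct folio_model *f, unsigned long off)
{
    long ret = vma_needs_reservation(m, off);
    if (ret == -ENOMEM)
        f->restore_reserve = false;
    else if (ret > 0)
        ret = vma_add_reservation(m, off);
    free_huge_folio(f);
    return ret;
}

/* Run one scenario from a fresh state; resv_huge_pages holds the outcome. */
static long run_scenario(bool use_fix, bool inject_enomem)
{
    struct resv_map m = { .alloc_fails = inject_enomem };
    struct folio_model f = { .restore_reserve = true };

    resv_huge_pages = 0;
    return use_fix ? unmap_restore_new(&m, &f, 42) : unmap_restore_old(&m, &f, 42);
}

int main(void)
{
    for (int fix = 0; fix < 2; fix++)
        for (int oom = 0; oom < 2; oom++) {
            long ret = run_scenario(fix, oom);
            printf("%s caller, %s: ret=%ld resv_huge_pages=%ld\n",
                   fix ? "fixed" : "old", oom ? "-ENOMEM injected" : "normal",
                   ret, resv_huge_pages);
        }
    return 0;
}
```

With -ENOMEM injected, the old caller reaches vma_add_reservation() without a preallocated entry (reported here as -EFAULT) and still increments resv_huge_pages, so the counter claims a reservation that the map does not hold. The fixed caller returns -ENOMEM, leaves the counter untouched because the flag was cleared, and behaves identically to the old caller when no allocation failure occurs.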
References
Timeline
Published on: 07/05/2024 07:15:10 UTC
Last modified on: 07/15/2024 06:50:12 UTC