* CVE-2021-47090: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
@ 2024-03-04 18:11 Greg Kroah-Hartman
2024-03-05 18:45 ` Michal Hocko
0 siblings, 1 reply; 6+ messages in thread
From: Greg Kroah-Hartman @ 2024-03-04 18:11 UTC (permalink / raw)
To: linux-cve-announce; +Cc: Greg Kroah-Hartman
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
Hulk Robot reported a panic in put_page_testzero() when testing
madvise() with MADV_SOFT_OFFLINE. The BUG() is triggered when retrying
get_any_page(). This is because we keep MF_COUNT_INCREASED flag in
second try but the refcnt is not increased.
page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:737!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 5 PID: 2135 Comm: sshd Tainted: G B 5.16.0-rc6-dirty #373
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: release_pages+0x53f/0x840
Call Trace:
free_pages_and_swap_cache+0x64/0x80
tlb_flush_mmu+0x6f/0x220
unmap_page_range+0xe6c/0x12c0
unmap_single_vma+0x90/0x170
unmap_vmas+0xc4/0x180
exit_mmap+0xde/0x3a0
mmput+0xa3/0x250
do_exit+0x564/0x1470
do_group_exit+0x3b/0x100
__do_sys_exit_group+0x13/0x20
__x64_sys_exit_group+0x16/0x20
do_syscall_64+0x34/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Modules linked in:
---[ end trace e99579b570fe0649 ]---
RIP: 0010:release_pages+0x53f/0x840
The Linux kernel CVE team has assigned CVE-2021-47090 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.10 with commit b94e02822deb and fixed in 5.10.89 with commit 1f2070767401
Issue introduced in 5.10 with commit b94e02822deb and fixed in 5.15.12 with commit c691e7575eff
Issue introduced in 5.10 with commit b94e02822deb and fixed in 5.16 with commit 2a57d83c78f8
Please see https://www.kernel.org or a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2021-47090
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
mm/memory-failure.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/1f207076740101fed87074a6bc924dbe806f08a5
https://git.kernel.org/stable/c/c691e7575eff76e563b0199c23ec46bd454f43e3
https://git.kernel.org/stable/c/2a57d83c78f889bf3f54eede908d0643c40d5418
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: CVE-2021-47090: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
2024-03-04 18:11 CVE-2021-47090: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page() Greg Kroah-Hartman
@ 2024-03-05 18:45 ` Michal Hocko
2024-03-05 22:20 ` Greg Kroah-Hartman
0 siblings, 1 reply; 6+ messages in thread
From: Michal Hocko @ 2024-03-05 18:45 UTC (permalink / raw)
To: cve, linux-kernel; +Cc: Greg Kroah-Hartman
On Mon 04-03-24 19:11:17, Greg KH wrote:
> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
I would like to dispute this CVE. The interface is behind CAP_SYSADMIN
and allowing access to this to any untrusted party is risking serious
troubles. This is a testing only feature.
--
Michal Hocko
SUSE Labs
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: CVE-2021-47090: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
2024-03-05 18:45 ` Michal Hocko
@ 2024-03-05 22:20 ` Greg Kroah-Hartman
2024-03-06 8:06 ` Michal Hocko
0 siblings, 1 reply; 6+ messages in thread
From: Greg Kroah-Hartman @ 2024-03-05 22:20 UTC (permalink / raw)
To: Michal Hocko; +Cc: cve, linux-kernel
On Tue, Mar 05, 2024 at 07:45:04PM +0100, Michal Hocko wrote:
> On Mon 04-03-24 19:11:17, Greg KH wrote:
> > Description
> > ===========
> >
> > In the Linux kernel, the following vulnerability has been resolved:
> >
> > mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
>
> I would like to dispute this CVE. The interface is behind CAP_SYSADMIN
> and allowing access to this to any untrusted party is risking serious
> troubles. This is a testing only feature.
This fixes a weakness in the kernel, one that is allowed to crash it,
why isn't that a good thing to have a CVE entry for? Are we saying that
all VM_BUG_ON_PAGE() instances should not be accounted for? That's not
what the config option for CONFIG_DEBUG_VM says, it just says it will
affect performance.
Also /sys/devices/system/memory/soft_offline_page doesn't say "can crash
the system", so it should work properly, even if an admin uses it, it
shouldn't shut the box down.
confused,
greg k-h
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: CVE-2021-47090: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
2024-03-05 22:20 ` Greg Kroah-Hartman
@ 2024-03-06 8:06 ` Michal Hocko
2024-03-06 8:40 ` Greg Kroah-Hartman
2024-03-06 8:41 ` Greg Kroah-Hartman
0 siblings, 2 replies; 6+ messages in thread
From: Michal Hocko @ 2024-03-06 8:06 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: cve, linux-kernel
On Tue 05-03-24 22:20:17, Greg KH wrote:
> On Tue, Mar 05, 2024 at 07:45:04PM +0100, Michal Hocko wrote:
> > On Mon 04-03-24 19:11:17, Greg KH wrote:
> > > Description
> > > ===========
> > >
> > > In the Linux kernel, the following vulnerability has been resolved:
> > >
> > > mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
> >
> > I would like to dispute this CVE. The interface is behind CAP_SYSADMIN
> > and allowing access to this to any untrusted party is risking serious
> > troubles. This is a testing only feature.
>
> This fixes a weakness in the kernel, one that is allowed to crash it,
> why isn't that a good thing to have a CVE entry for? Are we saying that
> all VM_BUG_ON_PAGE() instances should not be accounted for? That's not
> what the config option for CONFIG_DEBUG_VM says, it just says it will
> affect performance.
I wouldn't personaly recommend anybody using CONFIG_DEBUG_VM=y in
production. But I am not questioning if somebody does that. This is
not really what I am objecting to. Hwpoisoning or soft offlining is not
aimed for other than testing purposes. Things can go wrong during
these oprations.
If you insist this still qualifies as a vulnaribility/weakness fix then
I would propose a new category pig-with-a-lipstick-CVE.
> Also /sys/devices/system/memory/soft_offline_page doesn't say "can crash
> the system", so it should work properly, even if an admin uses it, it
> shouldn't shut the box down.
I agree that Documentation/ABI/testing/sysfs-memory-page-offline would
benefit from an update. Documentation/admin-guide/mm/memory-hotplug.rst
is explicit about this being a testing feature.
--
Michal Hocko
SUSE Labs
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: CVE-2021-47090: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
2024-03-06 8:06 ` Michal Hocko
@ 2024-03-06 8:40 ` Greg Kroah-Hartman
2024-03-06 8:41 ` Greg Kroah-Hartman
1 sibling, 0 replies; 6+ messages in thread
From: Greg Kroah-Hartman @ 2024-03-06 8:40 UTC (permalink / raw)
To: Michal Hocko; +Cc: cve, linux-kernel
On Wed, Mar 06, 2024 at 09:06:42AM +0100, Michal Hocko wrote:
> On Tue 05-03-24 22:20:17, Greg KH wrote:
> > On Tue, Mar 05, 2024 at 07:45:04PM +0100, Michal Hocko wrote:
> > > On Mon 04-03-24 19:11:17, Greg KH wrote:
> > > > Description
> > > > ===========
> > > >
> > > > In the Linux kernel, the following vulnerability has been resolved:
> > > >
> > > > mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
> > >
> > > I would like to dispute this CVE. The interface is behind CAP_SYSADMIN
> > > and allowing access to this to any untrusted party is risking serious
> > > troubles. This is a testing only feature.
> >
> > This fixes a weakness in the kernel, one that is allowed to crash it,
> > why isn't that a good thing to have a CVE entry for? Are we saying that
> > all VM_BUG_ON_PAGE() instances should not be accounted for? That's not
> > what the config option for CONFIG_DEBUG_VM says, it just says it will
> > affect performance.
>
> I wouldn't personaly recommend anybody using CONFIG_DEBUG_VM=y in
> production. But I am not questioning if somebody does that. This is
> not really what I am objecting to. Hwpoisoning or soft offlining is not
> aimed for other than testing purposes. Things can go wrong during
> these oprations.
Agreed, things can go wrong, but people use them for "reasons" otherwise
we wouldn't have those options in the kernel at all. Because of that,
this "fix for a weakness" was given a CVE, that's all.
Again, we do not dictate use case, or severity at all, that's not our
role.
> If you insist this still qualifies as a vulnaribility/weakness fix then
> I would propose a new category pig-with-a-lipstick-CVE.
>
> > Also /sys/devices/system/memory/soft_offline_page doesn't say "can crash
> > the system", so it should work properly, even if an admin uses it, it
> > shouldn't shut the box down.
>
> I agree that Documentation/ABI/testing/sysfs-memory-page-offline would
> benefit from an update. Documentation/admin-guide/mm/memory-hotplug.rst
> is explicit about this being a testing feature.
The fact that I didn't even notice that is kind of proof that maybe
others might also miss it :)
thanks,
greg k-h
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: CVE-2021-47090: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
2024-03-06 8:06 ` Michal Hocko
2024-03-06 8:40 ` Greg Kroah-Hartman
@ 2024-03-06 8:41 ` Greg Kroah-Hartman
1 sibling, 0 replies; 6+ messages in thread
From: Greg Kroah-Hartman @ 2024-03-06 8:41 UTC (permalink / raw)
To: Michal Hocko; +Cc: cve, linux-kernel
On Wed, Mar 06, 2024 at 09:06:42AM +0100, Michal Hocko wrote:
> If you insist this still qualifies as a vulnaribility/weakness fix then
> I would propose a new category pig-with-a-lipstick-CVE.
We don't get to pick "categories" for CVEs, that's what other people do,
and I wish them the best of luck! :)
thanks,
greg k-h
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-03-06 8:41 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-03-04 18:11 CVE-2021-47090: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page() Greg Kroah-Hartman
2024-03-05 18:45 ` Michal Hocko
2024-03-05 22:20 ` Greg Kroah-Hartman
2024-03-06 8:06 ` Michal Hocko
2024-03-06 8:40 ` Greg Kroah-Hartman
2024-03-06 8:41 ` Greg Kroah-Hartman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.