概要

In the Linux kernel, the following vulnerability has been resolved: riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context __kernel_map_pages() is a debug function which clears the valid bit in page table entry for deallocated pages to detect illegal memory accesses to freed pages. This function set/clear the valid bit using __set_memory(). __set_memory() acquires init_mm's semaphore, and this operation may sleep. This is problematic, because __kernel_map_pages() can be called in atomic context, and thus is illegal to sleep. An example warning that this causes: BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd preempt_count: 2, expected: 0 CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37 Hardware name: riscv-virtio,qemu (DT) Call Trace: [<ffffffff800060dc&gt;] dump_backtrace+0x1c/0x24 [<ffffffff8091ef6e&gt;] show_stack+0x2c/0x38 [<ffffffff8092baf8&gt;] dump_stack_lvl+0x5a/0x72 [<ffffffff8092bb24&gt;] dump_stack+0x14/0x1c [<ffffffff8003b7ac&gt;] __might_resched+0x104/0x10e [<ffffffff8003b7f4&gt;] __might_sleep+0x3e/0x62 [<ffffffff8093276a&gt;] down_write+0x20/0x72 [<ffffffff8000cf00&gt;] __set_memory+0x82/0x2fa [<ffffffff8000d324&gt;] __kernel_map_pages+0x5a/0xd4 [<ffffffff80196cca&gt;] __alloc_pages_bulk+0x3b2/0x43a [<ffffffff8018ee82&gt;] __vmalloc_node_range+0x196/0x6ba [<ffffffff80011904&gt;] copy_process+0x72c/0x17ec [<ffffffff80012ab4&gt;] kernel_clone+0x60/0x2fe [<ffffffff80012f62&gt;] kernel_thread+0x82/0xa0 [<ffffffff8003552c&gt;] kthreadd+0x14a/0x1be [<ffffffff809357de&gt;] ret_from_fork+0xe/0x1c Rewrite this function with apply_to_existing_page_range(). It is fine to not have any locking, because __kernel_map_pages() works with pages being allocated/deallocated and those pages are not changed by anyone else in the meantime.

CVSS v3 指标

安全公告

影响产品