CVE-2022-48731

Summary

In the Linux kernel, the following vulnerability has been resolved:

mm/kmemleak: avoid scanning potential huge holes

When using devm_request_free_mem_region() and devm_memremap_pages() to add ZONE_DEVICE memory, if requested free mem region's end pfn were huge(e.g., 0x400000000), the node_end_pfn() will be also huge (see move_pfn_range_to_zone()). Thus it creates a huge hole between node_start_pfn() and node_end_pfn().

We found on some AMD APUs, amdkfd requested such a free mem region and created a huge hole. In such a case, following code snippet was just doing busy test_bit() looping on the huge hole.

for (pfn = start_pfn; pfn < end_pfn; pfn++) { struct page *page = pfn_to_online_page(pfn); if (!page) continue; … }

So we got a soft lockup:

watchdog: BUG: soft lockup - CPU#6 stuck for 26s! [bash:1221] CPU: 6 PID: 1221 Comm: bash Not tainted 5.15.0-custom #1 RIP: 0010:pfn_to_online_page+0x5/0xd0 Call Trace: ? kmemleak_scan+0x16a/0x440 kmemleak_write+0x306/0x3a0 ? common_file_perm+0x72/0x170 full_proxy_write+0x5c/0x90 vfs_write+0xb9/0x260 ksys_write+0x67/0xe0 __x64_sys_write+0x1a/0x20 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae

I did some tests with the patch.

(1) amdgpu module unloaded

before the patch:

real 0m0.976s user 0m0.000s sys 0m0.968s

after the patch:

real 0m0.981s user 0m0.000s sys 0m0.973s

(2) amdgpu module loaded

before the patch:

real 0m35.365s user 0m0.000s sys 0m35.354s

after the patch:

real 0m1.049s user 0m0.000s sys 0m1.042s

Affected Software

VendorProductVersion RangeStatus
LinuxLinux4ef589dc9b10cdcae75a2b2b0e9b2c5e8a92c378 < d3533ee20e9a0e2e8f60384da7450d43d1c63d1aaffected
LinuxLinux4ef589dc9b10cdcae75a2b2b0e9b2c5e8a92c378 < 352715593e81b917ce1b321e794549815b850134affected
LinuxLinux4ef589dc9b10cdcae75a2b2b0e9b2c5e8a92c378 < a5389c80992f0001ee505838fe6a8b20897ce96eaffected
LinuxLinux4ef589dc9b10cdcae75a2b2b0e9b2c5e8a92c378 < cebb0aceb21ad91429617a40e3a17444fabf1529affected
LinuxLinux4ef589dc9b10cdcae75a2b2b0e9b2c5e8a92c378 < c10a0f877fe007021d70f9cada240f42adc2b5dbaffected
LinuxLinux4.14affected
LinuxLinux0 < 4.14unaffected
LinuxLinux5.4.178 <= 5.4.*unaffected
LinuxLinux5.10.99 <= 5.10.*unaffected
LinuxLinux5.15.22 <= 5.15.*unaffected
LinuxLinux5.16.8 <= 5.16.*unaffected
LinuxLinux5.17 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References