Description

In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list In shrink_folio_list(), the hwpoisoned folio may be large folio, which can't be handled by unmap_poisoned_folio(). For THP, try_to_unmap_one() must be passed with TTU_SPLIT_HUGE_PMD to split huge PMD first and then retry. Without TTU_SPLIT_HUGE_PMD, we will trigger null-ptr deref of pvmw.pte. Even we passed TTU_SPLIT_HUGE_PMD, we will trigger a WARN_ON_ONCE due to the page isn't in swapcache. Since UCE is rare in real world, and race with reclaimation is more rare, just skipping the hwpoisoned large folio is enough. memory_failure() will handle it if the UCE is triggered again. This happens when memory reclaim for large folio races with memory_failure(), and will lead to kernel panic. The race is as follows: cpu0 cpu1 shrink_folio_list memory_failure TestSetPageHWPoison unmap_poisoned_folio --> trigger BUG_ON due to unmap_poisoned_folio couldn't handle large folio [tujinjiang@huawei.com: add comment to unmap_poisoned_folio()]

Weaknesses 1

Affected Products 9

References 3

• git.kernel.org https://git.kernel.org/stable/c/656eaddbc952e1baae2f69281c22debe22140312
  Patch
• git.kernel.org https://git.kernel.org/stable/c/9f1e8cd0b7c4c944e9921b52a6661b5eda2705ab
  Patch
• git.kernel.org https://git.kernel.org/stable/c/c1101113d45838a823188ae25c61af97552a28ae
  Patch

Remediation

• git.kernel.org https://git.kernel.org/stable/c/656eaddbc952e1baae2f69281c22debe22140312
  Patch
• git.kernel.org https://git.kernel.org/stable/c/9f1e8cd0b7c4c944e9921b52a6661b5eda2705ab
  Patch
• git.kernel.org https://git.kernel.org/stable/c/c1101113d45838a823188ae25c61af97552a28ae
  Patch