{"id":"CVE-2024-56673","summary":"riscv: mm: Do not call pmd dtor on vmemmap page table teardown","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: mm: Do not call pmd dtor on vmemmap page table teardown\n\nThe vmemmap's, which is used for RV64 with SPARSEMEM_VMEMMAP, page\ntables are populated using pmd (page middle directory) hugetables.\nHowever, the pmd allocation is not using the generic mechanism used by\nthe VMA code (e.g. pmd_alloc()), or the RISC-V specific\ncreate_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table\ncode allocates a page, and calls vmemmap_set_pmd(). This results in\nthat the pmd ctor is *not* called, nor would it make sense to do so.\n\nNow, when tearing down a vmemmap page table pmd, the cleanup code\nwould unconditionally, and incorrectly call the pmd dtor, which\nresults in a crash (best case).\n\nThis issue was found when running the HMM selftests:\n\n  | tools/testing/selftests/mm# ./test_hmm.sh smoke\n  | ... # when unloading the test_hmm.ko module\n  | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b\n  | flags: 0x1000000000000000(node=0|zone=1)\n  | raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000\n  | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n  | page dumped because: VM_BUG_ON_PAGE(ptdesc-\u003epmd_huge_pte)\n  | ------------[ cut here ]------------\n  | kernel BUG at include/linux/mm.h:3080!\n  | Kernel BUG [#1]\n  | Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod\n  | CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G        W          6.12.0-00982-gf2a4f1682d07 #2\n  | Tainted: [W]=WARN\n  | Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024\n  | epc : remove_pgd_mapping+0xbec/0x1070\n  |  ra : remove_pgd_mapping+0xbec/0x1070\n  | epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940\n  |  gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04\n  |  t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50\n  |  s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008\n  |  a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000\n  |  a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8\n  |  s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000\n  |  s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000\n  |  s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0\n  |  s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00\n  |  t5 : ff60000080244000 t6 : ff20000000a73708\n  | status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003\n  | [\u003cffffffff80010a68\u003e] remove_pgd_mapping+0xbec/0x1070\n  | [\u003cffffffff80fd238e\u003e] vmemmap_free+0x14/0x1e\n  | [\u003cffffffff8032e698\u003e] section_deactivate+0x220/0x452\n  | [\u003cffffffff8032ef7e\u003e] sparse_remove_section+0x4a/0x58\n  | [\u003cffffffff802f8700\u003e] __remove_pages+0x7e/0xba\n  | [\u003cffffffff803760d8\u003e] memunmap_pages+0x2bc/0x3fe\n  | [\u003cffffffff02a3ca28\u003e] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm]\n  | [\u003cffffffff02a3e026\u003e] hmm_dmirror_exit+0x3e/0x1018 [test_hmm]\n  | [\u003cffffffff80102c14\u003e] __riscv_sys_delete_module+0x15a/0x2a6\n  | [\u003cffffffff80fd020c\u003e] do_trap_ecall_u+0x1f2/0x266\n  | [\u003cffffffff80fde0a2\u003e] _new_vmalloc_restore_context_a0+0xc6/0xd2\n  | Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597\n  | ---[ end trace 0000000000000000 ]---\n  | Kernel panic - not syncing: Fatal exception in interrupt\n\nAdd a check to avoid calling the pmd dtor, if the calling context is\nvmemmap_free().","modified":"2026-03-20T12:39:55.412482Z","published":"2024-12-27T15:06:34.280Z","related":["USN-7379-2","USN-7380-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56673.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/21f1b85c8912262adf51707e63614a114425eb10"},{"type":"WEB","url":"https://git.kernel.org/stable/c/344945806f2f7af68be98bac02836c867f223aa9"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56673.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56673"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c75a74f4ba19c904c0ae1e011ae2568449409ae4"},{"fixed":"344945806f2f7af68be98bac02836c867f223aa9"},{"fixed":"21f1b85c8912262adf51707e63614a114425eb10"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56673.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}