CVE-2024-26987
published 2024-05-01


Priority: P2 (78)
Severity: medium, 5.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 0.18% (7.2 percentile)
In the Linux kernel, the following vulnerability has been resolved:

mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled

When I did hard offline test with hugetlb pages, below deadlock occurs:

  WARNING: possible circular locking dependency detected
  6.8.0-11409-gf6cef5f8c37f #1 Not tainted
  bash/46904 is trying to acquire lock:
  ffffffffabe68910 (cpu_hotplug_lock){++++}-{0:0}, at: static_key_slow_dec+0x16/0x60

  but task is already holding lock:
  ffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40

  which lock already depends on the new lock.

  the existing dependency chain (in reverse order) is:

  -> #1 (pcp_batch_high_lock){+.+.}-{3:3}:
         __mutex_lock+0x6c/0x770
         page_alloc_cpu_online+0x3c/0x70
         cpuhp_invoke_callback+0x397/0x5f0
         __cpuhp_invoke_callback_range+0x71/0xe0
         _cpu_up+0xeb/0x210
         cpu_up+0x91/0xe0
         cpuhp_bringup_mask+0x49/0xb0
         bringup_nonboot_cpus+0xb7/0xe0
         smp_init+0x25/0xa0
         kernel_init_freeable+0x15f/0x3e0
         kernel_init+0x15/0x1b0
         ret_from_fork+0x2f/0x50
         ret_from_fork_asm+0x1a/0x30

  -> #0 (cpu_hotplug_lock){++++}-{0:0}:
         __lock_acquire+0x1298/0x1cd0
         lock_acquire+0xc0/0x2b0
         cpus_read_lock+0x2a/0xc0
         static_key_slow_dec+0x16/0x60
         __hugetlb_vmemmap_restore_folio+0x1b9/0x200
         dissolve_free_huge_page+0x211/0x260
         __page_handle_poison+0x45/0xc0
         memory_failure+0x65e/0xc70
         hard_offline_page_store+0x55/0xa0
         kernfs_fop_write_iter+0x12c/0x1d0
         vfs_write+0x387/0x550
         ksys_write+0x64/0xe0
         do_syscall_64+0xca/0x1e0
         entry_SYSCALL_64_after_hwframe+0x6d/0x75

  other info that might help us debug this:

   Possible unsafe locking scenario:

         CPU0                    CPU1
         ----                    ----
    lock(pcp_batch_high_lock);
                                 lock(cpu_hotplug_lock);
                                 lock(pcp_batch_high_lock);
    rlock(cpu_hotplug_lock);

   *** DEADLOCK ***

  5 locks held by bash/46904:
   #0: ffff98f6c3bb23f0 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x64/0xe0
   #1: ffff98f6c328e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0xf8/0x1d0
   #2: ffff98ef83b31890 (kn->active#113){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x100/0x1

Affected

23 ranges

Vendor        | Product                                              | Version range                                                                              | Fixed in
debian        | linux                                                | < linux 6.1.90-1 (bookworm)                                                                | linux 6.1.90-1 (bookworm)
fedoraproject | fedora                                               |                                                                                            |
fedoraproject | fedora                                               |                                                                                            |
fedoraproject | fedora                                               |                                                                                            |
linux         | linux                                                |                                                                                            |
linux         | linux                                                | >= a6b40850c442bf996e729e1d441d3dbc37cea171 < 5ef7ba2799a3b5ed292b8f6407376e2c25ef002e    | 5ef7ba2799a3b5ed292b8f6407376e2c25ef002e
linux         | linux                                                | >= a6b40850c442bf996e729e1d441d3dbc37cea171 < 882e1180c83f5b75bae03d0ccc31ccedfe5159de    | 882e1180c83f5b75bae03d0ccc31ccedfe5159de
linux         | linux                                                | >= a6b40850c442bf996e729e1d441d3dbc37cea171 < 49955b24002dc16a0ae2e83a57a2a6c863a1845c    | 49955b24002dc16a0ae2e83a57a2a6c863a1845c
linux         | linux                                                | >= a6b40850c442bf996e729e1d441d3dbc37cea171 < 1983184c22dd84a4d95a71e5c6775c2638557dc7    | 1983184c22dd84a4d95a71e5c6775c2638557dc7
linux         | linux_kernel                                         |                                                                                            |
linux         | linux_kernel                                         | >= 0 < 6.1.90-1                                                                            | 6.1.90-1
linux         | linux_kernel                                         | >= 0 < 6.8.9-1                                                                             | 6.8.9-1
linux         | linux_kernel                                         | >= 0 < 6.8.9-1                                                                             | 6.8.9-1
linux         | linux_kernel                                         | >= 0 < 6.8.0-38.38                                                                         | 6.8.0-38.38
linux         | linux_kernel                                         | >= 5.18 < 6.1.88                                                                           | 6.1.88
linux         | linux_kernel                                         | >= 6.2 < 6.6.29                                                                            | 6.6.29
linux         | linux_kernel                                         | >= 6.7 < 6.8.8                                                                             | 6.8.8
msrc          | azl3_hyperv-daemons_6.6.22.1-2_on_azure_linux_3.0    |                                                                                            |
msrc          | azl3_hyperv-daemons_6.6.35.1-1_on_azure_linux_3.0    |                                                                                            |
msrc          | azl3_kernel_6.6.22.1-2_on_azure_linux_3.0            |                                                                                            |
msrc          | azl3_kernel_6.6.35.1-5_on_azure_linux_3.0            |                                                                                            |
msrc          | azure_linux_3.0_arm                                  |                                                                                            |
msrc          | azure_linux_3.0_x64                                  |                                                                                            |

Detection & IOCs (extracted from sources)

  • Deadlock condition is triggered via the hard_offline_page_store sysfs write path when hugetlb_optimize_vmemmap is enabled; monitor for kernel WARNING messages indicating circular locking dependency between pcp_batch_high_lock and cpu_hotplug_lock
  • The deadlock call chain to watch for in kernel stack traces: hard_offline_page_store -> memory_failure -> __page_handle_poison -> dissolve_free_huge_page -> __hugetlb_vmemmap_restore_folio -> static_key_slow_dec -> cpus_read_lock (acquiring cpu_hotplug_lock while pcp_batch_high_lock is held)
  • Look for kernel crash/hang events with 5 locks held by a process (sb_writers, of->mutex, kn->active, mf_mutex, pcp_batch_high_lock) as a signature of this deadlock scenario
  • Vulnerability only manifests when the hugetlb_optimize_vmemmap kernel feature is enabled; systems without this feature active are not affected by this deadlock
  • Red Hat Enterprise Linux 8 is not affected; RHEL 9 kernel-rt is affected and addressed via RHSA-2024:9315
  • Debian fixed versions: bookworm fixed in 6.1.90-1, forky/sid/trixie fixed in 6.8.9-1; systems running kernel versions prior to these are vulnerable when hugetlb_optimize_vmemmap is active

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 5.5   | MEDIUM   | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv           |         | 6.8   | MEDIUM   |
vulncheck     |         | 5.5   | MEDIUM   |
vendor_debian |         | 5.5   | MEDIUM   |
vendor_msrc   |         | 5.5   | MEDIUM   |
vendor_redhat |         | 5.5   | MEDIUM   |
vendor_ubuntu |         | 4.6   | MEDIUM   |