1.5 KiB
CVE-2024-42316
Description
In the Linux kernel, the following vulnerability has been resolved:mm/mglru: fix div-by-zero in vmpressure_calc_level()evict_folios() uses a second pass to reclaim folios that have gone throughpage writeback and become clean before it finishes the first pass, sincefolio_rotate_reclaimable() cannot handle those folios due to theisolation.The second pass tries to avoid potential double counting by deductingscan_control->nr_scanned. However, this can result in underflow ofnr_scanned, under a condition where shrink_folio_list() does not incrementnr_scanned, i.e., when folio_trylock() fails.The underflow can cause the divisor, i.e., scale=scanned+reclaimed invmpressure_calc_level(), to become zero, resulting in the following crash: [exception RIP: vmpressure_work_fn+101] process_one_work at ffffffffa3313f2bSince scan_control->nr_scanned has no established semantics, the potentialdouble counting has minimal risks. Therefore, fix the problem by notdeducting scan_control->nr_scanned in evict_folios().
POC
Reference
No PoCs from references.