In the Linux kernel, the following vulnerability has been resolved:
riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context
__kernel_map_pages() is a debug function which clears the valid bit in page
table entry for deallocated pages to detect illegal memory accesses to
freed pages.
This function set/clear the valid bit using __set_memory(). __set_memory()
acquires init_mm's semaphore, and this operation may sleep. This is
problematic, because __kernel_map_pages() can be called in atomic context,
and thus is illegal to sleep. An example warning that this causes:
BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd
preempt_count: 2, expected: 0
CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[] dump_backtrace+0x1c/0x24
[] show_stack+0x2c/0x38
[] dump_stack_lvl+0x5a/0x72
[] dump_stack+0x14/0x1c
[] __might_resched+0x104/0x10e
[] __might_sleep+0x3e/0x62
[] down_write+0x20/0x72
[] __set_memory+0x82/0x2fa
[] __kernel_map_pages+0x5a/0xd4
[] __alloc_pages_bulk+0x3b2/0x43a
[] __vmalloc_node_range+0x196/0x6ba
[] copy_process+0x72c/0x17ec
[] kernel_clone+0x60/0x2fe
[] kernel_thread+0x82/0xa0
[] kthreadd+0x14a/0x1be
[] ret_from_fork+0xe/0x1c
Rewrite this function with apply_to_existing_page_range(). It is fine to
not have any locking, because __kernel_map_pages() works with pages being
allocated/deallocated and those pages are not changed by anyone else in the
meantime.
References
In the Linux kernel, the following vulnerability has been resolved:
riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context
__kernel_map_pages() is a debug function which clears the valid bit in page
table entry for deallocated pages to detect illegal memory accesses to
freed pages.
This function set/clear the valid bit using __set_memory(). __set_memory()
acquires init_mm's semaphore, and this operation may sleep. This is
problematic, because __kernel_map_pages() can be called in atomic context,
and thus is illegal to sleep. An example warning that this causes:
BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd
preempt_count: 2, expected: 0
CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[] dump_backtrace+0x1c/0x24
[] show_stack+0x2c/0x38
[] dump_stack_lvl+0x5a/0x72
[] dump_stack+0x14/0x1c
[] __might_resched+0x104/0x10e
[] __might_sleep+0x3e/0x62
[] down_write+0x20/0x72
[] __set_memory+0x82/0x2fa
[] __kernel_map_pages+0x5a/0xd4
[] __alloc_pages_bulk+0x3b2/0x43a
[] __vmalloc_node_range+0x196/0x6ba
[] copy_process+0x72c/0x17ec
[] kernel_clone+0x60/0x2fe
[] kernel_thread+0x82/0xa0
[] kthreadd+0x14a/0x1be
[] ret_from_fork+0xe/0x1c
Rewrite this function with apply_to_existing_page_range(). It is fine to
not have any locking, because __kernel_map_pages() works with pages being
allocated/deallocated and those pages are not changed by anyone else in the
meantime.
References