{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-56673","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-27T15:00:39.845Z","datePublished":"2024-12-27T15:06:34.280Z","dateUpdated":"2025-10-01T20:07:08.957Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T10:01:50.091Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: mm: Do not call pmd dtor on vmemmap page table teardown\n\nThe vmemmap's, which is used for RV64 with SPARSEMEM_VMEMMAP, page\ntables are populated using pmd (page middle directory) hugetables.\nHowever, the pmd allocation is not using the generic mechanism used by\nthe VMA code (e.g. pmd_alloc()), or the RISC-V specific\ncreate_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table\ncode allocates a page, and calls vmemmap_set_pmd(). This results in\nthat the pmd ctor is *not* called, nor would it make sense to do so.\n\nNow, when tearing down a vmemmap page table pmd, the cleanup code\nwould unconditionally, and incorrectly call the pmd dtor, which\nresults in a crash (best case).\n\nThis issue was found when running the HMM selftests:\n\n  | tools/testing/selftests/mm# ./test_hmm.sh smoke\n  | ... # when unloading the test_hmm.ko module\n  | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b\n  | flags: 0x1000000000000000(node=0|zone=1)\n  | raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000\n  | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n  | page dumped because: VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte)\n  | ------------[ cut here ]------------\n  | kernel BUG at include/linux/mm.h:3080!\n  | Kernel BUG [#1]\n  | Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod\n  | CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G        W          6.12.0-00982-gf2a4f1682d07 #2\n  | Tainted: [W]=WARN\n  | Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024\n  | epc : remove_pgd_mapping+0xbec/0x1070\n  |  ra : remove_pgd_mapping+0xbec/0x1070\n  | epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940\n  |  gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04\n  |  t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50\n  |  s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008\n  |  a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000\n  |  a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8\n  |  s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000\n  |  s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000\n  |  s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0\n  |  s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00\n  |  t5 : ff60000080244000 t6 : ff20000000a73708\n  | status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003\n  | [<ffffffff80010a68>] remove_pgd_mapping+0xbec/0x1070\n  | [<ffffffff80fd238e>] vmemmap_free+0x14/0x1e\n  | [<ffffffff8032e698>] section_deactivate+0x220/0x452\n  | [<ffffffff8032ef7e>] sparse_remove_section+0x4a/0x58\n  | [<ffffffff802f8700>] __remove_pages+0x7e/0xba\n  | [<ffffffff803760d8>] memunmap_pages+0x2bc/0x3fe\n  | [<ffffffff02a3ca28>] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm]\n  | [<ffffffff02a3e026>] hmm_dmirror_exit+0x3e/0x1018 [test_hmm]\n  | [<ffffffff80102c14>] __riscv_sys_delete_module+0x15a/0x2a6\n  | [<ffffffff80fd020c>] do_trap_ecall_u+0x1f2/0x266\n  | [<ffffffff80fde0a2>] _new_vmalloc_restore_context_a0+0xc6/0xd2\n  | Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597\n  | ---[ end trace 0000000000000000 ]---\n  | Kernel panic - not syncing: Fatal exception in interrupt\n\nAdd a check to avoid calling the pmd dtor, if the calling context is\nvmemmap_free()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/riscv/mm/init.c"],"versions":[{"version":"c75a74f4ba19c904c0ae1e011ae2568449409ae4","lessThan":"344945806f2f7af68be98bac02836c867f223aa9","status":"affected","versionType":"git"},{"version":"c75a74f4ba19c904c0ae1e011ae2568449409ae4","lessThan":"21f1b85c8912262adf51707e63614a114425eb10","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/riscv/mm/init.c"],"versions":[{"version":"6.11","status":"affected"},{"version":"0","lessThan":"6.11","status":"unaffected","versionType":"semver"},{"version":"6.12.6","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.12.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/344945806f2f7af68be98bac02836c867f223aa9"},{"url":"https://git.kernel.org/stable/c/21f1b85c8912262adf51707e63614a114425eb10"}],"title":"riscv: mm: Do not call pmd dtor on vmemmap page table teardown","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2024-56673","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2025-10-01T19:59:31.187588Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","description":"CWE-noinfo Not enough information"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T20:07:08.957Z"}}]}}