{"id":"CVE-2024-26989","summary":"arm64: hibernate: Fix level3 translation fault in swsusp_save()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64: hibernate: Fix level3 translation fault in swsusp_save()\n\nOn arm64 machines, swsusp_save() faults if it attempts to access\nMEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI\nwhen booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n:\n\n  Unable to handle kernel paging request at virtual address ffffff8000000000\n  Mem abort info:\n    ESR = 0x0000000096000007\n    EC = 0x25: DABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n    FSC = 0x07: level 3 translation fault\n  Data abort info:\n    ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n    CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n  swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000\n  [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000\n  Internal error: Oops: 0000000096000007 [#1] SMP\n  Internal error: Oops: 0000000096000007 [#1] SMP\n  Modules linked in: xt_multiport ipt_REJECT nf_reject_ipv4 xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter rfkill at803x snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg dwmac_generic stmmac_platform snd_hda_codec stmmac joydev pcs_xpcs snd_hda_core phylink ppdev lp parport ramoops reed_solomon ip_tables x_tables nls_iso8859_1 vfat multipath linear amdgpu amdxcp drm_exec gpu_sched drm_buddy hid_generic usbhid hid radeon video drm_suballoc_helper drm_ttm_helper ttm i2c_algo_bit drm_display_helper cec drm_kms_helper drm\n  CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76\n  Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0\n  Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021\n  pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : swsusp_save+0x280/0x538\n  lr : swsusp_save+0x280/0x538\n  sp : ffffffa034a3fa40\n  x29: ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000\n  x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000\n  x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2\n  x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000\n  x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666\n  x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea\n  x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0\n  x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001\n  x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027\n  x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e\n  Call trace:\n   swsusp_save+0x280/0x538\n   swsusp_arch_suspend+0x148/0x190\n   hibernation_snapshot+0x240/0x39c\n   hibernate+0xc4/0x378\n   state_store+0xf0/0x10c\n   kobj_attr_store+0x14/0x24\n\nThe reason is swsusp_save() -\u003e copy_data_pages() -\u003e page_is_saveable()\n-\u003e kernel_page_present() assuming that a page is always present when\ncan_set_direct_map() is false (all of rodata_full,\ndebug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false),\nirrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions\nshould not be saved during hibernation.\n\nThis problem was introduced by changes to the pfn_valid() logic in\ncommit a7d9f306ba70 (\"arm64: drop pfn_valid_within() and simplify\npfn_valid()\").\n\nSimilar to other architectures, drop the !can_set_direct_map() check in\nkernel_page_present() so that page_is_savable() skips such pages.\n\n[catalin.marinas@arm.com: rework commit message]","modified":"2026-04-02T10:06:39.733935Z","published":"2024-05-01T05:27:44.067Z","related":["MGASA-2024-0263","MGASA-2024-0266","SUSE-SU-2024:2008-1","SUSE-SU-2024:2019-1","SUSE-SU-2024:2135-1","SUSE-SU-2024:2190-1","SUSE-SU-2024:2203-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20249-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26989.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/022b19ebc31cce369c407617041a3db810db23b3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/31f815cb436082e72d34ed2e8a182140a73ebdf4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/50449ca66cc5a8cbc64749cf4b9f3d3fc5f4b457"},{"type":"WEB","url":"https://git.kernel.org/stable/c/813f5213f2c612dc800054859aaa396ec8ad7069"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f7e71a7cf399f53ff9fc314ca3836dc913b05bd6"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26989.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26989"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a7d9f306ba7052056edf9ccae596aeb400226af8"},{"fixed":"813f5213f2c612dc800054859aaa396ec8ad7069"},{"fixed":"f7e71a7cf399f53ff9fc314ca3836dc913b05bd6"},{"fixed":"31f815cb436082e72d34ed2e8a182140a73ebdf4"},{"fixed":"022b19ebc31cce369c407617041a3db810db23b3"},{"fixed":"50449ca66cc5a8cbc64749cf4b9f3d3fc5f4b457"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26989.json"}}],"schema_version":"1.7.5"}