{"id":"CVE-2024-39298","summary":"mm/memory-failure: fix handling of dissolved but not taken off from buddy pages","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix handling of dissolved but not taken off from buddy pages\n\nWhen I did memory failure tests recently, below panic occurs:\n\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\nraw: 06fffe0000000000 dead000000000100 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffffff 0000000000000000\npage dumped because: VM_BUG_ON_PAGE(!PageBuddy(page))\n------------[ cut here ]------------\nkernel BUG at include/linux/page-flags.h:1009!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nRIP: 0010:__del_page_from_free_list+0x151/0x180\nRSP: 0018:ffffa49c90437998 EFLAGS: 00000046\nRAX: 0000000000000035 RBX: 0000000000000009 RCX: ffff8dd8dfd1c9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8dd8dfd1c9c0\nRBP: ffffd901233b8000 R08: ffffffffab5511f8 R09: 0000000000008c69\nR10: 0000000000003c15 R11: ffffffffab5511f8 R12: ffff8dd8fffc0c80\nR13: 0000000000000001 R14: ffff8dd8fffc0c80 R15: 0000000000000009\nFS:  00007ff916304740(0000) GS:ffff8dd8dfd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055eae50124c8 CR3: 00000008479e0000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n __rmqueue_pcplist+0x23b/0x520\n get_page_from_freelist+0x26b/0xe40\n __alloc_pages_noprof+0x113/0x1120\n __folio_alloc_noprof+0x11/0xb0\n alloc_buddy_hugetlb_folio.isra.0+0x5a/0x130\n __alloc_fresh_hugetlb_folio+0xe7/0x140\n alloc_pool_huge_folio+0x68/0x100\n set_max_huge_pages+0x13d/0x340\n hugetlb_sysctl_handler_common+0xe8/0x110\n proc_sys_call_handler+0x194/0x280\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xc2/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff916114887\nRSP: 002b:00007ffec8a2fd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000055eae500e350 RCX: 00007ff916114887\nRDX: 0000000000000004 RSI: 000055eae500e390 RDI: 0000000000000003\nRBP: 000055eae50104c0 R08: 0000000000000000 R09: 000055eae50104c0\nR10: 0000000000000077 R11: 0000000000000246 R12: 0000000000000004\nR13: 0000000000000004 R14: 00007ff916216b80 R15: 00007ff916216a00\n \u003c/TASK\u003e\nModules linked in: mce_inject hwpoison_inject\n---[ end trace 0000000000000000 ]---\n\nAnd before the panic, there had an warning about bad page state:\n\nBUG: Bad page state in process page-types  pfn:8cee00\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\npage_type: 0xffffff7f(buddy)\nraw: 06fffe0000000000 ffffd901241c0008 ffffd901240f8008 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000\npage dumped because: nonzero mapcount\nModules linked in: mce_inject hwpoison_inject\nCPU: 8 PID: 154211 Comm: page-types Not tainted 6.9.0-rc4-00499-g5544ec3178e2-dirty #22\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x83/0xa0\n bad_page+0x63/0xf0\n free_unref_page+0x36e/0x5c0\n unpoison_memory+0x50b/0x630\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\n debugfs_attr_write+0x42/0x60\n full_proxy_write+0x5b/0x80\n vfs_write+0xcd/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xc2/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f189a514887\nRSP: 002b:00007ffdcd899718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f189a514887\nRDX: 0000000000000009 RSI: 00007ffdcd899730 RDI: 0000000000000003\nRBP: 00007ffdcd8997a0 R08: 0000000000000000 R09: 00007ffdcd8994b2\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdcda199a8\nR13: 0000000000404af1 R14: 000000000040ad78 R15: 00007f189a7a5040\n \u003c/TASK\u003e\n\nThe root cause should be the below race:\n\n memory_failure\n  try_memory_failure_hugetlb\n   me_huge_page\n    __page_handle_poison\n     dissolve_free_hugetlb_folio\n     drain_all_pages -- Buddy page can be isolated e.g. for compaction.\n     take_page_off_buddy -- Failed as page is not in the \n---truncated---","modified":"2026-04-02T12:16:58.068278Z","published":"2024-06-25T14:22:40.887Z","related":["MGASA-2024-0263","MGASA-2024-0266","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39298.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/00b0752c7f15dfdf129cacc6a27d61c54141182b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/41cd2de3c95020b7f86a3cb5fab42fbf454a63bd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8cf360b9d6a840700e06864236a01a883b34bbad"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bb9bb13ce64cc7cae47f5e2ab9ce93b7bfa0117e"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39298.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39298"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ceaf8fbea79a854373b9fc03c9fde98eb8712725"},{"fixed":"00b0752c7f15dfdf129cacc6a27d61c54141182b"},{"fixed":"bb9bb13ce64cc7cae47f5e2ab9ce93b7bfa0117e"},{"fixed":"41cd2de3c95020b7f86a3cb5fab42fbf454a63bd"},{"fixed":"8cf360b9d6a840700e06864236a01a883b34bbad"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39298.json"}}],"schema_version":"1.7.5"}