Bug 2324865 (CVE-2024-50219)

Summary: CVE-2024-50219 kernel: mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
[REJECTED CVE] A vulnerability in the Linux kernel's memory management (mm/page_alloc) has been identified, where GFP_ATOMIC order-0 allocations could fail under memory pressure, despite available highatomic reserves. This issue caused packet loss in high-performance networking environments, as observed on Cloudflare's fleet. An attacker could theoretically exploit this by inducing high memory contention, potentially impacting real-time operations. However, since the fix ensures proper fallback behavior without introducing a security risk, the issue has been rejected as a CVE.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2325086    
Bug Blocks:    

Description OSIDB Bzimport 2024-11-09 11:02:03 UTC 
In the Linux kernel, the following vulnerability has been resolved:

mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves

Under memory pressure it's possible for GFP_ATOMIC order-0 allocations to
fail even though free pages are available in the highatomic reserves. 
GFP_ATOMIC allocations cannot trigger unreserve_highatomic_pageblock()
since it's only run from reclaim.

Given that such allocations will pass the watermarks in
__zone_watermark_unusable_free(), it makes sense to fallback to highatomic
reserves the same way that ALLOC_OOM can.

This fixes order-0 page allocation failures observed on Cloudflare's fleet
when handling network packets:

  kswapd1: page allocation failure: order:0, mode:0x820(GFP_ATOMIC),
  nodemask=(null),cpuset=/,mems_allowed=0-7
  CPU: 10 PID: 696 Comm: kswapd1 Kdump: loaded Tainted: G           O 6.6.43-CUSTOM #1
  Hardware name: MACHINE
  Call Trace:
   <IRQ>
   dump_stack_lvl+0x3c/0x50
   warn_alloc+0x13a/0x1c0
   __alloc_pages_slowpath.constprop.0+0xc9d/0xd10
   __alloc_pages+0x327/0x340
   __napi_alloc_skb+0x16d/0x1f0
   bnxt_rx_page_skb+0x96/0x1b0 [bnxt_en]
   bnxt_rx_pkt+0x201/0x15e0 [bnxt_en]
   __bnxt_poll_work+0x156/0x2b0 [bnxt_en]
   bnxt_poll+0xd9/0x1c0 [bnxt_en]
   __napi_poll+0x2b/0x1b0
   bpf_trampoline_6442524138+0x7d/0x1000
   __napi_poll+0x5/0x1b0
   net_rx_action+0x342/0x740
   handle_softirqs+0xcf/0x2b0
   irq_exit_rcu+0x6c/0x90
   sysvec_apic_timer_interrupt+0x72/0x90
   </IRQ>

[mfleming: update comment]
  Link: https://lkml.kernel.org/r/20241015125158.3597702-1-matt@readmodwrite.com
Comment 1 Avinash Hanwate 2024-11-11 04:50:13 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024110925-CVE-2024-50219-c970@gregkh/T
Comment 2 TEJ RATHI 2025-02-24 11:00:18 UTC 
This CVE has been rejected upstream:
https://lore.kernel.org/linux-cve-announce/2024111115-REJECTED-9c6e@gregkh/
Comment 3 errata-xmlrpc 2025-05-13 08:34:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:6966 https://access.redhat.com/errata/RHSA-2025:6966