cve/published/2024/CVE-2024-53160.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53160: rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu

 KCSAN reports a data race when access the krcp->monitor_work.timer.expires
 variable in the schedule_delayed_monitor_work() function:

 <snip>
 BUG: KCSAN: data-race in __mod_timer / kvfree_call_rcu

 read to 0xffff888237d1cce8 of 8 bytes by task 10149 on cpu 1:
  schedule_delayed_monitor_work kernel/rcu/tree.c:3520 [inline]
  kvfree_call_rcu+0x3b8/0x510 kernel/rcu/tree.c:3839
  trie_update_elem+0x47c/0x620 kernel/bpf/lpm_trie.c:441
  bpf_map_update_value+0x324/0x350 kernel/bpf/syscall.c:203
  generic_map_update_batch+0x401/0x520 kernel/bpf/syscall.c:1849
  bpf_map_do_batch+0x28c/0x3f0 kernel/bpf/syscall.c:5143
  __sys_bpf+0x2e5/0x7a0
  __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
  __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
  __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5739
  x64_sys_call+0x2625/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:322
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 write to 0xffff888237d1cce8 of 8 bytes by task 56 on cpu 0:
  __mod_timer+0x578/0x7f0 kernel/time/timer.c:1173
  add_timer_global+0x51/0x70 kernel/time/timer.c:1330
  __queue_delayed_work+0x127/0x1a0 kernel/workqueue.c:2523
  queue_delayed_work_on+0xdf/0x190 kernel/workqueue.c:2552
  queue_delayed_work include/linux/workqueue.h:677 [inline]
  schedule_delayed_monitor_work kernel/rcu/tree.c:3525 [inline]
  kfree_rcu_monitor+0x5e8/0x660 kernel/rcu/tree.c:3643
  process_one_work kernel/workqueue.c:3229 [inline]
  process_scheduled_works+0x483/0x9a0 kernel/workqueue.c:3310
  worker_thread+0x51d/0x6f0 kernel/workqueue.c:3391
  kthread+0x1d1/0x210 kernel/kthread.c:389
  ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

 Reported by Kernel Concurrency Sanitizer on:
 CPU: 0 UID: 0 PID: 56 Comm: kworker/u8:4 Not tainted 6.12.0-rc2-syzkaller-00050-g5b7c893ed5ed #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
 Workqueue: events_unbound kfree_rcu_monitor
 <snip>

 kfree_rcu_monitor() rearms the work if a "krcp" has to be still
 offloaded and this is done without holding krcp->lock, whereas
 the kvfree_call_rcu() holds it.

 Fix it by acquiring the "krcp->lock" for kfree_rcu_monitor() so
 both functions do not race anymore.

 The Linux kernel CVE team has assigned CVE-2024-53160 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.3 with commit 8fc5494ad5face62747a3937db66b00db1e5d80b and fixed in 6.6.64 with commit 967a0e61910825d1fad009d836a6cb41f7402395
 	Issue introduced in 6.3 with commit 8fc5494ad5face62747a3937db66b00db1e5d80b and fixed in 6.11.11 with commit 05b8ea1f16667f07c8e5843fb4bde3e49d49ead8
 	Issue introduced in 6.3 with commit 8fc5494ad5face62747a3937db66b00db1e5d80b and fixed in 6.12.2 with commit 5ced426d97ce84299ecfcc7bd8b38f975fd11089
 	Issue introduced in 6.3 with commit 8fc5494ad5face62747a3937db66b00db1e5d80b and fixed in 6.13 with commit a23da88c6c80e41e0503e0b481a22c9eea63f263

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53160
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/rcu/tree.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/967a0e61910825d1fad009d836a6cb41f7402395
 	https://git.kernel.org/stable/c/05b8ea1f16667f07c8e5843fb4bde3e49d49ead8
 	https://git.kernel.org/stable/c/5ced426d97ce84299ecfcc7bd8b38f975fd11089
 	https://git.kernel.org/stable/c/a23da88c6c80e41e0503e0b481a22c9eea63f263
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53160: rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu

	KCSAN reports a data race when access the krcp->monitor_work.timer.expires
	variable in the schedule_delayed_monitor_work() function:

	<snip>
	BUG: KCSAN: data-race in __mod_timer / kvfree_call_rcu

	read to 0xffff888237d1cce8 of 8 bytes by task 10149 on cpu 1:
	schedule_delayed_monitor_work kernel/rcu/tree.c:3520 [inline]
	kvfree_call_rcu+0x3b8/0x510 kernel/rcu/tree.c:3839
	trie_update_elem+0x47c/0x620 kernel/bpf/lpm_trie.c:441
	bpf_map_update_value+0x324/0x350 kernel/bpf/syscall.c:203
	generic_map_update_batch+0x401/0x520 kernel/bpf/syscall.c:1849
	bpf_map_do_batch+0x28c/0x3f0 kernel/bpf/syscall.c:5143
	__sys_bpf+0x2e5/0x7a0
	__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
	__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
	__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5739
	x64_sys_call+0x2625/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:322
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	write to 0xffff888237d1cce8 of 8 bytes by task 56 on cpu 0:
	__mod_timer+0x578/0x7f0 kernel/time/timer.c:1173
	add_timer_global+0x51/0x70 kernel/time/timer.c:1330
	__queue_delayed_work+0x127/0x1a0 kernel/workqueue.c:2523
	queue_delayed_work_on+0xdf/0x190 kernel/workqueue.c:2552
	queue_delayed_work include/linux/workqueue.h:677 [inline]
	schedule_delayed_monitor_work kernel/rcu/tree.c:3525 [inline]
	kfree_rcu_monitor+0x5e8/0x660 kernel/rcu/tree.c:3643
	process_one_work kernel/workqueue.c:3229 [inline]
	process_scheduled_works+0x483/0x9a0 kernel/workqueue.c:3310
	worker_thread+0x51d/0x6f0 kernel/workqueue.c:3391
	kthread+0x1d1/0x210 kernel/kthread.c:389
	ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147
	ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

	Reported by Kernel Concurrency Sanitizer on:
	CPU: 0 UID: 0 PID: 56 Comm: kworker/u8:4 Not tainted 6.12.0-rc2-syzkaller-00050-g5b7c893ed5ed #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
	Workqueue: events_unbound kfree_rcu_monitor
	<snip>

	kfree_rcu_monitor() rearms the work if a "krcp" has to be still
	offloaded and this is done without holding krcp->lock, whereas
	the kvfree_call_rcu() holds it.

	Fix it by acquiring the "krcp->lock" for kfree_rcu_monitor() so
	both functions do not race anymore.

	The Linux kernel CVE team has assigned CVE-2024-53160 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.3 with commit 8fc5494ad5face62747a3937db66b00db1e5d80b and fixed in 6.6.64 with commit 967a0e61910825d1fad009d836a6cb41f7402395
	Issue introduced in 6.3 with commit 8fc5494ad5face62747a3937db66b00db1e5d80b and fixed in 6.11.11 with commit 05b8ea1f16667f07c8e5843fb4bde3e49d49ead8
	Issue introduced in 6.3 with commit 8fc5494ad5face62747a3937db66b00db1e5d80b and fixed in 6.12.2 with commit 5ced426d97ce84299ecfcc7bd8b38f975fd11089
	Issue introduced in 6.3 with commit 8fc5494ad5face62747a3937db66b00db1e5d80b and fixed in 6.13 with commit a23da88c6c80e41e0503e0b481a22c9eea63f263

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53160
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/rcu/tree.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/967a0e61910825d1fad009d836a6cb41f7402395
	https://git.kernel.org/stable/c/05b8ea1f16667f07c8e5843fb4bde3e49d49ead8
	https://git.kernel.org/stable/c/5ced426d97ce84299ecfcc7bd8b38f975fd11089
	https://git.kernel.org/stable/c/a23da88c6c80e41e0503e0b481a22c9eea63f263