CVE-2024-56610

Summary

In the Linux kernel, the following vulnerability has been resolved:

kcsan: Turn report_filterlist_lock into a raw_spinlock

Ran Xiaokai reports that with a KCSAN-enabled PREEMPT_RT kernel, we can see splats like:

| BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 | preempt_count: 10002, expected: 0 | RCU nest depth: 0, expected: 0 | no locks held by swapper/1/0. | irq event stamp: 156674 | hardirqs last enabled at (156673): [<ffffffff81130bd9>] do_idle+0x1f9/0x240 | hardirqs last disabled at (156674): [<ffffffff82254f84>] sysvec_apic_timer_interrupt+0x14/0xc0 | softirqs last enabled at (0): [<ffffffff81099f47>] copy_process+0xfc7/0x4b60 | softirqs last disabled at (0): [<0000000000000000>] 0x0 | Preemption disabled at: | [<ffffffff814a3e2a>] paint_ptr+0x2a/0x90 | CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.11.0+ #3 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 | Call Trace: | <IRQ> | dump_stack_lvl+0x7e/0xc0 | dump_stack+0x1d/0x30 | __might_resched+0x1a2/0x270 | rt_spin_lock+0x68/0x170 | kcsan_skip_report_debugfs+0x43/0xe0 | print_report+0xb5/0x590 | kcsan_report_known_origin+0x1b1/0x1d0 | kcsan_setup_watchpoint+0x348/0x650 | __tsan_unaligned_write1+0x16d/0x1d0 | hrtimer_interrupt+0x3d6/0x430 | __sysvec_apic_timer_interrupt+0xe8/0x3a0 | sysvec_apic_timer_interrupt+0x97/0xc0 | </IRQ>

On a detected data race, KCSAN's reporting logic checks if it should filter the report. That list is protected by the report_filterlist_lock non-raw spinlock which may sleep on RT kernels.

Since KCSAN may report data races in any context, convert it to a raw_spinlock.

This requires being careful about when to allocate memory for the filter list itself which can be done via KCSAN's debugfs interface. Concurrent modification of the filter list via debugfs should be rare: the chosen strategy is to optimistically pre-allocate memory before the critical section and discard if unused.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxdfd402a4c4baae42398ce9180ff424d589b8bffc < f4f2ef66d288ea796ddb8ecbdc2df074ab2d5f4daffected
LinuxLinuxdfd402a4c4baae42398ce9180ff424d589b8bffc < ea6588abcc15d68fdeae777ffe3dd74c02eab407affected
LinuxLinuxdfd402a4c4baae42398ce9180ff424d589b8bffc < 0ab4951c1473c7d1ceaf1232eb927109cd1c4859affected
LinuxLinuxdfd402a4c4baae42398ce9180ff424d589b8bffc < dca4e74a918586913d251c0b359e8cc96a3883eaaffected
LinuxLinuxdfd402a4c4baae42398ce9180ff424d589b8bffc < 889a0d3a35fdedba1c5dcb6410c95c32421680ecaffected
LinuxLinuxdfd402a4c4baae42398ce9180ff424d589b8bffc < 59458fa4ddb47e7891c61b4a928d13d5f5b00aa0affected
LinuxLinux5.8affected
LinuxLinux0 < 5.8unaffected
LinuxLinux5.10.231 <= 5.10.*unaffected
LinuxLinux5.15.174 <= 5.15.*unaffected
LinuxLinux6.1.120 <= 6.1.*unaffected
LinuxLinux6.6.66 <= 6.6.*unaffected
LinuxLinux6.12.5 <= 6.12.*unaffected
LinuxLinux6.13 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References