CVE-2024-50140

[ 63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlockrt.c:48 [ 63.696416] inatomic(): 1, irqsdisabled(): 1, nonblock: 0, pid: 610, name: modprobe [ 63.696416] preempt_count: 10001, expected: 0 [ 63.696416] RCU nest depth: 1, expected: 1

This problem is caused by the following call trace.

schedtick() [ acquire rq->lock ] -> tasktickmmcid() -> taskworkadd() -> _kasanrecordauxstack() -> kasansavestack() -> stackdepotsaveflags() -> allocpagesmpolnoprof() -> _allocpagesnoprof() -> getpagefromfreelist() -> rmqueue() -> rmqueuepcplist() -> _rmqueuepcplist() -> rmqueuebulk() -> rtspinlock()

The rq lock is a rawspinlockt. We can't sleep while holding it. IOW, we can't call allocpages() in stackdepotsaveflags().

The tasktickmmcid() function with its taskworkadd() call was introduced by commit 223baf9d17f2 ("sched: Fix performance regression introduced by mmcid") in v6.4 kernel.

Fortunately, there is a kasanrecordauxstacknoalloc() variant that calls stackdepotsaveflags() while not allowing it to allocate new pages. To allow tasktickmmcid() to use taskwork without page allocation, a new TWAFNOALLOC flag is added to enable calling kasanrecordauxstacknoalloc() instead of kasanrecordauxstack() if set. The tasktickmm_cid() function is modified to add this new flag.

The possible downside is the missing stack trace in a KASAN report due to new page allocation required when taskworkadd_noallloc() is called which should be rare.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

223baf9d17f25e2608dbdff7232c095c1e612268

Fixed

509c29d0d26f68a6f6d0a05cb1a89725237e2b87

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

223baf9d17f25e2608dbdff7232c095c1e612268

Fixed

ce0241ef83eed55f675376e8a3605d23de53d875

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

223baf9d17f25e2608dbdff7232c095c1e612268

Fixed

73ab05aa46b02d96509cb029a8d04fca7bbde8c7

Affected versions

v6.*

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.11.1

v6.11.2

v6.11.3

v6.11.4

v6.11.5

v6.12-rc1

v6.3

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.24

v6.6.25

v6.6.26

v6.6.27

v6.6.28

v6.6.29

v6.6.3

v6.6.30

v6.6.31

v6.6.32

v6.6.33

v6.6.34

v6.6.35

v6.6.36

v6.6.37

v6.6.38

v6.6.39

v6.6.4

v6.6.40

v6.6.41

v6.6.42

v6.6.43

v6.6.44

v6.6.45

v6.6.46

v6.6.47

v6.6.48

v6.6.49

v6.6.5

v6.6.50

v6.6.51

v6.6.52

v6.6.53

v6.6.54

v6.6.55

v6.6.56

v6.6.57

v6.6.58

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4.0

Fixed

6.6.59

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.11.6