CVE-2024-53160

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-53160
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53160.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-53160
Downstream
Related
Published
2024-12-24T11:29:00Z
Modified
2025-10-17T17:33:50.723810Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu
Details

In the Linux kernel, the following vulnerability has been resolved:

rcu/kvfree: Fix data-race in _modtimer / kvfreecallrcu

KCSAN reports a data race when access the krcp->monitorwork.timer.expires variable in the scheduledelayedmonitorwork() function:

<snip> BUG: KCSAN: data-race in _modtimer / kvfreecallrcu

read to 0xffff888237d1cce8 of 8 bytes by task 10149 on cpu 1: scheduledelayedmonitorwork kernel/rcu/tree.c:3520 [inline] kvfreecallrcu+0x3b8/0x510 kernel/rcu/tree.c:3839 trieupdateelem+0x47c/0x620 kernel/bpf/lpmtrie.c:441 bpfmapupdatevalue+0x324/0x350 kernel/bpf/syscall.c:203 genericmapupdatebatch+0x401/0x520 kernel/bpf/syscall.c:1849 bpfmapdobatch+0x28c/0x3f0 kernel/bpf/syscall.c:5143 _sysbpf+0x2e5/0x7a0 _dosysbpf kernel/bpf/syscall.c:5741 [inline] _sesysbpf kernel/bpf/syscall.c:5739 [inline] _x64sysbpf+0x43/0x50 kernel/bpf/syscall.c:5739 x64syscall+0x2625/0x2d60 arch/x86/include/generated/asm/syscalls64.h:322 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xc9/0x1c0 arch/x86/entry/common.c:83 entrySYSCALL64after_hwframe+0x77/0x7f

write to 0xffff888237d1cce8 of 8 bytes by task 56 on cpu 0: _modtimer+0x578/0x7f0 kernel/time/timer.c:1173 addtimerglobal+0x51/0x70 kernel/time/timer.c:1330 _queuedelayedwork+0x127/0x1a0 kernel/workqueue.c:2523 queuedelayedworkon+0xdf/0x190 kernel/workqueue.c:2552 queuedelayedwork include/linux/workqueue.h:677 [inline] scheduledelayedmonitorwork kernel/rcu/tree.c:3525 [inline] kfreercumonitor+0x5e8/0x660 kernel/rcu/tree.c:3643 processonework kernel/workqueue.c:3229 [inline] processscheduledworks+0x483/0x9a0 kernel/workqueue.c:3310 workerthread+0x51d/0x6f0 kernel/workqueue.c:3391 kthread+0x1d1/0x210 kernel/kthread.c:389 retfromfork+0x4b/0x60 arch/x86/kernel/process.c:147 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:244

Reported by Kernel Concurrency Sanitizer on: CPU: 0 UID: 0 PID: 56 Comm: kworker/u8:4 Not tainted 6.12.0-rc2-syzkaller-00050-g5b7c893ed5ed #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: eventsunbound kfreercu_monitor <snip>

kfreercumonitor() rearms the work if a "krcp" has to be still offloaded and this is done without holding krcp->lock, whereas the kvfreecallrcu() holds it.

Fix it by acquiring the "krcp->lock" for kfreercumonitor() so both functions do not race anymore.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8fc5494ad5face62747a3937db66b00db1e5d80b
Fixed
967a0e61910825d1fad009d836a6cb41f7402395
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8fc5494ad5face62747a3937db66b00db1e5d80b
Fixed
05b8ea1f16667f07c8e5843fb4bde3e49d49ead8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8fc5494ad5face62747a3937db66b00db1e5d80b
Fixed
5ced426d97ce84299ecfcc7bd8b38f975fd11089
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8fc5494ad5face62747a3937db66b00db1e5d80b
Fixed
a23da88c6c80e41e0503e0b481a22c9eea63f263

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.10
v6.11.2
v6.11.3
v6.11.4
v6.11.5
v6.11.6
v6.11.7
v6.11.8
v6.11.9
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.2
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "id": "CVE-2024-53160-3ff9f0b5",
        "target": {
            "file": "kernel/rcu/tree.c"
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "141894017335897843415369001308393281223",
                "221480073951633952059607043975346487363",
                "241564388278180638625850269457728695371",
                "233820628753855134852125540000035395615",
                "335758379625711869603593776336608836469",
                "182075666081627606132364223733187298974",
                "335530977699689495716505882470979344323",
                "202295538701269550965891199178058798877",
                "256248980767719777517043485959158496562",
                "149973340317197179854572649480743173364",
                "19381055888836101722789316863545763218"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@967a0e61910825d1fad009d836a6cb41f7402395"
    },
    {
        "id": "CVE-2024-53160-729cc67a",
        "target": {
            "file": "kernel/rcu/tree.c"
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "141894017335897843415369001308393281223",
                "221480073951633952059607043975346487363",
                "241564388278180638625850269457728695371",
                "233820628753855134852125540000035395615",
                "115962683584132091459617063963237298773",
                "24220924652689929285098501306410682368",
                "335530977699689495716505882470979344323",
                "202295538701269550965891199178058798877",
                "256248980767719777517043485959158496562",
                "149973340317197179854572649480743173364",
                "19381055888836101722789316863545763218"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5ced426d97ce84299ecfcc7bd8b38f975fd11089"
    },
    {
        "id": "CVE-2024-53160-de87bbba",
        "target": {
            "file": "kernel/rcu/tree.c"
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "141894017335897843415369001308393281223",
                "221480073951633952059607043975346487363",
                "241564388278180638625850269457728695371",
                "233820628753855134852125540000035395615",
                "335758379625711869603593776336608836469",
                "182075666081627606132364223733187298974",
                "335530977699689495716505882470979344323",
                "202295538701269550965891199178058798877",
                "256248980767719777517043485959158496562",
                "149973340317197179854572649480743173364",
                "19381055888836101722789316863545763218"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@05b8ea1f16667f07c8e5843fb4bde3e49d49ead8"
    },
    {
        "id": "CVE-2024-53160-e1f786f2",
        "target": {
            "file": "kernel/rcu/tree.c"
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "141894017335897843415369001308393281223",
                "221480073951633952059607043975346487363",
                "241564388278180638625850269457728695371",
                "233820628753855134852125540000035395615",
                "115962683584132091459617063963237298773",
                "24220924652689929285098501306410682368",
                "335530977699689495716505882470979344323",
                "202295538701269550965891199178058798877",
                "256248980767719777517043485959158496562",
                "149973340317197179854572649480743173364",
                "19381055888836101722789316863545763218"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a23da88c6c80e41e0503e0b481a22c9eea63f263"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.6.64
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.11.11
Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.2