CVE-2022-48658

Commit 5a836bf6b09f ("mm: slub: move flushcpuslab() invocations freeslab() invocations out of IRQ context") moved all flushcpuslab() invocations to the global workqueue to avoid a problem related with deactivateslab()/freeslab() being called from an IRQ context on PREEMPTRT kernels.

When the flushallcpulocked() function is called from a task context it may happen that a workqueue with WQMEM_RECLAIM bit set ends up flushing the global workqueue, this will cause a dependency issue.

workqueue: WQMEMRECLAIM nvme-delete-wq:nvmedeletectrlwork [nvmecore] is flushing !WQMEMRECLAIM events:flushcpuslab WARNING: CPU: 37 PID: 410 at kernel/workqueue.c:2637 checkflushdependency+0x10a/0x120 Workqueue: nvme-delete-wq nvmedeletectrlwork [nvmecore] RIP: 0010:checkflushdependency+0x10a/0x120[ 453.262125] Call Trace: _flushwork.isra.0+0xbf/0x220 ? _queuework+0x1dc/0x420 flushallcpuslocked+0xfb/0x120 _kmemcacheshutdown+0x2b/0x320 kmemcachedestroy+0x49/0x100 biosetexit+0x143/0x190 blkreleasequeue+0xb9/0x100 kobjectcleanup+0x37/0x130 nvmefcctrlfree+0xc6/0x150 [nvmefc] nvmefreectrl+0x1ac/0x2b0 [nvme_core]

Fix this bug by creating a workqueue for the flush operation with the WQMEMRECLAIM bit set.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48658.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

5a836bf6b09f99ead1b69457ff39ab3011ece57b

Fixed

61703b248be993eb4997b00ae5d3318e6d8f3c5b

Fixed

df6cb39335cf5a1b918e8dbd8ba7cd9f1d00e45a

Fixed

e45cc288724f0cfd497bb5920bcfa60caa335729

Affected versions

v5.*

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.15.1

v5.15.10

v5.15.11

v5.15.12

v5.15.13

v5.15.14

v5.15.15

v5.15.16

v5.15.17

v5.15.18

v5.15.19

v5.15.2

v5.15.20

v5.15.21

v5.15.22

v5.15.23

v5.15.24

v5.15.25

v5.15.26

v5.15.27

v5.15.28

v5.15.29

v5.15.3

v5.15.30

v5.15.31

v5.15.32

v5.15.33

v5.15.34

v5.15.35

v5.15.36

v5.15.37

v5.15.38

v5.15.39

v5.15.4

v5.15.40

v5.15.41

v5.15.42

v5.15.43

v5.15.44

v5.15.45

v5.15.46

v5.15.47

v5.15.48

v5.15.49

v5.15.5

v5.15.50

v5.15.51

v5.15.52

v5.15.53

v5.15.54

v5.15.55

v5.15.56

v5.15.57

v5.15.58

v5.15.59

v5.15.6

v5.15.60

v5.15.61

v5.15.62

v5.15.63

v5.15.64

v5.15.65

v5.15.66

v5.15.67

v5.15.68

v5.15.69

v5.15.7

v5.15.70

v5.15.8

v5.15.9

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.17

v5.17-rc1

v5.17-rc2

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.19

v5.19-rc1

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v5.19.1

v5.19.10

v5.19.11

v5.19.2

v5.19.3

v5.19.4

v5.19.5

v5.19.6

v5.19.7

v5.19.8

v5.19.9

v6.*

v6.0-rc1

v6.0-rc2

Database specific

vanir_signatures

[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "250382171308800824080726518065099333706",
                "333763053365780776552483567709413511368",
                "170747052252694705551059237828894267341",
                "99499583704414981458827291034119215822",
                "178804029249720339835687356151012375199",
                "268326903485970762318815958582025440970",
                "146608216884342844463727609653006817472",
                "52454041172996786681917457486076416447",
                "71110407748499326351911455128710240440",
                "134121158576941512602948640909564362568",
                "184458165097729329433236209088862073825"
            ]
        },
        "id": "CVE-2022-48658-039c0fa6",
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@61703b248be993eb4997b00ae5d3318e6d8f3c5b",
        "target": {
            "file": "mm/slub.c"
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "digest": {
            "length": 28.0,
            "function_hash": "243241260315654151173211410925035820757"
        },
        "id": "CVE-2022-48658-4b009df9",
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@61703b248be993eb4997b00ae5d3318e6d8f3c5b",
        "target": {
            "function": "kmem_cache_init_late",
            "file": "mm/slub.c"
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "250382171308800824080726518065099333706",
                "333763053365780776552483567709413511368",
                "170747052252694705551059237828894267341",
                "99499583704414981458827291034119215822",
                "178804029249720339835687356151012375199",
                "268326903485970762318815958582025440970",
                "146608216884342844463727609653006817472",
                "52454041172996786681917457486076416447",
                "71110407748499326351911455128710240440",
                "134121158576941512602948640909564362568",
                "184458165097729329433236209088862073825"
            ]
        },
        "id": "CVE-2022-48658-7454325e",
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@df6cb39335cf5a1b918e8dbd8ba7cd9f1d00e45a",
        "target": {
            "file": "mm/slub.c"
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "digest": {
            "length": 28.0,
            "function_hash": "243241260315654151173211410925035820757"
        },
        "id": "CVE-2022-48658-bc27f1ca",
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@df6cb39335cf5a1b918e8dbd8ba7cd9f1d00e45a",
        "target": {
            "function": "kmem_cache_init_late",
            "file": "mm/slub.c"
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "digest": {
            "length": 548.0,
            "function_hash": "19966484360713691985485587976390776385"
        },
        "id": "CVE-2022-48658-bfbbe262",
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@61703b248be993eb4997b00ae5d3318e6d8f3c5b",
        "target": {
            "function": "flush_all_cpus_locked",
            "file": "mm/slub.c"
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "digest": {
            "length": 548.0,
            "function_hash": "19966484360713691985485587976390776385"
        },
        "id": "CVE-2022-48658-f33854d5",
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@df6cb39335cf5a1b918e8dbd8ba7cd9f1d00e45a",
        "target": {
            "function": "flush_all_cpus_locked",
            "file": "mm/slub.c"
        },
        "signature_version": "v1",
        "deprecated": false
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48658.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.15.0

Fixed

5.15.71

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

5.19.12

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48658.json"