In the Linux kernel, the following vulnerability has been resolved:
sched/core: Disable page allocation in task_tick_mm_cid()
With KASAN and PREEMPT_RT enabled, calling task_work_add() in task_tick_mm_cid() may cause the following splat.
[ 63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[ 63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe
[ 63.696416] preempt_count: 10001, expected: 0
[ 63.696416] RCU nest depth: 1, expected: 1
This problem is caused by the following call trace.
sched_tick()
[ acquire rq->lock ]
-> task_tick_mm_cid()
-> task_work_add()
-> __kasan_record_aux_stack()
-> kasan_save_stack()
-> stack_depot_save_flags()
-> alloc_pages_mpol_noprof()
-> __alloc_pages_noprof()
-> get_page_from_freelist()
-> rmqueue()
-> rmqueue_pcplist()
-> __rmqueue_pcplist()
-> rmqueue_bulk()
-> rt_spin_lock()
The rq lock is a raw_spinlock_t. We can't sleep while holding it. IOW, we can't call alloc_pages() in stack_depot_save_flags().
The task_tick_mm_cid() function with its task_work_add() call was introduced by commit 223baf9d17f2 ("sched: Fix performance regression introduced by mm_cid") in v6.4 kernel.
Fortunately, there is a kasan_record_aux_stack_noalloc() variant that calls stack_depot_save_flags() while not allowing it to allocate new pages. To allow task_tick_mm_cid() to use task_work without page allocation, a new TWAF_NO_ALLOC flag is added to enable calling kasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack() if set. The task_tick_mm_cid() function is modified to add this new flag.
The possible downside is the missing stack trace in a KASAN report due to new page allocation required when task_work_add_noalloc() is called which should be rare.
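As an added illustration, not part of this advisory and not the kernel's own code, the following user-space C model shows the shape of the fix described above: flag bits packed into the high byte of the task_work_add() notify argument, masked off before the mode is interpreted, and a TWAF_NO_ALLOC check that selects the non-allocating KASAN path. The numeric values of TWA_FLAGS and TWAF_NO_ALLOC, all model_* names, the in_atomic_depth counter and the return codes are assumptions of this model rather than kernel facts, and the "storing a trace always needs a fresh page" behaviour is constructed so that the pre-fix failure becomes visible.

```c
#include <stdbool.h>
#include <stdio.h>

/* Modelled on the kernel's notify-mode enum: modes in the low byte, flag
 * bits in the high byte so a flag can be ORed onto an existing mode.
 * The numeric values are assumptions of this model. */
enum model_notify_mode {
    TWA_NONE,
    TWA_RESUME,
    TWA_SIGNAL,
    TWA_FLAGS     = 0xff00, /* mask covering every flag bit (assumed) */
    TWAF_NO_ALLOC = 0x0100, /* "do not allocate pages for the KASAN stack" (assumed) */
};

/* Model return codes (the real kernel reports the sleep as a splat, not an errno). */
#define MODEL_OK               0
#define MODEL_EINVAL          -1
#define MODEL_SLEPT_IN_ATOMIC -2

/* Nonzero while the model holds a raw spinlock such as rq->lock. */
static int in_atomic_depth;

/* Whether the most recent work item got its KASAN aux stack stored. */
static bool last_recorded;

/* Model of stack_depot_save_flags(): constructed so that storing a trace
 * always needs a fresh page, which on PREEMPT_RT means taking a sleeping
 * lock inside the page allocator. */
static bool model_record_aux_stack(bool may_alloc, bool *slept_in_atomic)
{
    if (!may_alloc)
        return false;            /* noalloc variant: trace dropped, nothing sleeps */
    if (in_atomic_depth > 0)
        *slept_in_atomic = true; /* alloc_pages() -> rt_spin_lock() under rq->lock */
    return true;                 /* trace stored, at the cost of an allocation */
}

/* Model of task_work_add() after the fix: split flags from the mode first,
 * then choose the KASAN variant from TWAF_NO_ALLOC. */
static int model_task_work_add(unsigned int notify, bool *stack_recorded)
{
    unsigned int flags = notify & TWA_FLAGS;
    bool slept = false;

    notify &= ~TWA_FLAGS;
    if (notify > TWA_SIGNAL)
        return MODEL_EINVAL;     /* unknown mode; mirrors a reject path (assumed) */

    *stack_recorded = model_record_aux_stack(!(flags & TWAF_NO_ALLOC), &slept);
    return slept ? MODEL_SLEPT_IN_ATOMIC : MODEL_OK;
}

/* Model of task_tick_mm_cid(): runs with rq->lock held. 'fixed' selects the
 * pre-fix call (TWA_RESUME) or the patched call (TWA_RESUME | TWAF_NO_ALLOC). */
static int model_task_tick_mm_cid(bool fixed, bool *stack_recorded)
{
    unsigned int notify = fixed ? (TWA_RESUME | TWAF_NO_ALLOC) : TWA_RESUME;
    int rc;

    in_atomic_depth++;           /* rq->lock is a raw_spinlock_t: sleeping is forbidden */
    rc = model_task_work_add(notify, stack_recorded);
    in_atomic_depth--;
    return rc;
}

int main(void)
{
    int rc;

    rc = model_task_tick_mm_cid(false, &last_recorded);
    printf("before fix:  rc=%d stack_recorded=%d (slept under rq->lock)\n", rc, last_recorded);

    rc = model_task_tick_mm_cid(true, &last_recorded);
    printf("after fix:   rc=%d stack_recorded=%d (trace dropped instead)\n", rc, last_recorded);

    rc = model_task_work_add(TWA_RESUME, &last_recorded);
    printf("process ctx: rc=%d stack_recorded=%d (allocation is fine here)\n", rc, last_recorded);
    return 0;
}
```

The model makes the trade-off in the last paragraph of the commit message concrete: with TWAF_NO_ALLOC set, the call under rq->lock no longer sleeps, but a KASAN report for that work item may lack its aux stack; outside atomic context the allocating path is still used and the trace is kept.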
[
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"277259022160822223012449343992373520635",
"225702684753878854702430266950882881325",
"22963096831536171350588800684463490161",
"152363577690837480209230008081149893376",
"12246545270403063092223915457010157270",
"122901389996699392320409970626473627126",
"229274783175622076848989693155865352088",
"86425331960893415417175488870261825943",
"168589257202432961606689354369460519286"
]
},
"id": "CVE-2024-50140-0a46e8b2",
"target": {
"file": "kernel/task_work.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@509c29d0d26f68a6f6d0a05cb1a89725237e2b87",
"deprecated": false
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"297103916945780559057478268692296919527",
"22896904306929451985438265270936919257",
"5768649236373180103234837412894169337",
"309165278444463610374545732109284748133"
]
},
"id": "CVE-2024-50140-1fd3490b",
"target": {
"file": "kernel/sched/core.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@73ab05aa46b02d96509cb029a8d04fca7bbde8c7",
"deprecated": false
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"277259022160822223012449343992373520635",
"225702684753878854702430266950882881325",
"22963096831536171350588800684463490161",
"152363577690837480209230008081149893376",
"161657252128678899688733593641313404272",
"84253894985741049223142473326516640321",
"10548822295591465367809695468524610941",
"98257171008743572607353874445472436276",
"229274783175622076848989693155865352088",
"86425331960893415417175488870261825943",
"168589257202432961606689354369460519286"
]
},
"id": "CVE-2024-50140-38a095bc",
"target": {
"file": "kernel/task_work.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@73ab05aa46b02d96509cb029a8d04fca7bbde8c7",
"deprecated": false
},
{
"signature_type": "Function",
"digest": {
"length": 343.0,
"function_hash": "315540213609342928623956255473132387050"
},
"id": "CVE-2024-50140-45885b0c",
"target": {
"file": "kernel/sched/core.c",
"function": "task_tick_mm_cid"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@73ab05aa46b02d96509cb029a8d04fca7bbde8c7",
"deprecated": false
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"72985288841969875178899947037785331446",
"73469087417854634460185148547781337412",
"330792423574256753579761690168590056186",
"321568204561702068434323066059435933152",
"130759770694080032623550883182377743965",
"19976096688923318700410509089271753672",
"283102687181482823860361619307176421654",
"319236246247934167479779285678606200250"
]
},
"id": "CVE-2024-50140-467c6809",
"target": {
"file": "include/linux/task_work.h"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ce0241ef83eed55f675376e8a3605d23de53d875",
"deprecated": false
},
{
"signature_type": "Function",
"digest": {
"length": 802.0,
"function_hash": "146347733533734731959938894841514121457"
},
"id": "CVE-2024-50140-4d255e3d",
"target": {
"file": "kernel/task_work.c",
"function": "task_work_add"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ce0241ef83eed55f675376e8a3605d23de53d875",
"deprecated": false
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"277259022160822223012449343992373520635",
"225702684753878854702430266950882881325",
"22963096831536171350588800684463490161",
"152363577690837480209230008081149893376",
"161657252128678899688733593641313404272",
"84253894985741049223142473326516640321",
"10548822295591465367809695468524610941",
"98257171008743572607353874445472436276",
"229274783175622076848989693155865352088",
"86425331960893415417175488870261825943",
"168589257202432961606689354369460519286"
]
},
"id": "CVE-2024-50140-5a94b554",
"target": {
"file": "kernel/task_work.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ce0241ef83eed55f675376e8a3605d23de53d875",
"deprecated": false
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"72985288841969875178899947037785331446",
"73469087417854634460185148547781337412",
"330792423574256753579761690168590056186",
"321568204561702068434323066059435933152",
"130759770694080032623550883182377743965",
"19976096688923318700410509089271753672",
"283102687181482823860361619307176421654",
"319236246247934167479779285678606200250"
]
},
"id": "CVE-2024-50140-84273d67",
"target": {
"file": "include/linux/task_work.h"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@509c29d0d26f68a6f6d0a05cb1a89725237e2b87",
"deprecated": false
},
{
"signature_type": "Function",
"digest": {
"length": 343.0,
"function_hash": "315540213609342928623956255473132387050"
},
"id": "CVE-2024-50140-8f220fe7",
"target": {
"file": "kernel/sched/core.c",
"function": "task_tick_mm_cid"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@509c29d0d26f68a6f6d0a05cb1a89725237e2b87",
"deprecated": false
},
{
"signature_type": "Function",
"digest": {
"length": 802.0,
"function_hash": "146347733533734731959938894841514121457"
},
"id": "CVE-2024-50140-b2f60945",
"target": {
"file": "kernel/task_work.c",
"function": "task_work_add"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@73ab05aa46b02d96509cb029a8d04fca7bbde8c7",
"deprecated": false
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"297103916945780559057478268692296919527",
"22896904306929451985438265270936919257",
"5768649236373180103234837412894169337",
"309165278444463610374545732109284748133"
]
},
"id": "CVE-2024-50140-bfb278bb",
"target": {
"file": "kernel/sched/core.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ce0241ef83eed55f675376e8a3605d23de53d875",
"deprecated": false
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"297103916945780559057478268692296919527",
"22896904306929451985438265270936919257",
"5768649236373180103234837412894169337",
"309165278444463610374545732109284748133"
]
},
"id": "CVE-2024-50140-ce3e2189",
"target": {
"file": "kernel/sched/core.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@509c29d0d26f68a6f6d0a05cb1a89725237e2b87",
"deprecated": false
},
{
"signature_type": "Function",
"digest": {
"length": 714.0,
"function_hash": "227038446076355289955163757777817421377"
},
"id": "CVE-2024-50140-e01512fd",
"target": {
"file": "kernel/task_work.c",
"function": "task_work_add"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@509c29d0d26f68a6f6d0a05cb1a89725237e2b87",
"deprecated": false
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"72985288841969875178899947037785331446",
"73469087417854634460185148547781337412",
"330792423574256753579761690168590056186",
"321568204561702068434323066059435933152",
"130759770694080032623550883182377743965",
"19976096688923318700410509089271753672",
"283102687181482823860361619307176421654",
"319236246247934167479779285678606200250"
]
},
"id": "CVE-2024-50140-e50e4db7",
"target": {
"file": "include/linux/task_work.h"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@73ab05aa46b02d96509cb029a8d04fca7bbde8c7",
"deprecated": false
},
{
"signature_type": "Function",
"digest": {
"length": 343.0,
"function_hash": "315540213609342928623956255473132387050"
},
"id": "CVE-2024-50140-f3b4b135",
"target": {
"file": "kernel/sched/core.c",
"function": "task_tick_mm_cid"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ce0241ef83eed55f675376e8a3605d23de53d875",
"deprecated": false
}
]