CVE-2024-49866
Severity CVSS v4.0: Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 21/10/2024
Last modified: 03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

tracing/timerlat: Fix a race during cpuhp processing

Another exception was found where the "timerlat/1" thread was
scheduled on CPU0, which finally led to timer corruption:

```
ODEBUG: init active (active state 0) object: ffff888237c2e108 object type: hrtimer hint: timerlat_irq+0x0/0x220
WARNING: CPU: 0 PID: 426 at lib/debugobjects.c:518 debug_print_object+0x7d/0xb0
Modules linked in:
CPU: 0 UID: 0 PID: 426 Comm: timerlat/1 Not tainted 6.11.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:debug_print_object+0x7d/0xb0
...
Call Trace:
 ? __warn+0x7c/0x110
 ? debug_print_object+0x7d/0xb0
 ? report_bug+0xf1/0x1d0
 ? prb_read_valid+0x17/0x20
 ? handle_bug+0x3f/0x70
 ? exc_invalid_op+0x13/0x60
 ? asm_exc_invalid_op+0x16/0x20
 ? debug_print_object+0x7d/0xb0
 ? debug_print_object+0x7d/0xb0
 ? __pfx_timerlat_irq+0x10/0x10
 __debug_object_init+0x110/0x150
 hrtimer_init+0x1d/0x60
 timerlat_main+0xab/0x2d0
 ? __pfx_timerlat_main+0x10/0x10
 kthread+0xb7/0xe0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2d/0x40
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
```

After tracing the scheduling event, it was discovered that the migration
of the "timerlat/1" thread was performed during thread creation. Further
analysis confirmed that it is because the CPU online processing for
osnoise is implemented through workers, which is asynchronous with the
offline processing. When the worker was scheduled to create a thread, the
CPU may have already been removed from the cpu_online_mask during the offline
process, resulting in the inability to select the right CPU:

```
T1                         | T2
[CPUHP_ONLINE]             | cpu_device_down()
osnoise_hotplug_workfn()   |
                           | cpus_write_lock()
                           | takedown_cpu(1)
                           | cpus_write_unlock()
[CPUHP_OFFLINE]            |
cpus_read_lock()           |
start_kthread(1)           |
cpus_read_unlock()         |
```

To fix this, skip online processing if the CPU is already offline.
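The interleaving in the commit message, replayed as a user-space model. This is an added example, not kernel code and not the upstream patch: `cpu_online_mask`, `cpus_read_lock()`, `cpu_device_down()` and `start_kthread()` are stand-ins named after the diagram, the hotplug lock is modelled as one spinlock, and the fixed worker implements the fix as the commit describes it in prose (an `if (!cpu_online(cpu))` check taken under the read lock), which is an assumption about the exact shape of the upstream change. The unfixed worker shows why holding `cpus_read_lock()` alone is not enough: the lock orders the two paths, but the worker still has to look at the mask after acquiring it.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define NR_CPUS 4

/* Stand-in for cpu_online_mask; writers hold the hotplug lock. */
static bool cpu_online_mask[NR_CPUS];

/* The hotplug lock, modelled as a single spinlock for this example. */
static atomic_flag cpu_hotplug_lock = ATOMIC_FLAG_INIT;
static void hotplug_lock(void)   { while (atomic_flag_test_and_set(&cpu_hotplug_lock)) ; }
static void hotplug_unlock(void) { atomic_flag_clear(&cpu_hotplug_lock); }
static void cpus_write_lock(void)   { hotplug_lock(); }
static void cpus_write_unlock(void) { hotplug_unlock(); }
static void cpus_read_lock(void)    { hotplug_lock(); }
static void cpus_read_unlock(void)  { hotplug_unlock(); }

/* Only meaningful while the hotplug lock is held. */
static bool cpu_online(int cpu) { return cpu_online_mask[cpu]; }

/* Offline path from the diagram: cpu_device_down() -> takedown_cpu(cpu). */
static void cpu_device_down(int cpu)
{
    cpus_write_lock();
    cpu_online_mask[cpu] = false;   /* takedown_cpu(cpu) clears the mask bit */
    cpus_write_unlock();
}

enum worker_result {
    WORKER_STARTED_ONLINE,   /* thread created for an online CPU: correct */
    WORKER_STARTED_OFFLINE,  /* thread created for an offline CPU: the bug */
    WORKER_SKIPPED,          /* worker saw the CPU was gone and bailed out */
};

/* Stand-in for start_kthread(cpu). In the kernel a thread created for an
 * offline CPU cannot run there, so it is migrated (timerlat/1 on CPU0 in the
 * report above) and its per-CPU hrtimer state ends up corrupted. */
static enum worker_result start_kthread(int cpu)
{
    return cpu_online(cpu) ? WORKER_STARTED_ONLINE : WORKER_STARTED_OFFLINE;
}

/* Unfixed worker: takes cpus_read_lock() but never re-checks the CPU. */
static enum worker_result osnoise_hotplug_workfn_unfixed(int cpu)
{
    enum worker_result r;

    cpus_read_lock();
    r = start_kthread(cpu);
    cpus_read_unlock();
    return r;
}

/* Fixed worker: "skip online processing if the CPU is already offline".
 * The check sits under cpus_read_lock(), so the offline path cannot clear
 * the bit between the test and start_kthread(). */
static enum worker_result osnoise_hotplug_workfn_fixed(int cpu)
{
    enum worker_result r = WORKER_SKIPPED;

    cpus_read_lock();
    if (!cpu_online(cpu))
        goto out_unlock;
    r = start_kthread(cpu);
out_unlock:
    cpus_read_unlock();
    return r;
}

/* Deterministic replay of the race: the worker for `cpu` is queued at
 * [CPUHP_ONLINE]; if offline_first, the offline path (T2) runs to completion
 * before the deferred worker (T1) is finally scheduled. */
static enum worker_result replay(enum worker_result (*workfn)(int),
                                 int cpu, bool offline_first)
{
    for (int i = 0; i < NR_CPUS; i++)
        cpu_online_mask[i] = true;
    if (offline_first)
        cpu_device_down(cpu);       /* T2 wins the race */
    return workfn(cpu);             /* T1's worker runs afterwards */
}

int main(void)
{
    static const char *names[] = { "started on online CPU",
                                   "started on OFFLINE CPU (bug)",
                                   "skipped, CPU already offline" };

    printf("unfixed, CPU 1 offlined first: %s\n",
           names[replay(osnoise_hotplug_workfn_unfixed, 1, true)]);
    printf("fixed,   CPU 1 offlined first: %s\n",
           names[replay(osnoise_hotplug_workfn_fixed, 1, true)]);
    printf("fixed,   CPU 1 stays online:   %s\n",
           names[replay(osnoise_hotplug_workfn_fixed, 1, false)]);
    return 0;
}
```

The replay is single-threaded on purpose: the commit's diagram already fixes the ordering that triggers the bug, so the model reproduces that ordering exactly instead of hoping a scheduler hits it. The part worth copying into real hotplug callbacks is the shape of the fixed worker: any deferred work keyed on a CPU re-validates that CPU under the same lock the offline path takes to remove it.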
Impact
Base Score 3.x: 4.70
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.14 (including) | 5.15.168 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.113 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.55 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (including) | 6.11.3 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/322920b53dc11f9c2b33397eb3ae5bc6a175b60d
- https://git.kernel.org/stable/c/829e0c9f0855f26b3ae830d17b24aec103f7e915
- https://git.kernel.org/stable/c/a0d9c0cd5856191e095cf43a2e141b73945b7716
- https://git.kernel.org/stable/c/a6e9849063a6c8f4cb2f652a437e44e3ed24356c
- https://git.kernel.org/stable/c/ce25f33ba89d6eefef64157655d318444580fa14
- https://git.kernel.org/stable/c/f72b451dc75578f644a3019c1489e9ae2c14e6c4
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html