CVE-2024-50082

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race<br /> <br /> We&amp;#39;re seeing crashes from rq_qos_wake_function that look like this:<br /> <br /> BUG: unable to handle page fault for address: ffffafe180a40084<br /> #PF: supervisor write access in kernel mode<br /> #PF: error_code(0x0002) - not-present page<br /> PGD 100000067 P4D 100000067 PUD 10027c067 PMD 10115d067 PTE 0<br /> Oops: Oops: 0002 [#1] PREEMPT SMP PTI<br /> CPU: 17 UID: 0 PID: 0 Comm: swapper/17 Not tainted 6.12.0-rc3-00013-geca631b8fe80 #11<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:_raw_spin_lock_irqsave+0x1d/0x40<br /> Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 9c 41 5c fa 65 ff 05 62 97 30 4c 31 c0 ba 01 00 00 00 0f b1 17 75 0a 4c 89 e0 41 5c c3 cc cc cc cc 89 c6 e8 2c 0b 00<br /> RSP: 0018:ffffafe180580ca0 EFLAGS: 00010046<br /> RAX: 0000000000000000 RBX: ffffafe180a3f7a8 RCX: 0000000000000011<br /> RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffffafe180a40084<br /> RBP: 0000000000000000 R08: 00000000001e7240 R09: 0000000000000011<br /> R10: 0000000000000028 R11: 0000000000000888 R12: 0000000000000002<br /> R13: ffffafe180a40084 R14: 0000000000000000 R15: 0000000000000003<br /> FS: 0000000000000000(0000) GS:ffff9aaf1f280000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: ffffafe180a40084 CR3: 000000010e428002 CR4: 0000000000770ef0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> try_to_wake_up+0x5a/0x6a0<br /> rq_qos_wake_function+0x71/0x80<br /> __wake_up_common+0x75/0xa0<br /> __wake_up+0x36/0x60<br /> scale_up.part.0+0x50/0x110<br /> wb_timer_fn+0x227/0x450<br /> ...<br /> <br /> So rq_qos_wake_function() calls wake_up_process(data-&gt;task), which calls<br /> try_to_wake_up(), which faults in raw_spin_lock_irqsave(&amp;p-&gt;pi_lock).<br /> <br /> p comes from data-&gt;task, and data comes from the waitqueue entry, which<br /> is stored on the waiter&amp;#39;s stack in rq_qos_wait(). Analyzing the core<br /> dump with drgn, I found that the waiter had already woken up and moved<br /> on to a completely unrelated code path, clobbering what was previously<br /> data-&gt;task. Meanwhile, the waker was passing the clobbered garbage in<br /> data-&gt;task to wake_up_process(), leading to the crash.<br /> <br /> What&amp;#39;s happening is that in between rq_qos_wake_function() deleting the<br /> waitqueue entry and calling wake_up_process(), rq_qos_wait() is finding<br /> that it already got a token and returning. The race looks like this:<br /> <br /> rq_qos_wait() rq_qos_wake_function()<br /> ==============================================================<br /> prepare_to_wait_exclusive()<br /> data-&gt;got_token = true;<br /> list_del_init(&amp;curr-&gt;entry);<br /> if (data.got_token)<br /> break;<br /> finish_wait(&amp;rqw-&gt;wait, &amp;data.wq);<br /> ^- returns immediately because<br /> list_empty_careful(&amp;wq_entry-&gt;entry)<br /> is true<br /> ... return, go do something else ...<br /> wake_up_process(data-&gt;task)<br /> (NO LONGER VALID!)-^<br /> <br /> Normally, finish_wait() is supposed to synchronize against the waker.<br /> But, as noted above, it is returning immediately because the waitqueue<br /> entry has already been removed from the waitqueue.<br /> <br /> The bug is that rq_qos_wake_function() is accessing the waitqueue entry<br /> AFTER deleting it. Note that autoremove_wake_function() wakes the waiter<br /> and THEN deletes the waitqueue entry, which is the proper order.<br /> <br /> Fix it by swapping the order. We also need to use<br /> list_del_init_careful() to match the list_empty_careful() in<br /> finish_wait().