CVE-2024-50140

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 07/11/2024
Last modified: 01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

sched/core: Disable page allocation in task_tick_mm_cid()

With KASAN and PREEMPT_RT enabled, calling task_work_add() in task_tick_mm_cid() may cause the following splat.

[ 63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[ 63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe
[ 63.696416] preempt_count: 10001, expected: 0
[ 63.696416] RCU nest depth: 1, expected: 1

This problem is caused by the following call trace.

sched_tick() [ acquire rq->__lock ]
-> task_tick_mm_cid()
-> task_work_add()
-> __kasan_record_aux_stack()
-> kasan_save_stack()
-> stack_depot_save_flags()
-> alloc_pages_mpol_noprof()
-> __alloc_pages_noprof()
-> get_page_from_freelist()
-> rmqueue()
-> rmqueue_pcplist()
-> __rmqueue_pcplist()
-> rmqueue_bulk()
-> rt_spin_lock()

The rq lock is a raw_spinlock_t. We can't sleep while holding it. IOW, we can't call alloc_pages() in stack_depot_save_flags().

The task_tick_mm_cid() function with its task_work_add() call was introduced by commit 223baf9d17f2 ("sched: Fix performance regression introduced by mm_cid") in the v6.4 kernel.

Fortunately, there is a kasan_record_aux_stack_noalloc() variant that calls stack_depot_save_flags() while not allowing it to allocate new pages. To allow task_tick_mm_cid() to use task_work without page allocation, a new TWAF_NO_ALLOC flag is added; when it is set, kasan_record_aux_stack_noalloc() is called instead of kasan_record_aux_stack(). The task_tick_mm_cid() function is modified to pass this new flag.

The possible downside is a missing stack trace in a KASAN report when stack_depot_save_flags() would have needed a new page allocation at the time task_work_add_noalloc() is called, which should be rare.

Vulnerable products and versions

CPE                                                 From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.4 (including)   6.6.59 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.7 (including)   6.11.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*   -                 -
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*   -                 -
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*   -                 -