{ "threat_severity" : "Low", "public_date" : "2024-10-29T00:00:00Z", "bugzilla" : { "description" : "kernel: blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race", "id" : "2322308", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2322308" }, "cvss3" : { "cvss3_base_score" : "4.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-362", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nblk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race\nWe're seeing crashes from rq_qos_wake_function that look like this:\nBUG: unable to handle page fault for address: ffffafe180a40084\n#PF: supervisor write access in kernel mode\n#PF: error_code(0x0002) - not-present page\nPGD 100000067 P4D 100000067 PUD 10027c067 PMD 10115d067 PTE 0\nOops: Oops: 0002 [#1] PREEMPT SMP PTI\nCPU: 17 UID: 0 PID: 0 Comm: swapper/17 Not tainted 6.12.0-rc3-00013-geca631b8fe80 #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:_raw_spin_lock_irqsave+0x1d/0x40\nCode: 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 9c 41 5c fa 65 ff 05 62 97 30 4c 31 c0 ba 01 00 00 00 0f b1 17 75 0a 4c 89 e0 41 5c c3 cc cc cc cc 89 c6 e8 2c 0b 00\nRSP: 0018:ffffafe180580ca0 EFLAGS: 00010046\nRAX: 0000000000000000 RBX: ffffafe180a3f7a8 RCX: 0000000000000011\nRDX: 0000000000000001 RSI: 0000000000000003 RDI: ffffafe180a40084\nRBP: 0000000000000000 R08: 00000000001e7240 R09: 0000000000000011\nR10: 0000000000000028 R11: 0000000000000888 R12: 0000000000000002\nR13: ffffafe180a40084 R14: 0000000000000000 R15: 0000000000000003\nFS: 0000000000000000(0000) GS:ffff9aaf1f280000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffafe180a40084 CR3: 000000010e428002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n\ntry_to_wake_up+0x5a/0x6a0\nrq_qos_wake_function+0x71/0x80\n__wake_up_common+0x75/0xa0\n__wake_up+0x36/0x60\nscale_up.part.0+0x50/0x110\nwb_timer_fn+0x227/0x450\n...\nSo rq_qos_wake_function() calls wake_up_process(data->task), which calls\ntry_to_wake_up(), which faults in raw_spin_lock_irqsave(&p->pi_lock).\np comes from data->task, and data comes from the waitqueue entry, which\nis stored on the waiter's stack in rq_qos_wait(). Analyzing the core\ndump with drgn, I found that the waiter had already woken up and moved\non to a completely unrelated code path, clobbering what was previously\ndata->task. Meanwhile, the waker was passing the clobbered garbage in\ndata->task to wake_up_process(), leading to the crash.\nWhat's happening is that in between rq_qos_wake_function() deleting the\nwaitqueue entry and calling wake_up_process(), rq_qos_wait() is finding\nthat it already got a token and returning. The race looks like this:\nrq_qos_wait() rq_qos_wake_function()\n==============================================================\nprepare_to_wait_exclusive()\ndata->got_token = true;\nlist_del_init(&curr->entry);\nif (data.got_token)\nbreak;\nfinish_wait(&rqw->wait, &data.wq);\n^- returns immediately because\nlist_empty_careful(&wq_entry->entry)\nis true\n... return, go do something else ...\nwake_up_process(data->task)\n(NO LONGER VALID!)-^\nNormally, finish_wait() is supposed to synchronize against the waker.\nBut, as noted above, it is returning immediately because the waitqueue\nentry has already been removed from the waitqueue.\nThe bug is that rq_qos_wake_function() is accessing the waitqueue entry\nAFTER deleting it. Note that autoremove_wake_function() wakes the waiter\nand THEN deletes the waitqueue entry, which is the proper order.\nFix it by swapping the order. We also need to use\nlist_del_init_careful() to match the list_empty_careful() in\nfinish_wait()." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-12-11T00:00:00Z", "advisory" : "RHSA-2024:10944", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.32.1.rt7.373.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-12-11T00:00:00Z", "advisory" : "RHSA-2024:10943", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.32.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-07-28T00:00:00Z", "advisory" : "RHSA-2025:11810", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.79.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-50082\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50082\nhttps://lore.kernel.org/linux-cve-announce/2024102937-CVE-2024-50082-c5b1@gregkh/T" ], "name" : "CVE-2024-50082", "csaw" : false }