In the Linux kernel, the following vulnerability has been resolved:
workqueue: fix data race with the pwq->stats[] increment
KCSAN has discovered a data race in kernel/workqueue.c:2598:
[ 1863.554079] ==================================================================
[ 1863.554118] BUG: KCSAN: data-race in process_one_work / process_one_work

[ 1863.554142] write to 0xffff963d99d79998 of 8 bytes by task 5394 on cpu 27:
[ 1863.554154] process_one_work (kernel/workqueue.c:2598)
[ 1863.554166] worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2752)
[ 1863.554177] kthread (kernel/kthread.c:389)
[ 1863.554186] ret_from_fork (arch/x86/kernel/process.c:145)
[ 1863.554197] ret_from_fork_asm (arch/x86/entry/entry_64.S:312)

[ 1863.554213] read to 0xffff963d99d79998 of 8 bytes by task 5450 on cpu 12:
[ 1863.554224] process_one_work (kernel/workqueue.c:2598)
[ 1863.554235] worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2752)
[ 1863.554247] kthread (kernel/kthread.c:389)
[ 1863.554255] ret_from_fork (arch/x86/kernel/process.c:145)
[ 1863.554266] ret_from_fork_asm (arch/x86/entry/entry_64.S:312)

[ 1863.554280] value changed: 0x0000000000001766 -> 0x000000000000176a

[ 1863.554295] Reported by Kernel Concurrency Sanitizer on:
[ 1863.554303] CPU: 12 PID: 5450 Comm: kworker/u64:1 Tainted: G L 6.5.0-rc6+ #44
[ 1863.554314] Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
[ 1863.554322] Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]
[ 1863.554941] ==================================================================
		lockdep_invariant_state(true);
→		pwq->stats[PWQ_STAT_STARTED]++;
		trace_workqueue_execute_start(work);
		worker->current_func(work);

Moving pwq->stats[PWQ_STAT_STARTED]++; before the line

		raw_spin_unlock_irq(&pool->lock);

resolves the data race without performance penalty.
KCSAN detected at least one additional data race:
[ 157.834751] ==================================================================
[ 157.834770] BUG: KCSAN: data-race in process_one_work / process_one_work

[ 157.834793] write to 0xffff9934453f77a0 of 8 bytes by task 468 on cpu 29:
[ 157.834804] process_one_work (/home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2606)
[ 157.834815] worker_thread (/home/marvin/linux/kernel/linux_torvalds/./include/linux/list.h:292 /home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2752)
[ 157.834826] kthread (/home/marvin/linux/kernel/linux_torvalds/kernel/kthread.c:389)
[ 157.834834] ret_from_fork (/home/marvin/linux/kernel/linux_torvalds/arch/x86/kernel/process.c:145)
[ 157.834845] ret_from_fork_asm (/home/marvin/linux/kernel/linux_torvalds/arch/x86/entry/entry_64.S:312)

[ 157.834859] read to 0xffff9934453f77a0 of 8 bytes by task 214 on cpu 7:
[ 157.834868] process_one_work (/home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2606)
[ 157.834879] worker_thread (/home/marvin/linux/kernel/linux_torvalds/./include/linux/list.h:292 /home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2752)
[ 157.834890] kthread (/home/marvin/linux/kernel/linux_torvalds/kernel/kthread.c:389)
[ 157.834897] ret_from_fork (/home/marvin/linux/kernel/linux_torvalds/arch/x86/kernel/process.c:145)
[ 157.834907] ret_from_fork_asm (/home/marvin/linux/kernel/linux_torvalds/arch/x86/entry/entry_64.S:312)

[ 157.834920] value changed: 0x000000000000052a -> 0x0000000000000532

[ 157.834933] Reported by Kernel Concurrency Sanitizer on:
[ 157.834941] CPU: 7 PID: 214 Comm: kworker/u64:2 Tainted: G L 6.5.0-rc7-kcsan-00169-g81eaf55a60fc #4
[ 157.834951] Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
[ 157.834958] Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]
[ 157.835567] ==================================================================
in code:
		trace_workqueue_execute_end(work, worker->current_func);
→		pwq->stats[PWQ_STAT_COM ---truncated---
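The race class the report describes, as an added user-space C example that is not part of the commit or of the kernel: several worker threads bump a shared per-pool counter after dropping the pool lock (the "before" shape of the bug), next to the same increment moved under the lock (the shape of the fix). The pool, worker and counter names are constructed stand-ins for pool->lock and pwq->stats[PWQ_STAT_STARTED]; nothing here is kernel code.

```c
#include <pthread.h>
#include <stdio.h>

#define NR_WORKERS 8
#define ITEMS_PER_WORKER 200000

/* Constructed pool: a lock plus a counter standing in for pwq->stats[PWQ_STAT_STARTED]. */
struct pool {
	pthread_mutex_t lock;
	unsigned long stat_started;
};

/* fixed == 0: increment after unlock (racy); fixed == 1: increment under the lock. */
struct worker_arg { struct pool *pool; int fixed; };

/* Models the process_one_work() sequence: pool->lock is held while the item
 * is claimed and released before the work function runs. */
static void *worker_thread(void *p)
{
	struct worker_arg *a = p;
	for (int i = 0; i < ITEMS_PER_WORKER; i++) {
		pthread_mutex_lock(&a->pool->lock);
		if (a->fixed)
			a->pool->stat_started++;	/* fix: counted under pool->lock */
		pthread_mutex_unlock(&a->pool->lock);
		if (!a->fixed)
			a->pool->stat_started++;	/* bug: unlocked read-modify-write, updates get lost */
	}
	return NULL;
}

/* Runs NR_WORKERS threads over one pool and returns the final counter value. */
unsigned long run_workers(int fixed)
{
	struct pool pool = { PTHREAD_MUTEX_INITIALIZER, 0 };
	struct worker_arg arg = { &pool, fixed };
	pthread_t tid[NR_WORKERS];
	for (int i = 0; i < NR_WORKERS; i++)
		pthread_create(&tid[i], NULL, worker_thread, &arg);
	for (int i = 0; i < NR_WORKERS; i++)
		pthread_join(tid[i], NULL);
	return pool.stat_started;
}

int main(void)
{
	unsigned long expected = (unsigned long)NR_WORKERS * ITEMS_PER_WORKER;
	printf("racy:   %lu of %lu\n", run_workers(0), expected);
	printf("locked: %lu of %lu\n", run_workers(1), expected);
	return 0;
}
```

The locked variant always reaches the expected total; the racy variant typically falls short, which is the lost-update outcome KCSAN is flagging, and on a kernel build with KCSAN enabled the unlocked form is what produces the reports above.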
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53329.json",
"cna_assigner": "Linux"
}