CVE-2024-46704

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-46704
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46704.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-46704
Downstream
Published
2024-09-13T06:27:31.822Z
Modified
2025-11-20T05:38:12.468536Z
Summary
workqueue: Fix spruious data race in __flush_work()
Details

In the Linux kernel, the following vulnerability has been resolved:

workqueue: Fix spruious data race in _flushwork()

When flushing a work item for cancellation, _flushwork() knows that it exclusively owns the work item through its PENDING bit. 134874e2eee9 ("workqueue: Allow cancelworksync() and disablework() from atomic contexts on BH work items") added a read of @work->data to determine whether to use busy wait for BH work items that are being canceled. While the read is safe when @fromcancel, @work->data was read before testing @from_cancel to simplify code structure:

data = *work_data_bits(work);
if (from_cancel &&
    !WARN_ON_ONCE(data & WORK_STRUCT_PWQ) && (data & WORK_OFFQ_BH)) {

While the read data was never used if !@from_cancel, this could trigger KCSAN data race detection spuriously:

================================================================== BUG: KCSAN: data-race in _flushwork / _flushwork

write to 0xffff8881223aa3e8 of 8 bytes by task 3998 on cpu 0: instrumentwrite include/linux/instrumented.h:41 [inline] _setbit include/asm-generic/bitops/instrumented-non-atomic.h:28 [inline] insertwqbarrier kernel/workqueue.c:3790 [inline] startflushwork kernel/workqueue.c:4142 [inline] _flushwork+0x30b/0x570 kernel/workqueue.c:4178 flush_work kernel/workqueue.c:4229 [inline] ...

read to 0xffff8881223aa3e8 of 8 bytes by task 50 on cpu 1: _flushwork+0x42a/0x570 kernel/workqueue.c:4188 flushwork kernel/workqueue.c:4229 [inline] flushdelayed_work+0x66/0x70 kernel/workqueue.c:4251 ...

value changed: 0x0000000000400000 -> 0xffff88810006c00d

Reorganize the code so that @fromcancel is tested before @work->data is accessed. The only problem is triggering KCSAN detection spuriously. This shouldn't need READONCE() or other access qualifiers.

No functional changes.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
134874e2eee9380c2700411d4844cbc29297bc01
Fixed
91d09642127a32fde231face2ff489af70eef316
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
134874e2eee9380c2700411d4844cbc29297bc01
Fixed
8bc35475ef1a23b0e224f3242eb11c76cab0ea88

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.10.1
v6.10.2
v6.10.3
v6.10.4
v6.10.5
v6.10.6
v6.11-rc1
v6.9
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "kernel/workqueue.c"
        },
        "digest": {
            "line_hashes": [
                "172854493406610280526159093381128539348",
                "88863626635405050283687801236887194831",
                "197033954428039435006948118716349237873",
                "292767597787995688679429624051408431550",
                "144595655311085596455123584949335260395",
                "70634037682440291296218212281224185353",
                "334238548638508178441162479100193109176",
                "31105793994609528107305189415600374544",
                "202120491962035310217997248525505552459",
                "214466187080160778233595197079305063797",
                "152632603446982136414471009372957125829",
                "120419114745395729947854642982893153892",
                "81058194794142818748912633728192940832",
                "170506188545710873579213099161305464531",
                "236457487283776151059230995749050786672",
                "29959703557796994617701840361662921210",
                "203497153657111901380119178193049078924",
                "111011124936021985297601255086924946718",
                "62515998544427828896284527419532699652",
                "163994852945619122846286686997220688699",
                "68770450462383005125284085835723000087"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@91d09642127a32fde231face2ff489af70eef316",
        "signature_version": "v1",
        "id": "CVE-2024-46704-50279795"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "kernel/workqueue.c"
        },
        "digest": {
            "line_hashes": [
                "172854493406610280526159093381128539348",
                "88863626635405050283687801236887194831",
                "197033954428039435006948118716349237873",
                "292767597787995688679429624051408431550",
                "144595655311085596455123584949335260395",
                "70634037682440291296218212281224185353",
                "334238548638508178441162479100193109176",
                "31105793994609528107305189415600374544",
                "202120491962035310217997248525505552459",
                "214466187080160778233595197079305063797",
                "152632603446982136414471009372957125829",
                "120419114745395729947854642982893153892",
                "81058194794142818748912633728192940832",
                "170506188545710873579213099161305464531",
                "236457487283776151059230995749050786672",
                "29959703557796994617701840361662921210",
                "203497153657111901380119178193049078924",
                "111011124936021985297601255086924946718",
                "62515998544427828896284527419532699652",
                "163994852945619122846286686997220688699",
                "68770450462383005125284085835723000087"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8bc35475ef1a23b0e224f3242eb11c76cab0ea88",
        "signature_version": "v1",
        "id": "CVE-2024-46704-c23250a3"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "kernel/workqueue.c",
            "function": "__flush_work"
        },
        "digest": {
            "length": 577.0,
            "function_hash": "144171915174224107802363616273730735683"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@91d09642127a32fde231face2ff489af70eef316",
        "signature_version": "v1",
        "id": "CVE-2024-46704-d991b3c2"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "kernel/workqueue.c",
            "function": "__flush_work"
        },
        "digest": {
            "length": 577.0,
            "function_hash": "144171915174224107802363616273730735683"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8bc35475ef1a23b0e224f3242eb11c76cab0ea88",
        "signature_version": "v1",
        "id": "CVE-2024-46704-f055b51c"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.0
Fixed
6.10.7