In the Linux kernel, the following vulnerability has been resolved:
tracing/osnoise: Use a cpumask to know what threads are kthreads
The start_kthread() and stop_thread() code was not always called with the interface_lock held. This means that the kthread variable could be unexpectedly changed causing the kthread_stop() to be called on it when it should not have been, leading to:
 while true; do
   rtla timerlat top -u -q & PID=$!;
   sleep 5;
   kill -INT $PID;
   sleep 0.001;
   kill -TERM $PID;
   wait $PID;
 done
Causing the following OOPS:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 5 UID: 0 PID: 885 Comm: timerlatu/5 Not tainted 6.11.0-rc4-test-00002-gbc754cc76d1b-dirty #125 a533010b71dab205ad2f507188ce8c82203b0254
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:hrtimer_active+0x58/0x300
Code: 48 c1 ee 03 41 54 48 01 d1 48 01 d6 55 53 48 83 ec 20 80 39 00 0f 85 30 02 00 00 49 8b 6f 30 4c 8d 75 10 4c 89 f0 48 c1 e8 03 <0f> b6 3c 10 4c 89 f0 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f
RSP: 0018:ffff88811d97f940 EFLAGS: 00010202
RAX: 0000000000000002 RBX: ffff88823c6b5b28 RCX: ffffed10478d6b6b
RDX: dffffc0000000000 RSI: ffffed10478d6b6c RDI: ffff88823c6b5b28
RBP: 0000000000000000 R08: ffff88823c6b5b58 R09: ffff88823c6b5b60
R10: ffff88811d97f957 R11: 0000000000000010 R12: 00000000000a801d
R13: ffff88810d8b35d8 R14: 0000000000000010 R15: ffff88823c6b5b28
FS:  0000000000000000(0000) GS:ffff88823c680000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561858ad7258 CR3: 000000007729e001 CR4: 0000000000170ef0
Call Trace:
 <TASK>
 ? die_addr+0x40/0xa0
 ? exc_general_protection+0x154/0x230
 ? asm_exc_general_protection+0x26/0x30
 ? hrtimer_active+0x58/0x300
 ? __pfx_mutex_lock+0x10/0x10
 ? __pfx_locks_remove_file+0x10/0x10
 hrtimer_cancel+0x15/0x40
 timerlat_fd_release+0x8e/0x1f0
 ? security_file_release+0x43/0x80
 __fput+0x372/0xb10
 task_work_run+0x11e/0x1f0
 ? _raw_spin_lock+0x85/0xe0
 ? __pfx_task_work_run+0x10/0x10
 ? poison_slab_object+0x109/0x170
 ? do_exit+0x7a0/0x24b0
 do_exit+0x7bd/0x24b0
 ? __pfx_migrate_enable+0x10/0x10
 ? __pfx_do_exit+0x10/0x10
 ? __pfx_read_tsc+0x10/0x10
 ? ktime_get+0x64/0x140
 ? _raw_spin_lock_irq+0x86/0xe0
 do_group_exit+0xb0/0x220
 get_signal+0x17ba/0x1b50
 ? vfs_read+0x179/0xa40
 ? timerlat_fd_read+0x30b/0x9d0
 ? __pfx_get_signal+0x10/0x10
 ? __pfx_timerlat_fd_read+0x10/0x10
 arch_do_signal_or_restart+0x8c/0x570
 ? __pfx_arch_do_signal_or_restart+0x10/0x10
 ? vfs_read+0x179/0xa40
 ? ksys_read+0xfe/0x1d0
 ? __pfx_ksys_read+0x10/0x10
 syscall_exit_to_user_mode+0xbc/0x130
 do_syscall_64+0x74/0x110
 ? __pfx_rseq_handle_notify_resume+0x10/0x10
 ? __pfx_ksys_read+0x10/0x10
 ? fpregs_restore_userregs+0xdb/0x1e0
 ? fpregs_restore_userregs+0xdb/0x1e0
 ? syscall_exit_to_user_mode+0x116/0x130
 ? do_syscall_64+0x74/0x110
 ? do_syscall_64+0x74/0x110
 ? do_syscall_64+0x74/0x110
 entry_SYSCALL_64_after_hwframe+0x71/0x79
RIP: 0033:0x7ff0070eca9c
Code: Unable to access opcode bytes at 0x7ff0070eca72.
RSP: 002b:00007ff006dff8c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007ff0070eca9c
RDX: 0000000000000400 RSI: 00007ff006dff9a0 RDI: 0000000000000003
RBP: 00007ff006dffde0 R08: 0000000000000000 R09: 00007ff000000ba0
R10: 00007ff007004b08 R11: 0000000000000246 R12: 0000000000000003
R13: 00007ff006dff9a0 R14: 0000000000000007 R15: 0000000000000008
 </TASK>
Modules linked in: snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hwdep snd_hda_core
---[ end trace 0000000000000000 ]---
This is because it would mistakenly call kthread_stop() on a user space thread making it "exit" before it actually exits.
Since kthread ---truncated---
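The following is an added illustration of the mechanism the commit title names, written for this page and not taken from the kernel or from the patch: a per-CPU worker slot that can hold either a kernel thread or a user thread (the rtla -u case), a bitmask that records only the slots filled by start_kthread(), and a stop path that consults and clears that bit under the lock before anything is handed to kthread_stop(). The struct layout, the fake kthread_run()/kthread_stop() stand-ins, the thread handles and the names per_cpu_var, kthread_cpumask and register_user_thread() are all hypothetical; stop_kthread_unchecked() is kept only to show the pre-fix shape in which whatever sits in the slot gets stopped.

```c
/* Added illustration (not the kernel's code): track which per-CPU slots hold
 * kernel threads in a bitmask so the stop path never passes a user thread to
 * kthread_stop(). Every name and layout below is a hypothetical stand-in. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

#define NR_CPUS 8

/* One slot per CPU. 'tid' is a constructed thread handle; 0 means empty. */
struct osn_cpu {
    int tid;
};

static struct osn_cpu per_cpu_var[NR_CPUS];
/* Stand-in for the tracer's interface_lock: every slot update happens under it. */
static pthread_mutex_t interface_lock = PTHREAD_MUTEX_INITIALIZER;
/* Stand-in for a cpumask: bit N is set only when slot N was filled by start_kthread(). */
static uint64_t kthread_cpumask;
/* Counts how often the (fake) kthread_stop() step was reached. */
static int kthread_stop_calls;

static int fake_kthread_run(int cpu) { return 1000 + cpu; }          /* hypothetical handle */
static void fake_kthread_stop(int tid) { (void)tid; kthread_stop_calls++; }

int kthread_stop_count(void) { return kthread_stop_calls; }

/* Create the per-CPU kernel worker and record it as a kthread, all under the lock. */
int start_kthread(int cpu)
{
    int ret = -1;
    if (cpu < 0 || cpu >= NR_CPUS)
        return -1;
    pthread_mutex_lock(&interface_lock);
    if (per_cpu_var[cpu].tid == 0) {
        per_cpu_var[cpu].tid = fake_kthread_run(cpu);
        kthread_cpumask |= (uint64_t)1 << cpu;
        ret = 0;
    }
    pthread_mutex_unlock(&interface_lock);
    return ret;
}

/* A user-space thread takes the same slot but never sets the cpumask bit,
 * because it is not something kthread_stop() may ever be called on. */
int register_user_thread(int cpu, int tid)
{
    int ret = -1;
    if (cpu < 0 || cpu >= NR_CPUS || tid == 0)
        return -1;
    pthread_mutex_lock(&interface_lock);
    if (per_cpu_var[cpu].tid == 0) {
        per_cpu_var[cpu].tid = tid;
        ret = 0;
    }
    pthread_mutex_unlock(&interface_lock);
    return ret;
}

/* Pre-fix shape of the stop path: no lock, no ownership check, so a user
 * thread registered in the slot is "stopped" exactly like a kthread. */
int stop_kthread_unchecked(int cpu)
{
    int tid = per_cpu_var[cpu].tid;
    if (tid) {
        fake_kthread_stop(tid);
        per_cpu_var[cpu].tid = 0;
        return 1;
    }
    return 0;
}

/* Fixed shape: test and clear the cpumask bit under the lock; only a slot the
 * mask marks as a kthread reaches kthread_stop(). Returns 1 when a kthread was
 * stopped, 0 when the slot was empty or held a user thread. */
int stop_kthread(int cpu)
{
    int stopped = 0;
    if (cpu < 0 || cpu >= NR_CPUS)
        return 0;
    pthread_mutex_lock(&interface_lock);
    int tid = per_cpu_var[cpu].tid;
    uint64_t bit = (uint64_t)1 << cpu;
    if (tid && (kthread_cpumask & bit)) {
        kthread_cpumask &= ~bit;
        fake_kthread_stop(tid);
        stopped = 1;
    }
    /* Empty or user-owned: release the slot, never call kthread_stop() on it. */
    per_cpu_var[cpu].tid = 0;
    pthread_mutex_unlock(&interface_lock);
    return stopped;
}

int main(void)
{
    start_kthread(2);
    register_user_thread(3, 885);   /* the PID from the oops above, reused as a sample tid */
    printf("stop cpu2 (kthread): %d\n", stop_kthread(2));
    printf("stop cpu3 (user thread): %d\n", stop_kthread(3));
    printf("kthread_stop() calls: %d\n", kthread_stop_count());
    return 0;
}
```

The point of the bitmask is that ownership is decided by who filled the slot, not by whether the slot is non-empty, and because both the set and the test-and-clear happen under the same lock, a slot cannot change owner between the check and the stop.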