CVE-2022-48658

mm: slub: fix flush_cpu_slab()/__free_slab() invocations in task context.

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

mm: slub: fix flush_cpu_slab()/__free_slab() invocations in task context.

Commit 5a836bf6b09f ("mm: slub: move flush_cpu_slab() invocations
__free_slab() invocations out of IRQ context") moved all flush_cpu_slab()
invocations to the global workqueue to avoid a problem related
with deactivate_slab()/__free_slab() being called from an IRQ context
on PREEMPT_RT kernels.

When the flush_all_cpu_locked() function is called from a task context
it may happen that a workqueue with WQ_MEM_RECLAIM bit set ends up
flushing the global workqueue, this will cause a dependency issue.

workqueue: WQ_MEM_RECLAIM nvme-delete-wq:nvme_delete_ctrl_work [nvme_core]
is flushing !WQ_MEM_RECLAIM events:flush_cpu_slab
WARNING: CPU: 37 PID: 410 at kernel/workqueue.c:2637
check_flush_dependency+0x10a/0x120
Workqueue: nvme-delete-wq nvme_delete_ctrl_work [nvme_core]
RIP: 0010:check_flush_dependency+0x10a/0x120[ 453.262125] Call Trace:
__flush_work.isra.0+0xbf/0x220
? __queue_work+0x1dc/0x420
flush_all_cpus_locked+0xfb/0x120
__kmem_cache_shutdown+0x2b/0x320
kmem_cache_destroy+0x49/0x100
bioset_exit+0x143/0x190
blk_release_queue+0xb9/0x100
kobject_cleanup+0x37/0x130
nvme_fc_ctrl_free+0xc6/0x150 [nvme_fc]
nvme_free_ctrl+0x1ac/0x2b0 [nvme_core]

Fix this bug by creating a workqueue for the flush operation with
the WQ_MEM_RECLAIM bit set.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: slub: corrige las invocaciones de flu_cpu_slab()/__free_slab() en el contexto de la tarea. Commit 5a836bf6b09f ("mm: slub: mover invocaciones de flu_cpu_slab() invocaciones de __free_slab() fuera del contexto IRQ") movió todas las invocaciones de flu_cpu_slab() a la cola de trabajo global para evitar un problema relacionado con la llamada de desactivate_slab()/__free_slab() desde un Contexto IRQ en núcleos PREEMPT_RT. Cuando se llama a la función Flush_all_cpu_locked() desde un contexto de tarea, puede suceder que una cola de trabajo con el bit WQ_MEM_RECLAIM configurado termine vaciando la cola de trabajo global, esto causará un problema de dependencia. cola de trabajo: WQ_MEM_RECLAIM nvme-delete-wq:nvme_delete_ctrl_work [nvme_core] se está vaciando! Eventos WQ_MEM_RECLAIM:flush_cpu_slab ADVERTENCIA: CPU: 37 PID: 410 en kernel/workqueue.c:2637 check_flush_dependency+0x10a/0x120 Cola de trabajo: vme-delete-wq nvme_delete_ctrl_work [ nvme_core] RIP: 0010:check_flush_dependency+0x10a/0x120[ 453.262125] Seguimiento de llamadas: __flush_work.isra.0+0xbf/0x220? __queue_work+0x1dc/0x420 Flush_all_cpus_locked+0xfb/0x120 __kmem_cache_shutdown+0x2b/0x320 kmem_cache_destroy+0x49/0x100 bioset_exit+0x143/0x190 blk_release_queue+0xb9/0x100 kobject_cleanup+0 x37/0x130 nvme_fc_ctrl_free+0xc6/0x150 [nvme_fc] nvme_free_ctrl+0x1ac/0x2b0 [nvme_core ] Corrija este error creando una cola de trabajo para la operación de vaciado con el bit WQ_MEM_RECLAIM establecido.

*Credits: N/A

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-25 CVE Reserved
2024-04-28 CVE Published
2024-05-01 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/5a836bf6b09f99ead1b69457ff39ab3011ece57b	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/61703b248be993eb4997b00ae5d3318e6d8f3c5b	2022-09-28
https://git.kernel.org/stable/c/df6cb39335cf5a1b918e8dbd8ba7cd9f1d00e45a	2022-09-28
https://git.kernel.org/stable/c/e45cc288724f0cfd497bb5920bcfa60caa335729	2022-09-22

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 5.15.71 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.15.71"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 5.19.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.19.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 6.0 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.0"		en		Affected