CVE-2024-46704 (GCVE-0-2024-46704)

Vulnerability from cvelistv5 – Published: 2024-09-13 06:27 – Updated: 2026-05-11 20:34
VLAI
Title
workqueue: Fix spruious data race in __flush_work()
Summary
In the Linux kernel, the following vulnerability has been resolved: workqueue: Fix spruious data race in __flush_work() When flushing a work item for cancellation, __flush_work() knows that it exclusively owns the work item through its PENDING bit. 134874e2eee9 ("workqueue: Allow cancel_work_sync() and disable_work() from atomic contexts on BH work items") added a read of @work->data to determine whether to use busy wait for BH work items that are being canceled. While the read is safe when @from_cancel, @work->data was read before testing @from_cancel to simplify code structure: data = *work_data_bits(work); if (from_cancel && !WARN_ON_ONCE(data & WORK_STRUCT_PWQ) && (data & WORK_OFFQ_BH)) { While the read data was never used if !@from_cancel, this could trigger KCSAN data race detection spuriously: ================================================================== BUG: KCSAN: data-race in __flush_work / __flush_work write to 0xffff8881223aa3e8 of 8 bytes by task 3998 on cpu 0: instrument_write include/linux/instrumented.h:41 [inline] ___set_bit include/asm-generic/bitops/instrumented-non-atomic.h:28 [inline] insert_wq_barrier kernel/workqueue.c:3790 [inline] start_flush_work kernel/workqueue.c:4142 [inline] __flush_work+0x30b/0x570 kernel/workqueue.c:4178 flush_work kernel/workqueue.c:4229 [inline] ... read to 0xffff8881223aa3e8 of 8 bytes by task 50 on cpu 1: __flush_work+0x42a/0x570 kernel/workqueue.c:4188 flush_work kernel/workqueue.c:4229 [inline] flush_delayed_work+0x66/0x70 kernel/workqueue.c:4251 ... value changed: 0x0000000000400000 -> 0xffff88810006c00d Reorganize the code so that @from_cancel is tested before @work->data is accessed. The only problem is triggering KCSAN detection spuriously. This shouldn't need READ_ONCE() or other access qualifiers. No functional changes.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 134874e2eee9380c2700411d4844cbc29297bc01 , < 91d09642127a32fde231face2ff489af70eef316 (git)
Affected: 134874e2eee9380c2700411d4844cbc29297bc01 , < 8bc35475ef1a23b0e224f3242eb11c76cab0ea88 (git)
Create a notification for this product.
Linux Linux Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.10.7 , ≤ 6.10.* (semver)
Unaffected: 6.11 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-46704",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-29T15:03:23.715213Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-29T15:03:38.514Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/workqueue.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "91d09642127a32fde231face2ff489af70eef316",
              "status": "affected",
              "version": "134874e2eee9380c2700411d4844cbc29297bc01",
              "versionType": "git"
            },
            {
              "lessThan": "8bc35475ef1a23b0e224f3242eb11c76cab0ea88",
              "status": "affected",
              "version": "134874e2eee9380c2700411d4844cbc29297bc01",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/workqueue.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.7",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nworkqueue: Fix spruious data race in __flush_work()\n\nWhen flushing a work item for cancellation, __flush_work() knows that it\nexclusively owns the work item through its PENDING bit. 134874e2eee9\n(\"workqueue: Allow cancel_work_sync() and disable_work() from atomic\ncontexts on BH work items\") added a read of @work-\u003edata to determine whether\nto use busy wait for BH work items that are being canceled. While the read\nis safe when @from_cancel, @work-\u003edata was read before testing @from_cancel\nto simplify code structure:\n\n\tdata = *work_data_bits(work);\n\tif (from_cancel \u0026\u0026\n\t    !WARN_ON_ONCE(data \u0026 WORK_STRUCT_PWQ) \u0026\u0026 (data \u0026 WORK_OFFQ_BH)) {\n\nWhile the read data was never used if !@from_cancel, this could trigger\nKCSAN data race detection spuriously:\n\n  ==================================================================\n  BUG: KCSAN: data-race in __flush_work / __flush_work\n\n  write to 0xffff8881223aa3e8 of 8 bytes by task 3998 on cpu 0:\n   instrument_write include/linux/instrumented.h:41 [inline]\n   ___set_bit include/asm-generic/bitops/instrumented-non-atomic.h:28 [inline]\n   insert_wq_barrier kernel/workqueue.c:3790 [inline]\n   start_flush_work kernel/workqueue.c:4142 [inline]\n   __flush_work+0x30b/0x570 kernel/workqueue.c:4178\n   flush_work kernel/workqueue.c:4229 [inline]\n   ...\n\n  read to 0xffff8881223aa3e8 of 8 bytes by task 50 on cpu 1:\n   __flush_work+0x42a/0x570 kernel/workqueue.c:4188\n   flush_work kernel/workqueue.c:4229 [inline]\n   flush_delayed_work+0x66/0x70 kernel/workqueue.c:4251\n   ...\n\n  value changed: 0x0000000000400000 -\u003e 0xffff88810006c00d\n\nReorganize the code so that @from_cancel is tested before @work-\u003edata is\naccessed. The only problem is triggering KCSAN detection spuriously. This\nshouldn\u0027t need READ_ONCE() or other access qualifiers.\n\nNo functional changes."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:34:46.394Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/91d09642127a32fde231face2ff489af70eef316"
        },
        {
          "url": "https://git.kernel.org/stable/c/8bc35475ef1a23b0e224f3242eb11c76cab0ea88"
        }
      ],
      "title": "workqueue: Fix spruious data race in __flush_work()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-46704",
    "datePublished": "2024-09-13T06:27:31.822Z",
    "dateReserved": "2024-09-11T15:12:18.251Z",
    "dateUpdated": "2026-05-11T20:34:46.394Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-46704",
      "date": "2026-05-28",
      "epss": "0.00053",
      "percentile": "0.16917"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.10\", \"versionEndExcluding\": \"6.10.7\", \"matchCriteriaId\": \"E55C1263-DF43-41EF-8DA8-2BA68DF4FFFD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"8B3CE743-2126-47A3-8B7C-822B502CF119\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"4DEB27E7-30AA-45CC-8934-B89263EF3551\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*\", \"matchCriteriaId\": \"E0005AEF-856E-47EB-BFE4-90C46899394D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*\", \"matchCriteriaId\": \"39889A68-6D34-47A6-82FC-CD0BF23D6754\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nworkqueue: Fix spruious data race in __flush_work()\\n\\nWhen flushing a work item for cancellation, __flush_work() knows that it\\nexclusively owns the work item through its PENDING bit. 134874e2eee9\\n(\\\"workqueue: Allow cancel_work_sync() and disable_work() from atomic\\ncontexts on BH work items\\\") added a read of @work-\u003edata to determine whether\\nto use busy wait for BH work items that are being canceled. While the read\\nis safe when @from_cancel, @work-\u003edata was read before testing @from_cancel\\nto simplify code structure:\\n\\n\\tdata = *work_data_bits(work);\\n\\tif (from_cancel \u0026\u0026\\n\\t    !WARN_ON_ONCE(data \u0026 WORK_STRUCT_PWQ) \u0026\u0026 (data \u0026 WORK_OFFQ_BH)) {\\n\\nWhile the read data was never used if !@from_cancel, this could trigger\\nKCSAN data race detection spuriously:\\n\\n  ==================================================================\\n  BUG: KCSAN: data-race in __flush_work / __flush_work\\n\\n  write to 0xffff8881223aa3e8 of 8 bytes by task 3998 on cpu 0:\\n   instrument_write include/linux/instrumented.h:41 [inline]\\n   ___set_bit include/asm-generic/bitops/instrumented-non-atomic.h:28 [inline]\\n   insert_wq_barrier kernel/workqueue.c:3790 [inline]\\n   start_flush_work kernel/workqueue.c:4142 [inline]\\n   __flush_work+0x30b/0x570 kernel/workqueue.c:4178\\n   flush_work kernel/workqueue.c:4229 [inline]\\n   ...\\n\\n  read to 0xffff8881223aa3e8 of 8 bytes by task 50 on cpu 1:\\n   __flush_work+0x42a/0x570 kernel/workqueue.c:4188\\n   flush_work kernel/workqueue.c:4229 [inline]\\n   flush_delayed_work+0x66/0x70 kernel/workqueue.c:4251\\n   ...\\n\\n  value changed: 0x0000000000400000 -\u003e 0xffff88810006c00d\\n\\nReorganize the code so that @from_cancel is tested before @work-\u003edata is\\naccessed. The only problem is triggering KCSAN detection spuriously. This\\nshouldn\u0027t need READ_ONCE() or other access qualifiers.\\n\\nNo functional changes.\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: workqueue: Fix spruious data race in __flush_work() Al vaciar un elemento de trabajo para su cancelaci\\u00f3n, __flush_work() sabe que posee exclusivamente el elemento de trabajo a trav\\u00e9s de su bit PENDING. 134874e2eee9 (\\\"workqueue: Allow cancel_work_sync() and disable_work() from atomic contexts on BH work items\\\") agreg\\u00f3 una lectura de @work-\u0026gt;data para determinar si se debe usar la espera activa para los elementos de trabajo de BH que se est\\u00e1n cancelando. Si bien la lectura es segura cuando @from_cancel, @work-\u0026gt;data se ley\\u00f3 antes de probar @from_cancel para simplificar la estructura del c\\u00f3digo: data = *work_data_bits(work); if (from_cancel \u0026amp;\u0026amp; !WARN_ON_ONCE(data \u0026amp; WORK_STRUCT_PWQ) \u0026amp;\u0026amp; (data \u0026amp; WORK_OFFQ_BH)) { Si bien los datos le\\u00eddos nunca se usaron si !@from_cancel, esto podr\\u00eda activar la detecci\\u00f3n de ejecuci\\u00f3n de datos de KCSAN de manera espuria: ====================================================================== ERROR: KCSAN: carrera de datos en __flush_work / __flush_work escribe en 0xffff8881223aa3e8 de 8 bytes por la tarea 3998 en la CPU 0: instrument_write include/linux/instrumented.h:41 [en l\\u00ednea] ___set_bit include/asm-generic/bitops/instrumented-non-atomic.h:28 [en l\\u00ednea] insert_wq_barrier kernel/workqueue.c:3790 [en l\\u00ednea] start_flush_work kernel/workqueue.c:4142 [en l\\u00ednea] __flush_work+0x30b/0x570 kernel/workqueue.c:4178 flush_work kernel/workqueue.c:4229 [en l\\u00ednea] ... le\\u00eddo hasta 0xffff8881223aa3e8 de 8 bytes por la tarea 50 en la CPU 1: __flush_work+0x42a/0x570 kernel/workqueue.c:4188 flush_work kernel/workqueue.c:4229 [en l\\u00ednea] flush_delayed_work+0x66/0x70 kernel/workqueue.c:4251 ... valor cambiado: 0x0000000000400000 -\u0026gt; 0xffff88810006c00d Reorganice el c\\u00f3digo para que @from_cancel se pruebe antes de acceder a @work-\u0026gt;data. El \\u00fanico problema es que se activa la detecci\\u00f3n de KCSAN de manera espuria. Esto no deber\\u00eda necesitar READ_ONCE() ni otros calificadores de acceso. No hay cambios funcionales.\"}]",
      "id": "CVE-2024-46704",
      "lastModified": "2024-09-19T13:32:39.257",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 4.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 3.6}]}",
      "published": "2024-09-13T07:15:05.397",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/8bc35475ef1a23b0e224f3242eb11c76cab0ea88\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/91d09642127a32fde231face2ff489af70eef316\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-46704\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-09-13T07:15:05.397\",\"lastModified\":\"2024-09-19T13:32:39.257\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nworkqueue: Fix spruious data race in __flush_work()\\n\\nWhen flushing a work item for cancellation, __flush_work() knows that it\\nexclusively owns the work item through its PENDING bit. 134874e2eee9\\n(\\\"workqueue: Allow cancel_work_sync() and disable_work() from atomic\\ncontexts on BH work items\\\") added a read of @work-\u003edata to determine whether\\nto use busy wait for BH work items that are being canceled. While the read\\nis safe when @from_cancel, @work-\u003edata was read before testing @from_cancel\\nto simplify code structure:\\n\\n\\tdata = *work_data_bits(work);\\n\\tif (from_cancel \u0026\u0026\\n\\t    !WARN_ON_ONCE(data \u0026 WORK_STRUCT_PWQ) \u0026\u0026 (data \u0026 WORK_OFFQ_BH)) {\\n\\nWhile the read data was never used if !@from_cancel, this could trigger\\nKCSAN data race detection spuriously:\\n\\n  ==================================================================\\n  BUG: KCSAN: data-race in __flush_work / __flush_work\\n\\n  write to 0xffff8881223aa3e8 of 8 bytes by task 3998 on cpu 0:\\n   instrument_write include/linux/instrumented.h:41 [inline]\\n   ___set_bit include/asm-generic/bitops/instrumented-non-atomic.h:28 [inline]\\n   insert_wq_barrier kernel/workqueue.c:3790 [inline]\\n   start_flush_work kernel/workqueue.c:4142 [inline]\\n   __flush_work+0x30b/0x570 kernel/workqueue.c:4178\\n   flush_work kernel/workqueue.c:4229 [inline]\\n   ...\\n\\n  read to 0xffff8881223aa3e8 of 8 bytes by task 50 on cpu 1:\\n   __flush_work+0x42a/0x570 kernel/workqueue.c:4188\\n   flush_work kernel/workqueue.c:4229 [inline]\\n   flush_delayed_work+0x66/0x70 kernel/workqueue.c:4251\\n   ...\\n\\n  value changed: 0x0000000000400000 -\u003e 0xffff88810006c00d\\n\\nReorganize the code so that @from_cancel is tested before @work-\u003edata is\\naccessed. The only problem is triggering KCSAN detection spuriously. This\\nshouldn\u0027t need READ_ONCE() or other access qualifiers.\\n\\nNo functional changes.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: workqueue: Fix spruious data race in __flush_work() Al vaciar un elemento de trabajo para su cancelaci\u00f3n, __flush_work() sabe que posee exclusivamente el elemento de trabajo a trav\u00e9s de su bit PENDING. 134874e2eee9 (\\\"workqueue: Allow cancel_work_sync() and disable_work() from atomic contexts on BH work items\\\") agreg\u00f3 una lectura de @work-\u0026gt;data para determinar si se debe usar la espera activa para los elementos de trabajo de BH que se est\u00e1n cancelando. Si bien la lectura es segura cuando @from_cancel, @work-\u0026gt;data se ley\u00f3 antes de probar @from_cancel para simplificar la estructura del c\u00f3digo: data = *work_data_bits(work); if (from_cancel \u0026amp;\u0026amp; !WARN_ON_ONCE(data \u0026amp; WORK_STRUCT_PWQ) \u0026amp;\u0026amp; (data \u0026amp; WORK_OFFQ_BH)) { Si bien los datos le\u00eddos nunca se usaron si !@from_cancel, esto podr\u00eda activar la detecci\u00f3n de ejecuci\u00f3n de datos de KCSAN de manera espuria: ====================================================================== ERROR: KCSAN: carrera de datos en __flush_work / __flush_work escribe en 0xffff8881223aa3e8 de 8 bytes por la tarea 3998 en la CPU 0: instrument_write include/linux/instrumented.h:41 [en l\u00ednea] ___set_bit include/asm-generic/bitops/instrumented-non-atomic.h:28 [en l\u00ednea] insert_wq_barrier kernel/workqueue.c:3790 [en l\u00ednea] start_flush_work kernel/workqueue.c:4142 [en l\u00ednea] __flush_work+0x30b/0x570 kernel/workqueue.c:4178 flush_work kernel/workqueue.c:4229 [en l\u00ednea] ... le\u00eddo hasta 0xffff8881223aa3e8 de 8 bytes por la tarea 50 en la CPU 1: __flush_work+0x42a/0x570 kernel/workqueue.c:4188 flush_work kernel/workqueue.c:4229 [en l\u00ednea] flush_delayed_work+0x66/0x70 kernel/workqueue.c:4251 ... valor cambiado: 0x0000000000400000 -\u0026gt; 0xffff88810006c00d Reorganice el c\u00f3digo para que @from_cancel se pruebe antes de acceder a @work-\u0026gt;data. El \u00fanico problema es que se activa la detecci\u00f3n de KCSAN de manera espuria. Esto no deber\u00eda necesitar READ_ONCE() ni otros calificadores de acceso. No hay cambios funcionales.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.10\",\"versionEndExcluding\":\"6.10.7\",\"matchCriteriaId\":\"E55C1263-DF43-41EF-8DA8-2BA68DF4FFFD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B3CE743-2126-47A3-8B7C-822B502CF119\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DEB27E7-30AA-45CC-8934-B89263EF3551\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0005AEF-856E-47EB-BFE4-90C46899394D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"39889A68-6D34-47A6-82FC-CD0BF23D6754\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/8bc35475ef1a23b0e224f3242eb11c76cab0ea88\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/91d09642127a32fde231face2ff489af70eef316\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-46704\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-29T15:03:23.715213Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-29T15:03:27.853Z\"}}], \"cna\": {\"title\": \"workqueue: Fix spruious data race in __flush_work()\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"134874e2eee9\", \"lessThan\": \"91d09642127a\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"134874e2eee9\", \"lessThan\": \"8bc35475ef1a\", \"versionType\": \"git\"}], \"programFiles\": [\"kernel/workqueue.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.10\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.10\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.10.7\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.10.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"kernel/workqueue.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/91d09642127a32fde231face2ff489af70eef316\"}, {\"url\": \"https://git.kernel.org/stable/c/8bc35475ef1a23b0e224f3242eb11c76cab0ea88\"}], \"x_generator\": {\"engine\": \"bippy-9e1c9544281a\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nworkqueue: Fix spruious data race in __flush_work()\\n\\nWhen flushing a work item for cancellation, __flush_work() knows that it\\nexclusively owns the work item through its PENDING bit. 134874e2eee9\\n(\\\"workqueue: Allow cancel_work_sync() and disable_work() from atomic\\ncontexts on BH work items\\\") added a read of @work-\u003edata to determine whether\\nto use busy wait for BH work items that are being canceled. While the read\\nis safe when @from_cancel, @work-\u003edata was read before testing @from_cancel\\nto simplify code structure:\\n\\n\\tdata = *work_data_bits(work);\\n\\tif (from_cancel \u0026\u0026\\n\\t    !WARN_ON_ONCE(data \u0026 WORK_STRUCT_PWQ) \u0026\u0026 (data \u0026 WORK_OFFQ_BH)) {\\n\\nWhile the read data was never used if !@from_cancel, this could trigger\\nKCSAN data race detection spuriously:\\n\\n  ==================================================================\\n  BUG: KCSAN: data-race in __flush_work / __flush_work\\n\\n  write to 0xffff8881223aa3e8 of 8 bytes by task 3998 on cpu 0:\\n   instrument_write include/linux/instrumented.h:41 [inline]\\n   ___set_bit include/asm-generic/bitops/instrumented-non-atomic.h:28 [inline]\\n   insert_wq_barrier kernel/workqueue.c:3790 [inline]\\n   start_flush_work kernel/workqueue.c:4142 [inline]\\n   __flush_work+0x30b/0x570 kernel/workqueue.c:4178\\n   flush_work kernel/workqueue.c:4229 [inline]\\n   ...\\n\\n  read to 0xffff8881223aa3e8 of 8 bytes by task 50 on cpu 1:\\n   __flush_work+0x42a/0x570 kernel/workqueue.c:4188\\n   flush_work kernel/workqueue.c:4229 [inline]\\n   flush_delayed_work+0x66/0x70 kernel/workqueue.c:4251\\n   ...\\n\\n  value changed: 0x0000000000400000 -\u003e 0xffff88810006c00d\\n\\nReorganize the code so that @from_cancel is tested before @work-\u003edata is\\naccessed. The only problem is triggering KCSAN detection spuriously. This\\nshouldn\u0027t need READ_ONCE() or other access qualifiers.\\n\\nNo functional changes.\"}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2024-11-05T09:44:59.459Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-46704\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-05T09:44:59.459Z\", \"dateReserved\": \"2024-09-11T15:12:18.251Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-09-13T06:27:31.822Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.