{"vulnerability": "CVE-2024-46797", "sightings": [{"uuid": "ab64f09b-267b-48ef-a0e8-24ad40de55f6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-46797", "type": "seen", "source": "https://t.me/cvedetector/5931", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2024-46797 - IBM Powerpc qspinlock Deadlock\", \n \"Content\": \"CVE ID : CVE-2024-46797 \nPublished : Sept. 18, 2024, 8:15 a.m. | 35\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved: \n \npowerpc/qspinlock: Fix deadlock in MCS queue \n \nIf an interrupt occurs in queued_spin_lock_slowpath() after we increment \nqnodesp->count and before node->lock is initialized, another CPU might \nsee stale lock values in get_tail_qnode(). If the stale lock value happens \nto match the lock on that CPU, then we write to the \"next\" pointer of \nthe wrong qnode. This causes a deadlock as the former CPU, once it becomes \nthe head of the MCS queue, will spin indefinitely until it's \"next\" pointer \nis set by its successor in the queue. \n \nRunning stress-ng on a 16 core (16EC/16VP) shared LPAR, results in \noccasional lockups similar to the following: \n \n $ stress-ng --all 128 --vm-bytes 80% --aggressive \\ \n --maximize --oomable --verify --syslog \\ \n --metrics --times --timeout 5m \n \n watchdog: CPU 15 Hard LOCKUP \n ...... \n NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490 \n LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 \n Call Trace: \n 0xc000002cfffa3bf0 (unreliable) \n _raw_spin_lock+0x6c/0x90 \n raw_spin_rq_lock_nested.part.135+0x4c/0xd0 \n sched_ttwu_pending+0x60/0x1f0 \n __flush_smp_call_function_queue+0x1dc/0x670 \n smp_ipi_demux_relaxed+0xa4/0x100 \n xive_muxed_ipi_action+0x20/0x40 \n __handle_irq_event_percpu+0x80/0x240 \n handle_irq_event_percpu+0x2c/0x80 \n handle_percpu_irq+0x84/0xd0 \n generic_handle_irq+0x54/0x80 \n __do_irq+0xac/0x210 \n __do_IRQ+0x74/0xd0 \n 0x0 \n do_IRQ+0x8c/0x170 \n hardware_interrupt_common_virt+0x29c/0x2a0 \n --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490 \n ...... \n NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490 \n LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 \n --- interrupt: 500 \n 0xc0000029c1a41d00 (unreliable) \n _raw_spin_lock+0x6c/0x90 \n futex_wake+0x100/0x260 \n do_futex+0x21c/0x2a0 \n sys_futex+0x98/0x270 \n system_call_exception+0x14c/0x2f0 \n system_call_vectored_common+0x15c/0x2ec \n \nThe following code flow illustrates how the deadlock occurs. \nFor the sake of brevity, assume that both locks (A and B) are \ncontended and we call the queued_spin_lock_slowpath() function. \n \n CPU0 CPU1 \n ---- ---- \n spin_lock_irqsave(A) | \n spin_unlock_irqrestore(A) | \n spin_lock(B) | \n | | \n \u25bc | \n id = qnodesp->count++; | \n (Note that nodes[0].lock == A) | \n | | \n \u25bc | \n Interrupt | \n (happens before \"nodes[0].lock = B\") | \n | | \n \u25bc | \n spin_lock_irqsave(A) | \n | | \n \u25bc | \n id = qnodesp->count++ | \n nodes[1].lock = A | \n | | \n \u25bc | \n Tail of MCS queue | \n | spin_lock_irqsave(A) \n \u25bc | \n Head of MCS queue \u25bc \n | CPU0 is previous tail \n \u25bc | \n Spin indefinitely \u25bc \n ([...]", "creation_timestamp": "2024-09-18T10:52:30.000000Z"}]}