{"id":"CVE-2024-53687","summary":"riscv: Fix IPIs usage in kfence_protect_page()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix IPIs usage in kfence_protect_page()\n\nflush_tlb_kernel_range() may use IPIs to flush the TLBs of all the\ncores, which triggers the following warning when the irqs are disabled:\n\n[    3.455330] WARNING: CPU: 1 PID: 0 at kernel/smp.c:815 smp_call_function_many_cond+0x452/0x520\n[    3.456647] Modules linked in:\n[    3.457218] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.12.0-rc7-00010-g91d3de7240b8 #1\n[    3.457416] Hardware name: QEMU QEMU Virtual Machine, BIOS\n[    3.457633] epc : smp_call_function_many_cond+0x452/0x520\n[    3.457736]  ra : on_each_cpu_cond_mask+0x1e/0x30\n[    3.457786] epc : ffffffff800b669a ra : ffffffff800b67c2 sp : ff2000000000bb50\n[    3.457824]  gp : ffffffff815212b8 tp : ff6000008014f080 t0 : 000000000000003f\n[    3.457859]  t1 : ffffffff815221e0 t2 : 000000000000000f s0 : ff2000000000bc10\n[    3.457920]  s1 : 0000000000000040 a0 : ffffffff815221e0 a1 : 0000000000000001\n[    3.457953]  a2 : 0000000000010000 a3 : 0000000000000003 a4 : 0000000000000000\n[    3.458006]  a5 : 0000000000000000 a6 : ffffffffffffffff a7 : 0000000000000000\n[    3.458042]  s2 : ffffffff815223be s3 : 00fffffffffff000 s4 : ff600001ffe38fc0\n[    3.458076]  s5 : ff600001ff950d00 s6 : 0000000200000120 s7 : 0000000000000001\n[    3.458109]  s8 : 0000000000000001 s9 : ff60000080841ef0 s10: 0000000000000001\n[    3.458141]  s11: ffffffff81524812 t3 : 0000000000000001 t4 : ff60000080092bc0\n[    3.458172]  t5 : 0000000000000000 t6 : ff200000000236d0\n[    3.458203] status: 0000000200000100 badaddr: ffffffff800b669a cause: 0000000000000003\n[    3.458373] [\u003cffffffff800b669a\u003e] smp_call_function_many_cond+0x452/0x520\n[    3.458593] [\u003cffffffff800b67c2\u003e] on_each_cpu_cond_mask+0x1e/0x30\n[    3.458625] [\u003cffffffff8000e4ca\u003e] __flush_tlb_range+0x118/0x1ca\n[    3.458656] [\u003cffffffff8000e6b2\u003e] flush_tlb_kernel_range+0x1e/0x26\n[    3.458683] [\u003cffffffff801ea56a\u003e] kfence_protect+0xc0/0xce\n[    3.458717] [\u003cffffffff801e9456\u003e] kfence_guarded_free+0xc6/0x1c0\n[    3.458742] [\u003cffffffff801e9d6c\u003e] __kfence_free+0x62/0xc6\n[    3.458764] [\u003cffffffff801c57d8\u003e] kfree+0x106/0x32c\n[    3.458786] [\u003cffffffff80588cf2\u003e] detach_buf_split+0x188/0x1a8\n[    3.458816] [\u003cffffffff8058708c\u003e] virtqueue_get_buf_ctx+0xb6/0x1f6\n[    3.458839] [\u003cffffffff805871da\u003e] virtqueue_get_buf+0xe/0x16\n[    3.458880] [\u003cffffffff80613d6a\u003e] virtblk_done+0x5c/0xe2\n[    3.458908] [\u003cffffffff8058766e\u003e] vring_interrupt+0x6a/0x74\n[    3.458930] [\u003cffffffff800747d8\u003e] __handle_irq_event_percpu+0x7c/0xe2\n[    3.458956] [\u003cffffffff800748f0\u003e] handle_irq_event+0x3c/0x86\n[    3.458978] [\u003cffffffff800786cc\u003e] handle_simple_irq+0x9e/0xbe\n[    3.459004] [\u003cffffffff80073934\u003e] generic_handle_domain_irq+0x1c/0x2a\n[    3.459027] [\u003cffffffff804bf87c\u003e] imsic_handle_irq+0xba/0x120\n[    3.459056] [\u003cffffffff80073934\u003e] generic_handle_domain_irq+0x1c/0x2a\n[    3.459080] [\u003cffffffff804bdb76\u003e] riscv_intc_aia_irq+0x24/0x34\n[    3.459103] [\u003cffffffff809d0452\u003e] handle_riscv_irq+0x2e/0x4c\n[    3.459133] [\u003cffffffff809d923e\u003e] call_on_irq_stack+0x32/0x40\n\nSo only flush the local TLB and let the lazy kfence page fault handling\ndeal with the faults which could happen when a core has an old protected\npte version cached in its TLB. That leads to potential inaccuracies which\ncan be tolerated when using kfence.","aliases":["ECHO-8148-bb51-cd52"],"modified":"2026-04-21T02:27:15.039818228Z","published":"2025-01-11T12:29:50.589Z","related":["USN-7379-2","USN-7380-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53687.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3abfc4130c4222099c69d023fed97f1180a8ad7b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6f796a6a396d6f963f2cc8f5edd7dfba2cca097f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b3431a8bb336cece8adc452437befa7d4534b2fd"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53687.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53687"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"47513f243b452a5e21180dcf3d6ac1c57e1781a6"},{"fixed":"6f796a6a396d6f963f2cc8f5edd7dfba2cca097f"},{"fixed":"3abfc4130c4222099c69d023fed97f1180a8ad7b"},{"fixed":"b3431a8bb336cece8adc452437befa7d4534b2fd"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53687.json"}}],"schema_version":"1.7.5"}