Linux Kernel RCU defer_qs_iw_pending Data Race Vulnerability

Vulnerability

A data race has been identified in the Linux kernel's RCU (Read-Copy-Update) implementation, in kernels built with CONFIG_IRQ_WORK enabled. When rcu_read_unlock() is called inside a region of code that runs with interrupts disabled, it invokes rcu_read_unlock_special(). Because the RCU read-side critical section cannot actually end until interrupts are re-enabled, rcu_read_unlock_special() queues an irq-work handler so that the system notices the end of the critical section once interrupts are back on. In some kernels, such as those booted with rcutree.use_softirq set, the irq-work handler is used unconditionally. The irq-work handler, rcu_preempt_deferred_qs_handler, writes the defer_qs_iw_pending field of the per-CPU rcu_data structure, and rcu_read_unlock_special() both reads and writes the same field; the two accesses are plain loads and stores with no synchronization between them, which is what makes this a data race. It was observed as a KCSAN (Kernel Concurrency Sanitizer) report naming rcu_preempt_deferred_qs_handler and rcu_read_unlock_special.
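
The following userspace C program is an added example, not kernel code from the page or from the RCU maintainers. It models the two accessors described above: a stand-in for rcu_read_unlock_special() that checks the pending flag and queues an irq-work item, and a stand-in for rcu_preempt_deferred_qs_handler() that retires the item and clears the flag. The racy variant keeps the check-then-set on a plain bool; the hardened variant uses an atomic exchange so the check and the set are one step, which is the general form of the fix for this pattern and is not a claim about the exact accessor the kernel patch chose. The struct, thread layout, iteration counts and the "at most one item outstanding" invariant are all constructed for the model; the model runs several caller threads so the lost update is observable, whereas in the kernel the two paths run on the same CPU and the defect KCSAN flagged is the unsynchronized plain access itself.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed, simplified stand-in for the rcu_data fields involved (assumption:
 * not the kernel's struct). pending_plain reproduces the unfixed pattern,
 * pending_atomic is the hardened flag. */
struct rcu_data_model {
    bool pending_plain;           /* racy: plain bool, unsynchronized access */
    atomic_bool pending_atomic;   /* hardened: single-step test-and-set */
    atomic_int work_outstanding;  /* irq-work items queued but not yet handled */
    atomic_int max_outstanding;   /* high-water mark of work_outstanding */
    atomic_long queued, handled;  /* totals for the invariant check */
    atomic_bool producers_done;
    bool hardened;
};

/* Model of irq_work_queue_on(): count the item and record the high-water mark.
 * A correct caller never has more than one item outstanding at once. */
static void queue_irq_work(struct rcu_data_model *rdp)
{
    int now = atomic_fetch_add(&rdp->work_outstanding, 1) + 1;
    int hw = atomic_load(&rdp->max_outstanding);
    while (now > hw &&
           !atomic_compare_exchange_weak(&rdp->max_outstanding, &hw, now))
        ;
    atomic_fetch_add(&rdp->queued, 1);
}

/* Unfixed pattern: check-then-set on a plain field. Two callers can both
 * observe "not pending" and both queue an item. */
static void unlock_special_racy(struct rcu_data_model *rdp)
{
    if (!rdp->pending_plain) {
        rdp->pending_plain = true;
        queue_irq_work(rdp);
    }
}

/* Hardened pattern: the atomic exchange makes check-and-set indivisible. */
static void unlock_special_hardened(struct rcu_data_model *rdp)
{
    if (!atomic_exchange(&rdp->pending_atomic, true))
        queue_irq_work(rdp);
}

/* Model of the irq-work handler: retire the item first, then clear the flag so
 * the next unlock may queue again. Retiring first keeps the invariant exact. */
static void deferred_qs_handler(struct rcu_data_model *rdp)
{
    atomic_fetch_sub(&rdp->work_outstanding, 1);
    atomic_fetch_add(&rdp->handled, 1);
    if (rdp->hardened)
        atomic_store(&rdp->pending_atomic, false);
    else
        rdp->pending_plain = false;
}

static void *producer(void *arg)
{
    struct rcu_data_model *rdp = arg;
    for (int i = 0; i < 10000; i++) {
        if (rdp->hardened)
            unlock_special_hardened(rdp);
        else
            unlock_special_racy(rdp);
    }
    return NULL;
}

/* The "CPU" that runs queued irq-work: drain until callers are done. */
static void *irq_work_thread(void *arg)
{
    struct rcu_data_model *rdp = arg;
    for (;;) {
        if (atomic_load(&rdp->work_outstanding) > 0) {
            deferred_qs_handler(rdp);
            continue;
        }
        if (atomic_load(&rdp->producers_done) &&
            atomic_load(&rdp->work_outstanding) == 0)
            return NULL;
    }
}

struct model_result { int max_outstanding; long queued, handled; };

/* Run nthreads (max 16) unlock callers against one handler; report invariants. */
static struct model_result run_model(bool hardened, int nthreads)
{
    struct rcu_data_model rdp = { .hardened = hardened };
    pthread_t handler, th[16];
    if (nthreads > 16) nthreads = 16;
    if (pthread_create(&handler, NULL, irq_work_thread, &rdp)) abort();
    for (int i = 0; i < nthreads; i++)
        if (pthread_create(&th[i], NULL, producer, &rdp)) abort();
    for (int i = 0; i < nthreads; i++)
        pthread_join(th[i], NULL);
    atomic_store(&rdp.producers_done, true);
    pthread_join(handler, NULL);
    return (struct model_result){ atomic_load(&rdp.max_outstanding),
                                  atomic_load(&rdp.queued),
                                  atomic_load(&rdp.handled) };
}

int main(void)
{
    struct model_result r = run_model(false, 4);
    printf("racy:     max outstanding %d (queued %ld, handled %ld)\n",
           r.max_outstanding, r.queued, r.handled);
    r = run_model(true, 4);
    printf("hardened: max outstanding %d (queued %ld, handled %ld)\n",
           r.max_outstanding, r.queued, r.handled);
    return 0;
}
```

The racy run is timing dependent: on a multi-core machine it usually reports more than one item outstanding, and the plain-field accesses are exactly what a sanitizer such as KCSAN (or ThreadSanitizer for this userspace model) flags. The hardened run always reports a high-water mark of one and equal queued and handled counts, because the exchange closes the window between the check and the set.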

Impact

The race is on a per-CPU RCU bookkeeping flag: the irq-work handler's write to defer_qs_iw_pending and rcu_read_unlock_special()'s read and write of the same field can interleave without synchronization, which is undefined behaviour under the kernel's memory model and can leave the kernel with an unreliable record of whether the deferred quiescent-state irq work is pending. The condition is reached by kernel code calling rcu_read_unlock() with interrupts disabled, not by user-supplied input, and no memory corruption or privilege escalation is described.

Reproduction

Reproducing the condition requires a kernel built with CONFIG_IRQ_WORK=y and booted with rcutree.use_softirq set (visible in /proc/cmdline), together with kernel code that calls rcu_read_unlock() while interrupts are disabled, so that rcu_read_unlock_special() runs and its access to defer_qs_iw_pending races with rcu_preempt_deferred_qs_handler. The race is timing dependent and silent unless the kernel is also built with CONFIG_KCSAN=y, in which case it surfaces as a KCSAN data-race report naming those two functions.

Remediation

The fix has been merged into the Linux kernel. Users should upgrade to a kernel release that includes it. To gauge exposure in the meantime, check whether the running kernel has CONFIG_IRQ_WORK=y (for example in /boot/config-$(uname -r)) and whether rcutree.use_softirq appears in /proc/cmdline, since that setting makes the irq-work path unconditional and therefore the race easiest to hit.

Added: Sep 11, 2025, 6:32 PM
Updated: Sep 11, 2025, 6:32 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          0.6
exploitability  5.7
remediation     7.7
relevance       0.5
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.