CVE-2024-46704: 
Linux Kernel vulnerability analysis and mitigation

A data race vulnerability was discovered in the Linux kernel's workqueue subsystem, specifically in the _flushwork() function (CVE-2024-46704). The issue was identified when flushing a work item for cancellation, where the work->data was being read before testing from_cancel, potentially triggering KCSAN data race detection spuriously. This vulnerability affects Linux kernel versions from 6.10 up to (excluding) 6.10.7, and various release candidates of version 6.11 (NVD).

The vulnerability stems from a logic issue in the workqueue subsystem where _flushwork() function reads work->data before testing fromcancel parameter. While the read is safe when fromcancel is true, the premature access could trigger KCSAN (Kernel Concurrency Sanitizer) data race detection. The issue has a CVSS v3.1 base score of 4.7 (Medium) with vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access required with high attack complexity (NVD).

The vulnerability primarily affects system stability and could potentially lead to spurious data race detections in the kernel's workqueue subsystem. While the actual impact is limited as the read data was never used when from_cancel was false, it could affect system reliability through false positive race condition reports (Kernel Patch).

The issue has been fixed by reorganizing the code so that fromcancel is tested before work->data is accessed. The fix involves a simple code restructuring without requiring READONCE() or other access qualifiers. Users should upgrade to Linux kernel version 6.10.7 or later to receive the fix (Kernel Patch).