ghsa-hw85-hfvh-5cgr
Vulnerability from github
Published
2024-05-19 12:30
Modified
2024-05-19 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()

For the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and CONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE() in the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:

    CPU2                                               CPU11

kthread rcu_nocb_cb_kthread ksys_write rcu_do_batch vfs_write rcu_torture_timer_cb proc_sys_write kmem_cache_free proc_sys_call_handler kmemleak_free drop_caches_sysctl_handler delete_object_full drop_slab __delete_object shrink_slab put_object lazy_rcu_shrink_scan call_rcu rcu_nocb_flush_bypass __call_rcu_commn rcu_nocb_bypass_lock raw_spin_trylock(&rdp->nocb_bypass_lock) fail atomic_inc(&rdp->nocb_lock_contended); rcu_nocb_wait_contended WARN_ON_ONCE(smp_processor_id() != rdp->cpu); WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended)) | | _ _ _ _ _ _ _ _ _same rdp and rdp->cpu != 11 _ _ _ _ _ _ _ _ |

Reproduce this bug with "echo 3 > /proc/sys/vm/drop_caches".

This commit therefore uses rcu_nocb_try_flush_bypass() instead of rcu_nocb_flush_bypass() in lazy_rcu_shrink_scan(). If the nocb_bypass queue is being flushed, then rcu_nocb_try_flush_bypass will return directly.

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2024-35929"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-19T11:15:48Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()\n\nFor the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and\nCONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()\nin the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:\n\n        CPU2                                               CPU11\nkthread\nrcu_nocb_cb_kthread                                       ksys_write\nrcu_do_batch                                              vfs_write\nrcu_torture_timer_cb                                      proc_sys_write\n__kmem_cache_free                                         proc_sys_call_handler\nkmemleak_free                                             drop_caches_sysctl_handler\ndelete_object_full                                        drop_slab\n__delete_object                                           shrink_slab\nput_object                                                lazy_rcu_shrink_scan\ncall_rcu                                                  rcu_nocb_flush_bypass\n__call_rcu_commn                                            rcu_nocb_bypass_lock\n                                                            raw_spin_trylock(\u0026rdp-\u003enocb_bypass_lock) fail\n                                                            atomic_inc(\u0026rdp-\u003enocb_lock_contended);\nrcu_nocb_wait_contended                                     WARN_ON_ONCE(smp_processor_id() != rdp-\u003ecpu);\n WARN_ON_ONCE(atomic_read(\u0026rdp-\u003enocb_lock_contended))                                          |\n                            |_ _ _ _ _ _ _ _ _ _same rdp and rdp-\u003ecpu != 11_ _ _ _ _ _ _ _ _ __|\n\nReproduce this bug with \"echo 3 \u003e /proc/sys/vm/drop_caches\".\n\nThis commit therefore uses rcu_nocb_try_flush_bypass() instead of\nrcu_nocb_flush_bypass() in lazy_rcu_shrink_scan().  If the nocb_bypass\nqueue is being flushed, then rcu_nocb_try_flush_bypass will return\ndirectly.",
  "id": "GHSA-hw85-hfvh-5cgr",
  "modified": "2024-05-19T12:30:38Z",
  "published": "2024-05-19T12:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35929"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4d58c9fb45c70e62c19e8be3f3605889c47601bc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/927d1f4f77e4784ab3944a9df86ab14d1cd3185a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dda98810b552fc6bf650f4270edeebdc2f28bd3f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.