ghsa-hw85-hfvh-5cgr
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()
For the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and CONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE() in the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:
CPU2 CPU11
kthread rcu_nocb_cb_kthread ksys_write rcu_do_batch vfs_write rcu_torture_timer_cb proc_sys_write kmem_cache_free proc_sys_call_handler kmemleak_free drop_caches_sysctl_handler delete_object_full drop_slab __delete_object shrink_slab put_object lazy_rcu_shrink_scan call_rcu rcu_nocb_flush_bypass __call_rcu_commn rcu_nocb_bypass_lock raw_spin_trylock(&rdp->nocb_bypass_lock) fail atomic_inc(&rdp->nocb_lock_contended); rcu_nocb_wait_contended WARN_ON_ONCE(smp_processor_id() != rdp->cpu); WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended)) | | _ _ _ _ _ _ _ _ _same rdp and rdp->cpu != 11 _ _ _ _ _ _ _ _ |
Reproduce this bug with "echo 3 > /proc/sys/vm/drop_caches".
This commit therefore uses rcu_nocb_try_flush_bypass() instead of rcu_nocb_flush_bypass() in lazy_rcu_shrink_scan(). If the nocb_bypass queue is being flushed, then rcu_nocb_try_flush_bypass will return directly.
{ "affected": [], "aliases": [ "CVE-2024-35929" ], "database_specific": { "cwe_ids": [], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-05-19T11:15:48Z", "severity": null }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()\n\nFor the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and\nCONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()\nin the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:\n\n CPU2 CPU11\nkthread\nrcu_nocb_cb_kthread ksys_write\nrcu_do_batch vfs_write\nrcu_torture_timer_cb proc_sys_write\n__kmem_cache_free proc_sys_call_handler\nkmemleak_free drop_caches_sysctl_handler\ndelete_object_full drop_slab\n__delete_object shrink_slab\nput_object lazy_rcu_shrink_scan\ncall_rcu rcu_nocb_flush_bypass\n__call_rcu_commn rcu_nocb_bypass_lock\n raw_spin_trylock(\u0026rdp-\u003enocb_bypass_lock) fail\n atomic_inc(\u0026rdp-\u003enocb_lock_contended);\nrcu_nocb_wait_contended WARN_ON_ONCE(smp_processor_id() != rdp-\u003ecpu);\n WARN_ON_ONCE(atomic_read(\u0026rdp-\u003enocb_lock_contended)) |\n |_ _ _ _ _ _ _ _ _ _same rdp and rdp-\u003ecpu != 11_ _ _ _ _ _ _ _ _ __|\n\nReproduce this bug with \"echo 3 \u003e /proc/sys/vm/drop_caches\".\n\nThis commit therefore uses rcu_nocb_try_flush_bypass() instead of\nrcu_nocb_flush_bypass() in lazy_rcu_shrink_scan(). If the nocb_bypass\nqueue is being flushed, then rcu_nocb_try_flush_bypass will return\ndirectly.", "id": "GHSA-hw85-hfvh-5cgr", "modified": "2024-05-19T12:30:38Z", "published": "2024-05-19T12:30:38Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35929" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/4d58c9fb45c70e62c19e8be3f3605889c47601bc" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/927d1f4f77e4784ab3944a9df86ab14d1cd3185a" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/dda98810b552fc6bf650f4270edeebdc2f28bd3f" } ], "schema_version": "1.4.0", "severity": [] }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.