fkie_cve-2024-56547
Vulnerability from fkie_nvd
Published
2024-12-27 14:15
Modified
2024-12-27 14:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: rcu/nocb: Fix missed RCU barrier on deoffloading Currently, running rcutorture test with torture_type=rcu fwd_progress=8 n_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60 test_boost=2, will trigger the following warning: WARNING: CPU: 19 PID: 100 at kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0 RIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0 Call Trace: <TASK> ? __warn+0x7e/0x120 ? rcu_nocb_rdp_deoffload+0x292/0x2a0 ? report_bug+0x18e/0x1a0 ? handle_bug+0x3d/0x70 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? rcu_nocb_rdp_deoffload+0x292/0x2a0 rcu_nocb_cpu_deoffload+0x70/0xa0 rcu_nocb_toggle+0x136/0x1c0 ? __pfx_rcu_nocb_toggle+0x10/0x10 kthread+0xd1/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> CPU0 CPU2 CPU3 //rcu_nocb_toggle //nocb_cb_wait //rcutorture // deoffload CPU1 // process CPU1's rdp rcu_barrier() rcu_segcblist_entrain() rcu_segcblist_add_len(1); // len == 2 // enqueue barrier // callback to CPU1's // rdp->cblist rcu_do_batch() // invoke CPU1's rdp->cblist // callback rcu_barrier_callback() rcu_barrier() mutex_lock(&rcu_state.barrier_mutex); // still see len == 2 // enqueue barrier callback // to CPU1's rdp->cblist rcu_segcblist_entrain() rcu_segcblist_add_len(1); // len == 3 // decrement len rcu_segcblist_add_len(-2); kthread_parkme() // CPU1's rdp->cblist len == 1 // Warn because there is // still a pending barrier // trigger warning WARN_ON_ONCE(rcu_segcblist_n_cbs(&rdp->cblist)); cpus_read_unlock(); // wait CPU1 to comes online and // invoke barrier callback on // CPU1 rdp's->cblist wait_for_completion(&rcu_state.barrier_completion); // deoffload CPU4 cpus_read_lock() rcu_barrier() mutex_lock(&rcu_state.barrier_mutex); // block on barrier_mutex // wait rcu_barrier() on // CPU3 to unlock barrier_mutex // but CPU3 unlock barrier_mutex // need to wait CPU1 comes online // when CPU1 going online will block on cpus_write_lock The above scenario will not only trigger a WARN_ON_ONCE(), but also trigger a deadlock. Thanks to nocb locking, a second racing rcu_barrier() on an offline CPU will either observe the decremented callback counter down to 0 and spare the callback enqueue, or rcuo will observe the new callback and keep rdp->nocb_cb_sleep to false. Therefore check rdp->nocb_cb_sleep before parking to make sure no further rcu_barrier() is waiting on the rdp.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/224b62028959858294789772d372dcb36cf5f820
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2996980e20b7a54a1869df15b3445374b850b155
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix missed RCU barrier on deoffloading\n\nCurrently, running rcutorture test with torture_type=rcu fwd_progress=8\nn_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60\ntest_boost=2, will trigger the following warning:\n\n\tWARNING: CPU: 19 PID: 100 at kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0\n\tRIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t Call Trace:\n\t  \u003cTASK\u003e\n\t  ? __warn+0x7e/0x120\n\t  ? rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t  ? report_bug+0x18e/0x1a0\n\t  ? handle_bug+0x3d/0x70\n\t  ? exc_invalid_op+0x18/0x70\n\t  ? asm_exc_invalid_op+0x1a/0x20\n\t  ? rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t  rcu_nocb_cpu_deoffload+0x70/0xa0\n\t  rcu_nocb_toggle+0x136/0x1c0\n\t  ? __pfx_rcu_nocb_toggle+0x10/0x10\n\t  kthread+0xd1/0x100\n\t  ? __pfx_kthread+0x10/0x10\n\t  ret_from_fork+0x2f/0x50\n\t  ? __pfx_kthread+0x10/0x10\n\t  ret_from_fork_asm+0x1a/0x30\n\t  \u003c/TASK\u003e\n\nCPU0                               CPU2                          CPU3\n//rcu_nocb_toggle             //nocb_cb_wait                   //rcutorture\n\n// deoffload CPU1             // process CPU1\u0027s rdp\nrcu_barrier()\n    rcu_segcblist_entrain()\n        rcu_segcblist_add_len(1);\n        // len == 2\n        // enqueue barrier\n        // callback to CPU1\u0027s\n        // rdp-\u003ecblist\n                             rcu_do_batch()\n                                 // invoke CPU1\u0027s rdp-\u003ecblist\n                                 // callback\n                                 rcu_barrier_callback()\n                                                             rcu_barrier()\n                                                               mutex_lock(\u0026rcu_state.barrier_mutex);\n                                                               // still see len == 2\n                                                               // enqueue barrier callback\n                                                               // to CPU1\u0027s rdp-\u003ecblist\n                                                               rcu_segcblist_entrain()\n                                                                   rcu_segcblist_add_len(1);\n                                                                   // len == 3\n                                 // decrement len\n                                 rcu_segcblist_add_len(-2);\n                             kthread_parkme()\n\n// CPU1\u0027s rdp-\u003ecblist len == 1\n// Warn because there is\n// still a pending barrier\n// trigger warning\nWARN_ON_ONCE(rcu_segcblist_n_cbs(\u0026rdp-\u003ecblist));\ncpus_read_unlock();\n\n                                                                // wait CPU1 to comes online and\n                                                                // invoke barrier callback on\n                                                                // CPU1 rdp\u0027s-\u003ecblist\n                                                                wait_for_completion(\u0026rcu_state.barrier_completion);\n// deoffload CPU4\ncpus_read_lock()\n  rcu_barrier()\n    mutex_lock(\u0026rcu_state.barrier_mutex);\n    // block on barrier_mutex\n    // wait rcu_barrier() on\n    // CPU3 to unlock barrier_mutex\n    // but CPU3 unlock barrier_mutex\n    // need to wait CPU1 comes online\n    // when CPU1 going online will block on cpus_write_lock\n\nThe above scenario will not only trigger a WARN_ON_ONCE(), but also\ntrigger a deadlock.\n\nThanks to nocb locking, a second racing rcu_barrier() on an offline CPU\nwill either observe the decremented callback counter down to 0 and spare\nthe callback enqueue, or rcuo will observe the new callback and keep\nrdp-\u003enocb_cb_sleep to false.\n\nTherefore check rdp-\u003enocb_cb_sleep before parking to make sure no\nfurther rcu_barrier() is waiting on the rdp."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rcu/nocb: Corregir la barrera RCU omitida al descargar Actualmente, ejecutar la prueba rcutorture con torture_type=rcu fwd_progress=8 n_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60 test_boost=2, activar\u00e1 la siguiente advertencia: ADVERTENCIA: CPU: 19 PID: 100 en kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0 RIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0 Rastreo de llamadas:  ? __warn+0x7e/0x120 ? rcu_nocb_rdp_deoffload+0x292/0x2a0? report_bug+0x18e/0x1a0? handle_bug+0x3d/0x70? exc_invalid_op+0x18/0x70? asm_exc_invalid_op+0x1a/0x20? rcu_nocb_rdp_deoffload+0x292/0x2a0 rcu_nocb_cpu_deoffload+0x70/0xa0 rcu_nocb_toggle+0x136/0x1c0? __pfx_rcu_nocb_toggle+0x10/0x10 kthread+0xd1/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30  CPU0 CPU2 CPU3 //rcu_nocb_toggle //nocb_cb_wait //rcutorture // desconecta la CPU1 // procesa el rdp de la CPU1 rcu_barrier() rcu_segcblist_entrain() rcu_segcblist_add_len(1); // len == 2 // poner en cola la barrera // devoluci\u00f3n de llamada a rdp-\u0026gt;cblist de CPU1 rcu_do_batch() // invocar rdp-\u0026gt;cblist de CPU1 // devoluci\u00f3n de llamada rcu_barrier_callback() rcu_barrier() mutex_lock(\u0026amp;rcu_state.barrier_mutex); // todav\u00eda se ve len == 2 // poner en cola la barrera // devoluci\u00f3n de llamada a rdp-\u0026gt;cblist de CPU1 rcu_segcblist_entrain() rcu_segcblist_add_len(1); // len == 3 // decrementar len rcu_segcblist_add_len(-2); kthread_parkme() // rdp-\u0026gt;cblist de CPU1 len == 1 // Advertir porque todav\u00eda hay una barrera pendiente // activar la advertencia WARN_ON_ONCE(rcu_segcblist_n_cbs(\u0026amp;rdp-\u0026gt;cblist)); cpus_read_unlock(); // esperar a que la CPU1 se conecte e // invocar la devoluci\u00f3n de llamada de barrera en // la CPU1 rdp\u0027s-\u0026gt;cblist wait_for_completion(\u0026amp;rcu_state.barrier_completion); // descargar la CPU4 cpus_read_lock() rcu_barrier() mutex_lock(\u0026amp;rcu_state.barrier_mutex); // bloquear en barrier_mutex // esperar a que rcu_barrier() en // la CPU3 desbloquee barrier_mutex // pero la CPU3 desbloquea barrier_mutex // necesita esperar a que la CPU1 se conecte // cuando la CPU1 se conecte se bloquear\u00e1 en cpus_write_lock El escenario anterior no solo activar\u00e1 un WARN_ON_ONCE(), sino que tambi\u00e9n activar\u00e1 un bloqueo. Gracias al bloqueo de nocb, un segundo rcu_barrier() en una CPU fuera de l\u00ednea observar\u00e1 el contador de devoluci\u00f3n de llamadas reducido a 0 y ahorrar\u00e1 la puesta en cola de devoluci\u00f3n de llamadas, o rcuo observar\u00e1 la nueva devoluci\u00f3n de llamada y mantendr\u00e1 rdp-\u0026gt;nocb_cb_sleep en falso. Por lo tanto, verifique rdp-\u0026gt;nocb_cb_sleep antes de estacionar para asegurarse de que no haya m\u00e1s rcu_barrier() esperando en el rdp."
    }
  ],
  "id": "CVE-2024-56547",
  "lastModified": "2024-12-27T14:15:34.497",
  "metrics": {},
  "published": "2024-12-27T14:15:34.497",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/224b62028959858294789772d372dcb36cf5f820"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2996980e20b7a54a1869df15b3445374b850b155"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.