fkie_cve-2024-56547
Vulnerability from fkie_nvd
Published
2024-12-27 14:15
Modified
2024-12-27 14:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: rcu/nocb: Fix missed RCU barrier on deoffloading Currently, running rcutorture test with torture_type=rcu fwd_progress=8 n_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60 test_boost=2, will trigger the following warning: WARNING: CPU: 19 PID: 100 at kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0 RIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0 Call Trace: <TASK> ? __warn+0x7e/0x120 ? rcu_nocb_rdp_deoffload+0x292/0x2a0 ? report_bug+0x18e/0x1a0 ? handle_bug+0x3d/0x70 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? rcu_nocb_rdp_deoffload+0x292/0x2a0 rcu_nocb_cpu_deoffload+0x70/0xa0 rcu_nocb_toggle+0x136/0x1c0 ? __pfx_rcu_nocb_toggle+0x10/0x10 kthread+0xd1/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> CPU0 CPU2 CPU3 //rcu_nocb_toggle //nocb_cb_wait //rcutorture // deoffload CPU1 // process CPU1's rdp rcu_barrier() rcu_segcblist_entrain() rcu_segcblist_add_len(1); // len == 2 // enqueue barrier // callback to CPU1's // rdp->cblist rcu_do_batch() // invoke CPU1's rdp->cblist // callback rcu_barrier_callback() rcu_barrier() mutex_lock(&rcu_state.barrier_mutex); // still see len == 2 // enqueue barrier callback // to CPU1's rdp->cblist rcu_segcblist_entrain() rcu_segcblist_add_len(1); // len == 3 // decrement len rcu_segcblist_add_len(-2); kthread_parkme() // CPU1's rdp->cblist len == 1 // Warn because there is // still a pending barrier // trigger warning WARN_ON_ONCE(rcu_segcblist_n_cbs(&rdp->cblist)); cpus_read_unlock(); // wait CPU1 to comes online and // invoke barrier callback on // CPU1 rdp's->cblist wait_for_completion(&rcu_state.barrier_completion); // deoffload CPU4 cpus_read_lock() rcu_barrier() mutex_lock(&rcu_state.barrier_mutex); // block on barrier_mutex // wait rcu_barrier() on // CPU3 to unlock barrier_mutex // but CPU3 unlock barrier_mutex // need to wait CPU1 comes online // when CPU1 going online will block on cpus_write_lock The above scenario will not only trigger a WARN_ON_ONCE(), but also trigger a deadlock. Thanks to nocb locking, a second racing rcu_barrier() on an offline CPU will either observe the decremented callback counter down to 0 and spare the callback enqueue, or rcuo will observe the new callback and keep rdp->nocb_cb_sleep to false. Therefore check rdp->nocb_cb_sleep before parking to make sure no further rcu_barrier() is waiting on the rdp.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/224b62028959858294789772d372dcb36cf5f820
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2996980e20b7a54a1869df15b3445374b850b155
Impacted products
Vendor Product Version


To clipboard 

{
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix missed RCU barrier on deoffloading\n\nCurrently, running rcutorture test with torture_type=rcu fwd_progress=8\nn_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60\ntest_boost=2, will trigger the following warning:\n\n\tWARNING: CPU: 19 PID: 100 at kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0\n\tRIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t Call Trace:\n\t  <TASK>\n\t  ? __warn+0x7e/0x120\n\t  ? rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t  ? report_bug+0x18e/0x1a0\n\t  ? handle_bug+0x3d/0x70\n\t  ? exc_invalid_op+0x18/0x70\n\t  ? asm_exc_invalid_op+0x1a/0x20\n\t  ? rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t  rcu_nocb_cpu_deoffload+0x70/0xa0\n\t  rcu_nocb_toggle+0x136/0x1c0\n\t  ? __pfx_rcu_nocb_toggle+0x10/0x10\n\t  kthread+0xd1/0x100\n\t  ? __pfx_kthread+0x10/0x10\n\t  ret_from_fork+0x2f/0x50\n\t  ? __pfx_kthread+0x10/0x10\n\t  ret_from_fork_asm+0x1a/0x30\n\t  </TASK>\n\nCPU0                               CPU2                          CPU3\n//rcu_nocb_toggle             //nocb_cb_wait                   //rcutorture\n\n// deoffload CPU1             // process CPU1's rdp\nrcu_barrier()\n    rcu_segcblist_entrain()\n        rcu_segcblist_add_len(1);\n        // len == 2\n        // enqueue barrier\n        // callback to CPU1's\n        // rdp->cblist\n                             rcu_do_batch()\n                                 // invoke CPU1's rdp->cblist\n                                 // callback\n                                 rcu_barrier_callback()\n                                                             rcu_barrier()\n                                                               mutex_lock(&rcu_state.barrier_mutex);\n                                                               // still see len == 2\n                                                               // enqueue barrier callback\n                                                               // to CPU1's rdp->cblist\n                                                               rcu_segcblist_entrain()\n                                                                   rcu_segcblist_add_len(1);\n                                                                   // len == 3\n                                 // decrement len\n                                 rcu_segcblist_add_len(-2);\n                             kthread_parkme()\n\n// CPU1's rdp->cblist len == 1\n// Warn because there is\n// still a pending barrier\n// trigger warning\nWARN_ON_ONCE(rcu_segcblist_n_cbs(&rdp->cblist));\ncpus_read_unlock();\n\n                                                                // wait CPU1 to comes online and\n                                                                // invoke barrier callback on\n                                                                // CPU1 rdp's->cblist\n                                                                wait_for_completion(&rcu_state.barrier_completion);\n// deoffload CPU4\ncpus_read_lock()\n  rcu_barrier()\n    mutex_lock(&rcu_state.barrier_mutex);\n    // block on barrier_mutex\n    // wait rcu_barrier() on\n    // CPU3 to unlock barrier_mutex\n    // but CPU3 unlock barrier_mutex\n    // need to wait CPU1 comes online\n    // when CPU1 going online will block on cpus_write_lock\n\nThe above scenario will not only trigger a WARN_ON_ONCE(), but also\ntrigger a deadlock.\n\nThanks to nocb locking, a second racing rcu_barrier() on an offline CPU\nwill either observe the decremented callback counter down to 0 and spare\nthe callback enqueue, or rcuo will observe the new callback and keep\nrdp->nocb_cb_sleep to false.\n\nTherefore check rdp->nocb_cb_sleep before parking to make sure no\nfurther rcu_barrier() is waiting on the rdp.",
      },
      {
         lang: "es",
         value: "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rcu/nocb: Corregir la barrera RCU omitida al descargar Actualmente, ejecutar la prueba rcutorture con torture_type=rcu fwd_progress=8 n_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60 test_boost=2, activará la siguiente advertencia: ADVERTENCIA: CPU: 19 PID: 100 en kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0 RIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0 Rastreo de llamadas:  ? __warn+0x7e/0x120 ? rcu_nocb_rdp_deoffload+0x292/0x2a0? report_bug+0x18e/0x1a0? handle_bug+0x3d/0x70? exc_invalid_op+0x18/0x70? asm_exc_invalid_op+0x1a/0x20? rcu_nocb_rdp_deoffload+0x292/0x2a0 rcu_nocb_cpu_deoffload+0x70/0xa0 rcu_nocb_toggle+0x136/0x1c0? __pfx_rcu_nocb_toggle+0x10/0x10 kthread+0xd1/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30  CPU0 CPU2 CPU3 //rcu_nocb_toggle //nocb_cb_wait //rcutorture // desconecta la CPU1 // procesa el rdp de la CPU1 rcu_barrier() rcu_segcblist_entrain() rcu_segcblist_add_len(1); // len == 2 // poner en cola la barrera // devolución de llamada a rdp-&gt;cblist de CPU1 rcu_do_batch() // invocar rdp-&gt;cblist de CPU1 // devolución de llamada rcu_barrier_callback() rcu_barrier() mutex_lock(&amp;rcu_state.barrier_mutex); // todavía se ve len == 2 // poner en cola la barrera // devolución de llamada a rdp-&gt;cblist de CPU1 rcu_segcblist_entrain() rcu_segcblist_add_len(1); // len == 3 // decrementar len rcu_segcblist_add_len(-2); kthread_parkme() // rdp-&gt;cblist de CPU1 len == 1 // Advertir porque todavía hay una barrera pendiente // activar la advertencia WARN_ON_ONCE(rcu_segcblist_n_cbs(&amp;rdp-&gt;cblist)); cpus_read_unlock(); // esperar a que la CPU1 se conecte e // invocar la devolución de llamada de barrera en // la CPU1 rdp's-&gt;cblist wait_for_completion(&amp;rcu_state.barrier_completion); // descargar la CPU4 cpus_read_lock() rcu_barrier() mutex_lock(&amp;rcu_state.barrier_mutex); // bloquear en barrier_mutex // esperar a que rcu_barrier() en // la CPU3 desbloquee barrier_mutex // pero la CPU3 desbloquea barrier_mutex // necesita esperar a que la CPU1 se conecte // cuando la CPU1 se conecte se bloqueará en cpus_write_lock El escenario anterior no solo activará un WARN_ON_ONCE(), sino que también activará un bloqueo. Gracias al bloqueo de nocb, un segundo rcu_barrier() en una CPU fuera de línea observará el contador de devolución de llamadas reducido a 0 y ahorrará la puesta en cola de devolución de llamadas, o rcuo observará la nueva devolución de llamada y mantendrá rdp-&gt;nocb_cb_sleep en falso. Por lo tanto, verifique rdp-&gt;nocb_cb_sleep antes de estacionar para asegurarse de que no haya más rcu_barrier() esperando en el rdp.",
      },
   ],
   id: "CVE-2024-56547",
   lastModified: "2024-12-27T14:15:34.497",
   metrics: {},
   published: "2024-12-27T14:15:34.497",
   references: [
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         url: "https://git.kernel.org/stable/c/224b62028959858294789772d372dcb36cf5f820",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         url: "https://git.kernel.org/stable/c/2996980e20b7a54a1869df15b3445374b850b155",
      },
   ],
   sourceIdentifier: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
   vulnStatus: "Awaiting Analysis",
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.