CVE-2024-35929 rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()

2024-05-1910:10:38

Linux

github.com

linux kernel

vulnerability

resolved

rcu/nocb

fix

warn_on_once

rcu_nocb_bypass_lock

scenario

trigger

kthread

rcu_do_batch

ksys_write

vfs_write

proc_sys_write

kmemleak_free

delete_object_full

put_object

call_rcu

lazy_rcu_shrink_scan

rcu_nocb_try_flush_bypass

queue

AI Score

6.8

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

In the Linux kernel, the following vulnerability has been resolved:

rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()

For the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and
CONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()
in the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:

    CPU2                                               CPU11

kthread
rcu_nocb_cb_kthread ksys_write
rcu_do_batch vfs_write
rcu_torture_timer_cb proc_sys_write
__kmem_cache_free proc_sys_call_handler
kmemleak_free drop_caches_sysctl_handler
delete_object_full drop_slab
__delete_object shrink_slab
put_object lazy_rcu_shrink_scan
call_rcu rcu_nocb_flush_bypass
_call_rcu_commn rcu_nocb_bypass_lock
raw_spin_trylock(&rdp->nocb_bypass_lock) fail
atomic_inc(&rdp->nocb_lock_contended);
rcu_nocb_wait_contended WARN_ON_ONCE(smp_processor_id() != rdp->cpu);
WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended)) |
| _ _ _ _ _ _ _ _ same rdp and rdp->cpu != 11 _ _ _ _ _ _ _ _ __|

Reproduce this bug with “echo 3 > /proc/sys/vm/drop_caches”.

This commit therefore uses rcu_nocb_try_flush_bypass() instead of
rcu_nocb_flush_bypass() in lazy_rcu_shrink_scan(). If the nocb_bypass
queue is being flushed, then rcu_nocb_try_flush_bypass will return
directly.