1224656 – (CVE-2024-35929) VUL-0: CVE-2024-35929: kernel: rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()

Bug 1224656 (CVE-2024-35929) - VUL-0: CVE-2024-35929: kernel: rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()

Summary: VUL-0: CVE-2024-35929: kernel: rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_b...

Status:	NEW

Alias:	CVE-2024-35929

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Frederic Weisbecker
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/406619/
Whiteboard:	CVSSv3.1:SUSE:CVE-2024-35929:2.5:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-05-20 16:04 UTC by SMASH SMASH
Modified:	2024-05-26 23:21 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-05-20 16:04:09 UTC

In the Linux kernel, the following vulnerability has been resolved:

rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()

For the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and
CONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()
in the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:

        CPU2                                               CPU11
kthread
rcu_nocb_cb_kthread                                       ksys_write
rcu_do_batch                                              vfs_write
rcu_torture_timer_cb                                      proc_sys_write
__kmem_cache_free                                         proc_sys_call_handler
kmemleak_free                                             drop_caches_sysctl_handler
delete_object_full                                        drop_slab
__delete_object                                           shrink_slab
put_object                                                lazy_rcu_shrink_scan
call_rcu                                                  rcu_nocb_flush_bypass
__call_rcu_commn                                            rcu_nocb_bypass_lock
                                                            raw_spin_trylock(&rdp->nocb_bypass_lock) fail
                                                            atomic_inc(&rdp->nocb_lock_contended);
rcu_nocb_wait_contended                                     WARN_ON_ONCE(smp_processor_id() != rdp->cpu);
 WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended))                                          |
                            |_ _ _ _ _ _ _ _ _ _same rdp and rdp->cpu != 11_ _ _ _ _ _ _ _ _ __|

Reproduce this bug with "echo 3 > /proc/sys/vm/drop_caches".

This commit therefore uses rcu_nocb_try_flush_bypass() instead of
rcu_nocb_flush_bypass() in lazy_rcu_shrink_scan().  If the nocb_bypass
queue is being flushed, then rcu_nocb_try_flush_bypass will return
directly.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-35929
https://www.cve.org/CVERecord?id=CVE-2024-35929
https://git.kernel.org/stable/c/4d58c9fb45c70e62c19e8be3f3605889c47601bc
https://git.kernel.org/stable/c/927d1f4f77e4784ab3944a9df86ab14d1cd3185a
https://git.kernel.org/stable/c/dda98810b552fc6bf650f4270edeebdc2f28bd3f
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-35929.mbox
https://bugzilla.redhat.com/show_bug.cgi?id=2281514

Comment 1 Joey Lee 2024-05-21 05:27:46 UTC

https://www.suse.com/security/cve/CVE-2024-35929.html
cvss 2.5