cve/published/2024/CVE-2024-35929.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35929: rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()

 For the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and
 CONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()
 in the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:

         CPU2                                               CPU11
 kthread
 rcu_nocb_cb_kthread                                       ksys_write
 rcu_do_batch                                              vfs_write
 rcu_torture_timer_cb                                      proc_sys_write
 __kmem_cache_free                                         proc_sys_call_handler
 kmemleak_free                                             drop_caches_sysctl_handler
 delete_object_full                                        drop_slab
 __delete_object                                           shrink_slab
 put_object                                                lazy_rcu_shrink_scan
 call_rcu                                                  rcu_nocb_flush_bypass
 __call_rcu_commn                                            rcu_nocb_bypass_lock
                                                             raw_spin_trylock(&rdp->nocb_bypass_lock) fail
                                                             atomic_inc(&rdp->nocb_lock_contended);
 rcu_nocb_wait_contended                                     WARN_ON_ONCE(smp_processor_id() != rdp->cpu);
  WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended))                                          |
                             |_ _ _ _ _ _ _ _ _ _same rdp and rdp->cpu != 11_ _ _ _ _ _ _ _ _ __|

 Reproduce this bug with "echo 3 > /proc/sys/vm/drop_caches".

 This commit therefore uses rcu_nocb_try_flush_bypass() instead of
 rcu_nocb_flush_bypass() in lazy_rcu_shrink_scan().  If the nocb_bypass
 queue is being flushed, then rcu_nocb_try_flush_bypass will return
 directly.

 The Linux kernel CVE team has assigned CVE-2024-35929 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.6.27 with commit 4d58c9fb45c70e62c19e8be3f3605889c47601bc
 	Fixed in 6.8.6 with commit 927d1f4f77e4784ab3944a9df86ab14d1cd3185a
 	Fixed in 6.9 with commit dda98810b552fc6bf650f4270edeebdc2f28bd3f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35929
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/rcu/tree_nocb.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/4d58c9fb45c70e62c19e8be3f3605889c47601bc
 	https://git.kernel.org/stable/c/927d1f4f77e4784ab3944a9df86ab14d1cd3185a
 	https://git.kernel.org/stable/c/dda98810b552fc6bf650f4270edeebdc2f28bd3f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35929: rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()

	For the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and
	CONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()
	in the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:

	CPU2 CPU11
	kthread
	rcu_nocb_cb_kthread ksys_write
	rcu_do_batch vfs_write
	rcu_torture_timer_cb proc_sys_write
	__kmem_cache_free proc_sys_call_handler
	kmemleak_free drop_caches_sysctl_handler
	delete_object_full drop_slab
	__delete_object shrink_slab
	put_object lazy_rcu_shrink_scan
	call_rcu rcu_nocb_flush_bypass
	__call_rcu_commn rcu_nocb_bypass_lock
	raw_spin_trylock(&rdp->nocb_bypass_lock) fail
	atomic_inc(&rdp->nocb_lock_contended);
	rcu_nocb_wait_contended WARN_ON_ONCE(smp_processor_id() != rdp->cpu);
	WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended)) \|
	\|_ _ _ _ _ _ _ _ _ _same rdp and rdp->cpu != 11_ _ _ _ _ _ _ _ _ __\|

	Reproduce this bug with "echo 3 > /proc/sys/vm/drop_caches".

	This commit therefore uses rcu_nocb_try_flush_bypass() instead of
	rcu_nocb_flush_bypass() in lazy_rcu_shrink_scan(). If the nocb_bypass
	queue is being flushed, then rcu_nocb_try_flush_bypass will return
	directly.

	The Linux kernel CVE team has assigned CVE-2024-35929 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.6.27 with commit 4d58c9fb45c70e62c19e8be3f3605889c47601bc
	Fixed in 6.8.6 with commit 927d1f4f77e4784ab3944a9df86ab14d1cd3185a
	Fixed in 6.9 with commit dda98810b552fc6bf650f4270edeebdc2f28bd3f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35929
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/rcu/tree_nocb.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/4d58c9fb45c70e62c19e8be3f3605889c47601bc
	https://git.kernel.org/stable/c/927d1f4f77e4784ab3944a9df86ab14d1cd3185a
	https://git.kernel.org/stable/c/dda98810b552fc6bf650f4270edeebdc2f28bd3f