CVE-2024-56547

27.12.2024, 14:15

In the Linux kernel, the following vulnerability has been resolved:

rcu/nocb: Fix missed RCU barrier on deoffloading

Currently, running rcutorture test with torture_type=rcu fwd_progress=8
n_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60
test_boost=2, will trigger the following warning:

	WARNING: CPU: 19 PID: 100 at kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0
	RIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0
	 Call Trace:
	  <TASK>
	  ? __warn+0x7e/0x120
	  ? rcu_nocb_rdp_deoffload+0x292/0x2a0
	  ? report_bug+0x18e/0x1a0
	  ? handle_bug+0x3d/0x70
	  ? exc_invalid_op+0x18/0x70
	  ? asm_exc_invalid_op+0x1a/0x20
	  ? rcu_nocb_rdp_deoffload+0x292/0x2a0
	  rcu_nocb_cpu_deoffload+0x70/0xa0
	  rcu_nocb_toggle+0x136/0x1c0
	  ? __pfx_rcu_nocb_toggle+0x10/0x10
	  kthread+0xd1/0x100
	  ? __pfx_kthread+0x10/0x10
	  ret_from_fork+0x2f/0x50
	  ? __pfx_kthread+0x10/0x10
	  ret_from_fork_asm+0x1a/0x30
	  </TASK>

CPU0                               CPU2                          CPU3
//rcu_nocb_toggle             //nocb_cb_wait                   //rcutorture

// deoffload CPU1             // process CPU1's rdp
rcu_barrier()
    rcu_segcblist_entrain()
        rcu_segcblist_add_len(1);
        // len == 2
        // enqueue barrier
        // callback to CPU1's
        // rdp->cblist
                             rcu_do_batch()
                                 // invoke CPU1's rdp->cblist
                                 // callback
                                 rcu_barrier_callback()
                                                             rcu_barrier()
                                                               mutex_lock(&rcu_state.barrier_mutex);
                                                               // still see len == 2
                                                               // enqueue barrier callback
                                                               // to CPU1's rdp->cblist
                                                               rcu_segcblist_entrain()
                                                                   rcu_segcblist_add_len(1);
                                                                   // len == 3
                                 // decrement len
                                 rcu_segcblist_add_len(-2);
                             kthread_parkme()

// CPU1's rdp->cblist len == 1
// Warn because there is
// still a pending barrier
// trigger warning
WARN_ON_ONCE(rcu_segcblist_n_cbs(&rdp->cblist));
cpus_read_unlock();

                                                                // wait CPU1 to comes online and
                                                                // invoke barrier callback on
                                                                // CPU1 rdp's->cblist
                                                                wait_for_completion(&rcu_state.barrier_completion);
// deoffload CPU4
cpus_read_lock()
  rcu_barrier()
    mutex_lock(&rcu_state.barrier_mutex);
    // block on barrier_mutex
    // wait rcu_barrier() on
    // CPU3 to unlock barrier_mutex
    // but CPU3 unlock barrier_mutex
    // need to wait CPU1 comes online
    // when CPU1 going online will block on cpus_write_lock

The above scenario will not only trigger a WARN_ON_ONCE(), but also
trigger a deadlock.

Thanks to nocb locking, a second racing rcu_barrier() on an offline CPU
will either observe the decremented callback counter down to 0 and spare
the callback enqueue, or rcuo will observe the new callback and keep
rdp->nocb_cb_sleep to false.

Therefore check rdp->nocb_cb_sleep before parking to make sure no
further rcu_barrier() is waiting on the rdp.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
Linux	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 6%

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 not-affected
bookworm	6.1.137-1 not-affected
bullseye (security)	5.10.237-1 fixed
bookworm (security)	6.1.140-1 fixed
trixie	6.12.27-1 fixed
sid	6.12.30-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

oracular	not-affected
noble	not-affected
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

linux-allwinner-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-aws

oracular	not-affected
noble	not-affected
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

linux-aws-5.0

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-aws-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-aws-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-aws-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-aws-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-aws-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-aws-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-aws-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-aws-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-aws-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-aws-6.8

oracular	dne
noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-aws-fips

oracular	dne
noble	dne
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	dne
trusty	dne

linux-aws-hwe

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	not-affected
trusty	dne

linux-azure

oracular	not-affected
noble	not-affected
jammy	not-affected
focal	not-affected
bionic	ignored
xenial	not-affected
trusty	not-affected

linux-azure-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-azure-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-azure-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-azure-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-azure-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-azure-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-azure-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-azure-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-6.8

oracular	dne
noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-edge

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-azure-fde

oracular	dne
noble	dne
jammy	not-affected
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-azure-fde-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-azure-fde-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-fde-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-fips

oracular	dne
noble	dne
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	dne
trusty	dne

linux-bluefield

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-fips

oracular	dne
noble	dne
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	dne

linux-gcp

oracular	not-affected
noble	not-affected
jammy	not-affected
focal	not-affected
bionic	ignored
xenial	not-affected
trusty	dne

linux-gcp-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-gcp-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-gcp-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-gcp-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-gcp-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-gcp-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-gcp-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-gcp-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-gcp-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-gcp-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-gcp-6.8

oracular	dne
noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-gcp-fips

oracular	dne
noble	dne
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	dne
trusty	dne

linux-gke

oracular	dne
noble	not-affected
jammy	not-affected
focal	ignored
bionic	dne
xenial	ignored
trusty	dne

linux-gke-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-gke-5.15

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-gke-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-gkeop

oracular	dne
noble	not-affected
jammy	not-affected
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-gkeop-5.15

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-gkeop-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-hwe

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	not-affected
trusty	dne

linux-hwe-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-hwe-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-hwe-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-hwe-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-hwe-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-hwe-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-hwe-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-hwe-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-hwe-6.8

oracular	dne
noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-hwe-edge

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored
trusty	dne

linux-ibm

oracular	dne
noble	not-affected
jammy	not-affected
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-ibm-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-ibm-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-intel

oracular	dne
noble	not-affected
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-intel-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-intel-iot-realtime

oracular	dne
noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-intel-iotg

oracular	dne
noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-intel-iotg-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-iot

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-kvm

oracular	dne
noble	dne
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	dne

linux-lowlatency

oracular	not-affected
noble	not-affected
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency-hwe-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency-hwe-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency-hwe-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency-hwe-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency-hwe-6.8

oracular	dne
noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lts-xenial

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	not-affected

linux-nvidia

oracular	dne
noble	not-affected
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-nvidia-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-nvidia-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-nvidia-6.8

oracular	dne
noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-nvidia-lowlatency

oracular	dne
noble	not-affected
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored
trusty	dne

linux-oem-5.10

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oem-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oem-5.14

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oem-5.17

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-5.6

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oem-6.0

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-6.1

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-6.11

oracular	dne
noble	not-affected
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-6.8

oracular	dne
noble	not-affected
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oracle

oracular	not-affected
noble	not-affected
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	dne

linux-oracle-5.0

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-oracle-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oracle-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oracle-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-oracle-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-oracle-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-oracle-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oracle-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oracle-6.8

oracular	dne
noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-raspi

oracular	not-affected
noble	not-affected
jammy	not-affected
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-raspi-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-raspi-realtime

oracular	dne
noble	not-affected
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-raspi2

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	ignored
xenial	ignored
trusty	dne

linux-realtime

oracular	not-affected
noble	not-affected
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-riscv

oracular	not-affected
noble	not-affected
jammy	ignored
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-riscv-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-riscv-5.15

oracular	dne
noble	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-riscv-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-riscv-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-riscv-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-riscv-6.8

oracular	dne
noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-starfive-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-starfive-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-starfive-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-xilinx-zynqmp

oracular	dne
noble	dne
jammy	not-affected
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

References

https://git.kernel.org/stable/c/224b62028959858294789772d372dcb36cf5f820

https://git.kernel.org/stable/c/2996980e20b7a54a1869df15b3445374b850b155