2.4 KiB
CVE-2024-35929
Description
In the Linux kernel, the following vulnerability has been resolved:rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()For the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y andCONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()in the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions: CPU2 CPU11kthreadrcu_nocb_cb_kthread ksys_writercu_do_batch vfs_writercu_torture_timer_cb proc_sys_write__kmem_cache_free proc_sys_call_handlerkmemleak_free drop_caches_sysctl_handlerdelete_object_full drop_slab__delete_object shrink_slabput_object lazy_rcu_shrink_scancall_rcu rcu_nocb_flush_bypass__call_rcu_commn rcu_nocb_bypass_lock raw_spin_trylock(&rdp->nocb_bypass_lock) fail atomic_inc(&rdp->nocb_lock_contended);rcu_nocb_wait_contended WARN_ON_ONCE(smp_processor_id() != rdp->cpu); WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended)) | |_ _ _ _ _ _ _ _ _ same rdp and rdp->cpu != 11 _ _ _ _ _ _ _ _ __|Reproduce this bug with "echo 3 > /proc/sys/vm/drop_caches".This commit therefore uses rcu_nocb_try_flush_bypass() instead ofrcu_nocb_flush_bypass() in lazy_rcu_shrink_scan(). If the nocb_bypassqueue is being flushed, then rcu_nocb_try_flush_bypass will returndirectly.
POC
Reference
No PoCs from references.