CVE-2024-56547

{"id": "CVE-2024-56547", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2024-12-27T14:15:34.497", "references": [{"url": "https://git.kernel.org/stable/c/224b62028959858294789772d372dcb36cf5f820", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2996980e20b7a54a1869df15b3445374b850b155", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix missed RCU barrier on deoffloading\n\nCurrently, running rcutorture test with torture_type=rcu fwd_progress=8\nn_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60\ntest_boost=2, will trigger the following warning:\n\n\tWARNING: CPU: 19 PID: 100 at kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0\n\tRIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t Call Trace:\n\t <TASK>\n\t ? __warn+0x7e/0x120\n\t ? rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t ? report_bug+0x18e/0x1a0\n\t ? handle_bug+0x3d/0x70\n\t ? exc_invalid_op+0x18/0x70\n\t ? asm_exc_invalid_op+0x1a/0x20\n\t ? rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t rcu_nocb_cpu_deoffload+0x70/0xa0\n\t rcu_nocb_toggle+0x136/0x1c0\n\t ? __pfx_rcu_nocb_toggle+0x10/0x10\n\t kthread+0xd1/0x100\n\t ? __pfx_kthread+0x10/0x10\n\t ret_from_fork+0x2f/0x50\n\t ? __pfx_kthread+0x10/0x10\n\t ret_from_fork_asm+0x1a/0x30\n\t </TASK>\n\nCPU0 CPU2 CPU3\n//rcu_nocb_toggle //nocb_cb_wait //rcutorture\n\n// deoffload CPU1 // process CPU1's rdp\nrcu_barrier()\n rcu_segcblist_entrain()\n rcu_segcblist_add_len(1);\n // len == 2\n // enqueue barrier\n // callback to CPU1's\n // rdp->cblist\n rcu_do_batch()\n // invoke CPU1's rdp->cblist\n // callback\n rcu_barrier_callback()\n rcu_barrier()\n mutex_lock(&rcu_state.barrier_mutex);\n // still see len == 2\n // enqueue barrier callback\n // to CPU1's rdp->cblist\n rcu_segcblist_entrain()\n rcu_segcblist_add_len(1);\n // len == 3\n // decrement len\n rcu_segcblist_add_len(-2);\n kthread_parkme()\n\n// CPU1's rdp->cblist len == 1\n// Warn because there is\n// still a pending barrier\n// trigger warning\nWARN_ON_ONCE(rcu_segcblist_n_cbs(&rdp->cblist));\ncpus_read_unlock();\n\n // wait CPU1 to comes online and\n // invoke barrier callback on\n // CPU1 rdp's->cblist\n wait_for_completion(&rcu_state.barrier_completion);\n// deoffload CPU4\ncpus_read_lock()\n rcu_barrier()\n mutex_lock(&rcu_state.barrier_mutex);\n // block on barrier_mutex\n // wait rcu_barrier() on\n // CPU3 to unlock barrier_mutex\n // but CPU3 unlock barrier_mutex\n // need to wait CPU1 comes online\n // when CPU1 going online will block on cpus_write_lock\n\nThe above scenario will not only trigger a WARN_ON_ONCE(), but also\ntrigger a deadlock.\n\nThanks to nocb locking, a second racing rcu_barrier() on an offline CPU\nwill either observe the decremented callback counter down to 0 and spare\nthe callback enqueue, or rcuo will observe the new callback and keep\nrdp->nocb_cb_sleep to false.\n\nTherefore check rdp->nocb_cb_sleep before parking to make sure no\nfurther rcu_barrier() is waiting on the rdp."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rcu/nocb: Corregir la barrera RCU omitida al descargar Actualmente, ejecutar la prueba rcutorture con torture_type=rcu fwd_progress=8 n_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60 test_boost=2, activar\u00e1 la siguiente advertencia: ADVERTENCIA: CPU: 19 PID: 100 en kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0 RIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0 Rastreo de llamadas: ? __warn+0x7e/0x120 ? rcu_nocb_rdp_deoffload+0x292/0x2a0? report_bug+0x18e/0x1a0? handle_bug+0x3d/0x70? exc_invalid_op+0x18/0x70? asm_exc_invalid_op+0x1a/0x20? rcu_nocb_rdp_deoffload+0x292/0x2a0 rcu_nocb_cpu_deoffload+0x70/0xa0 rcu_nocb_toggle+0x136/0x1c0? __pfx_rcu_nocb_toggle+0x10/0x10 kthread+0xd1/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 CPU0 CPU2 CPU3 //rcu_nocb_toggle //nocb_cb_wait //rcutorture // desconecta la CPU1 // procesa el rdp de la CPU1 rcu_barrier() rcu_segcblist_entrain() rcu_segcblist_add_len(1); // len == 2 // poner en cola la barrera // devoluci\u00f3n de llamada a rdp-&gt;cblist de CPU1 rcu_do_batch() // invocar rdp-&gt;cblist de CPU1 // devoluci\u00f3n de llamada rcu_barrier_callback() rcu_barrier() mutex_lock(&amp;rcu_state.barrier_mutex); // todav\u00eda se ve len == 2 // poner en cola la barrera // devoluci\u00f3n de llamada a rdp-&gt;cblist de CPU1 rcu_segcblist_entrain() rcu_segcblist_add_len(1); // len == 3 // decrementar len rcu_segcblist_add_len(-2); kthread_parkme() // rdp-&gt;cblist de CPU1 len == 1 // Advertir porque todav\u00eda hay una barrera pendiente // activar la advertencia WARN_ON_ONCE(rcu_segcblist_n_cbs(&amp;rdp-&gt;cblist)); cpus_read_unlock(); // esperar a que la CPU1 se conecte e // invocar la devoluci\u00f3n de llamada de barrera en // la CPU1 rdp's-&gt;cblist wait_for_completion(&amp;rcu_state.barrier_completion); // descargar la CPU4 cpus_read_lock() rcu_barrier() mutex_lock(&amp;rcu_state.barrier_mutex); // bloquear en barrier_mutex // esperar a que rcu_barrier() en // la CPU3 desbloquee barrier_mutex // pero la CPU3 desbloquea barrier_mutex // necesita esperar a que la CPU1 se conecte // cuando la CPU1 se conecte se bloquear\u00e1 en cpus_write_lock El escenario anterior no solo activar\u00e1 un WARN_ON_ONCE(), sino que tambi\u00e9n activar\u00e1 un bloqueo. Gracias al bloqueo de nocb, un segundo rcu_barrier() en una CPU fuera de l\u00ednea observar\u00e1 el contador de devoluci\u00f3n de llamadas reducido a 0 y ahorrar\u00e1 la puesta en cola de devoluci\u00f3n de llamadas, o rcuo observar\u00e1 la nueva devoluci\u00f3n de llamada y mantendr\u00e1 rdp-&gt;nocb_cb_sleep en falso. Por lo tanto, verifique rdp-&gt;nocb_cb_sleep antes de estacionar para asegurarse de que no haya m\u00e1s rcu_barrier() esperando en el rdp."}], "lastModified": "2025-10-08T13:57:18.497", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8882B1B-2ABC-4838-AC1D-DBDBB5764776", "versionEndExcluding": "6.12.2", "versionStartIncluding": "6.12"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}