CVE-2023-54113

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rcu: dump vmalloc memory info safely<br /> <br /> Currently, for double invoke call_rcu(), will dump rcu_head objects memory<br /> info, if the objects is not allocated from the slab allocator, the<br /> vmalloc_dump_obj() will be invoke and the vmap_area_lock spinlock need to<br /> be held, since the call_rcu() can be invoked in interrupt context,<br /> therefore, there is a possibility of spinlock deadlock scenarios.<br /> <br /> And in Preempt-RT kernel, the rcutorture test also trigger the following<br /> lockdep warning:<br /> <br /> BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48<br /> in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0<br /> preempt_count: 1, expected: 0<br /> RCU nest depth: 1, expected: 1<br /> 3 locks held by swapper/0/1:<br /> #0: ffffffffb534ee80 (fullstop_mutex){+.+.}-{4:4}, at: torture_init_begin+0x24/0xa0<br /> #1: ffffffffb5307940 (rcu_read_lock){....}-{1:3}, at: rcu_torture_init+0x1ec7/0x2370<br /> #2: ffffffffb536af40 (vmap_area_lock){+.+.}-{3:3}, at: find_vmap_area+0x1f/0x70<br /> irq event stamp: 565512<br /> hardirqs last enabled at (565511): [] __call_rcu_common+0x218/0x940<br /> hardirqs last disabled at (565512): [] rcu_torture_init+0x20b2/0x2370<br /> softirqs last enabled at (399112): [] __local_bh_enable_ip+0x126/0x170<br /> softirqs last disabled at (399106): [] inet_register_protosw+0x9/0x1d0<br /> Preemption disabled at:<br /> [] rcu_torture_init+0x1f13/0x2370<br /> CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.5.0-rc4-rt2-yocto-preempt-rt+ #15<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x68/0xb0<br /> dump_stack+0x14/0x20<br /> __might_resched+0x1aa/0x280<br /> ? __pfx_rcu_torture_err_cb+0x10/0x10<br /> rt_spin_lock+0x53/0x130<br /> ? find_vmap_area+0x1f/0x70<br /> find_vmap_area+0x1f/0x70<br /> vmalloc_dump_obj+0x20/0x60<br /> mem_dump_obj+0x22/0x90<br /> __call_rcu_common+0x5bf/0x940<br /> ? debug_smp_processor_id+0x1b/0x30<br /> call_rcu_hurry+0x14/0x20<br /> rcu_torture_init+0x1f82/0x2370<br /> ? __pfx_rcu_torture_leak_cb+0x10/0x10<br /> ? __pfx_rcu_torture_leak_cb+0x10/0x10<br /> ? __pfx_rcu_torture_init+0x10/0x10<br /> do_one_initcall+0x6c/0x300<br /> ? debug_smp_processor_id+0x1b/0x30<br /> kernel_init_freeable+0x2b9/0x540<br /> ? __pfx_kernel_init+0x10/0x10<br /> kernel_init+0x1f/0x150<br /> ret_from_fork+0x40/0x50<br /> ? __pfx_kernel_init+0x10/0x10<br /> ret_from_fork_asm+0x1b/0x30<br /> <br /> <br /> The previous patch fixes this by using the deadlock-safe best-effort<br /> version of find_vm_area. However, in case of failure print the fact that<br /> the pointer was a vmalloc pointer so that we print at least something.