Commit 82f3c251 authored Mar 06, 2025 by Paul E. McKenney Committed by Yang Yingliang Mar 06, 2025

srcu: Tighten cleanup_srcu_struct() GP checks

mainline inclusion
from mainline-v5.19-rc1
commit 8ed00760
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP415
CVE: CVE-2022-49651

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8ed00760203d8018bee042fbfe8e076579be2c2b



--------------------------------

Currently, cleanup_srcu_struct() checks for a grace period in progress,
but it does not check for a grace period that has not yet started but
which might start at any time.  Such a situation could result in a
use-after-free bug, so this commit adds a check for a grace period that
is needed but not yet started to cleanup_srcu_struct().

Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

parent e82f027e

kernel/rcu/srcutree.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -390,9 +390,11 @@ void cleanup_srcu_struct(struct srcu_struct *ssp)
		return; /* Forgot srcu_barrier(), so just leak it! */
		}
		if (WARN_ON(rcu_seq_state(READ_ONCE(ssp->srcu_gp_seq)) != SRCU_STATE_IDLE) \|\|
		WARN_ON(rcu_seq_current(&ssp->srcu_gp_seq) != ssp->srcu_gp_seq_needed) \|\|
		WARN_ON(srcu_readers_active(ssp))) {
		pr_info("%s: Active srcu_struct %p state: %d\n",
		__func__, ssp, rcu_seq_state(READ_ONCE(ssp->srcu_gp_seq)));
		pr_info("%s: Active srcu_struct %p read state: %d gp state: %lu/%lu\n",
		__func__, ssp, rcu_seq_state(READ_ONCE(ssp->srcu_gp_seq)),
		rcu_seq_current(&ssp->srcu_gp_seq), ssp->srcu_gp_seq_needed);
		return; /* Caller forgot to stop doing call_srcu()? */
		}
		free_percpu(ssp->sda);