{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-56547", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-27T14:03:05.989Z", "datePublished": "2024-12-27T14:11:28.548Z", "dateUpdated": "2026-05-11T20:54:27.563Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T20:54:27.563Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix missed RCU barrier on deoffloading\n\nCurrently, running rcutorture test with torture_type=rcu fwd_progress=8\nn_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60\ntest_boost=2, will trigger the following warning:\n\n\tWARNING: CPU: 19 PID: 100 at kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0\n\tRIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t Call Trace:\n\t <TASK>\n\t ? __warn+0x7e/0x120\n\t ? rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t ? report_bug+0x18e/0x1a0\n\t ? handle_bug+0x3d/0x70\n\t ? exc_invalid_op+0x18/0x70\n\t ? asm_exc_invalid_op+0x1a/0x20\n\t ? rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t rcu_nocb_cpu_deoffload+0x70/0xa0\n\t rcu_nocb_toggle+0x136/0x1c0\n\t ? __pfx_rcu_nocb_toggle+0x10/0x10\n\t kthread+0xd1/0x100\n\t ? __pfx_kthread+0x10/0x10\n\t ret_from_fork+0x2f/0x50\n\t ? __pfx_kthread+0x10/0x10\n\t ret_from_fork_asm+0x1a/0x30\n\t </TASK>\n\nCPU0 CPU2 CPU3\n//rcu_nocb_toggle //nocb_cb_wait //rcutorture\n\n// deoffload CPU1 // process CPU1's rdp\nrcu_barrier()\n rcu_segcblist_entrain()\n rcu_segcblist_add_len(1);\n // len == 2\n // enqueue barrier\n // callback to CPU1's\n // rdp->cblist\n rcu_do_batch()\n // invoke CPU1's rdp->cblist\n // callback\n rcu_barrier_callback()\n rcu_barrier()\n mutex_lock(&rcu_state.barrier_mutex);\n // still see len == 2\n // enqueue barrier callback\n // to CPU1's rdp->cblist\n rcu_segcblist_entrain()\n rcu_segcblist_add_len(1);\n // len == 3\n // decrement len\n rcu_segcblist_add_len(-2);\n kthread_parkme()\n\n// CPU1's rdp->cblist len == 1\n// Warn because there is\n// still a pending barrier\n// trigger warning\nWARN_ON_ONCE(rcu_segcblist_n_cbs(&rdp->cblist));\ncpus_read_unlock();\n\n // wait CPU1 to comes online and\n // invoke barrier callback on\n // CPU1 rdp's->cblist\n wait_for_completion(&rcu_state.barrier_completion);\n// deoffload CPU4\ncpus_read_lock()\n rcu_barrier()\n mutex_lock(&rcu_state.barrier_mutex);\n // block on barrier_mutex\n // wait rcu_barrier() on\n // CPU3 to unlock barrier_mutex\n // but CPU3 unlock barrier_mutex\n // need to wait CPU1 comes online\n // when CPU1 going online will block on cpus_write_lock\n\nThe above scenario will not only trigger a WARN_ON_ONCE(), but also\ntrigger a deadlock.\n\nThanks to nocb locking, a second racing rcu_barrier() on an offline CPU\nwill either observe the decremented callback counter down to 0 and spare\nthe callback enqueue, or rcuo will observe the new callback and keep\nrdp->nocb_cb_sleep to false.\n\nTherefore check rdp->nocb_cb_sleep before parking to make sure no\nfurther rcu_barrier() is waiting on the rdp."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/rcu/tree_nocb.h"], "versions": [{"version": "1fcb932c8b5ce86219d7dedcd63659351a43291c", "lessThan": "224b62028959858294789772d372dcb36cf5f820", "status": "affected", "versionType": "git"}, {"version": "1fcb932c8b5ce86219d7dedcd63659351a43291c", "lessThan": "2996980e20b7a54a1869df15b3445374b850b155", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/rcu/tree_nocb.h"], "versions": [{"version": "6.12", "status": "affected"}, {"version": "0", "lessThan": "6.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.2", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.12.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.13"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/224b62028959858294789772d372dcb36cf5f820"}, {"url": "https://git.kernel.org/stable/c/2996980e20b7a54a1869df15b3445374b850b155"}], "title": "rcu/nocb: Fix missed RCU barrier on deoffloading", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8882B1B-2ABC-4838-AC1D-DBDBB5764776", "versionEndExcluding": "6.12.2", "versionStartIncluding": "6.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix missed RCU barrier on deoffloading\n\nCurrently, running rcutorture test with torture_type=rcu fwd_progress=8\nn_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60\ntest_boost=2, will trigger the following warning:\n\n\tWARNING: CPU: 19 PID: 100 at kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0\n\tRIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t Call Trace:\n\t <TASK>\n\t ? __warn+0x7e/0x120\n\t ? rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t ? report_bug+0x18e/0x1a0\n\t ? handle_bug+0x3d/0x70\n\t ? exc_invalid_op+0x18/0x70\n\t ? asm_exc_invalid_op+0x1a/0x20\n\t ? rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t rcu_nocb_cpu_deoffload+0x70/0xa0\n\t rcu_nocb_toggle+0x136/0x1c0\n\t ? __pfx_rcu_nocb_toggle+0x10/0x10\n\t kthread+0xd1/0x100\n\t ? __pfx_kthread+0x10/0x10\n\t ret_from_fork+0x2f/0x50\n\t ? __pfx_kthread+0x10/0x10\n\t ret_from_fork_asm+0x1a/0x30\n\t </TASK>\n\nCPU0 CPU2 CPU3\n//rcu_nocb_toggle //nocb_cb_wait //rcutorture\n\n// deoffload CPU1 // process CPU1's rdp\nrcu_barrier()\n rcu_segcblist_entrain()\n rcu_segcblist_add_len(1);\n // len == 2\n // enqueue barrier\n // callback to CPU1's\n // rdp->cblist\n rcu_do_batch()\n // invoke CPU1's rdp->cblist\n // callback\n rcu_barrier_callback()\n rcu_barrier()\n mutex_lock(&rcu_state.barrier_mutex);\n // still see len == 2\n // enqueue barrier callback\n // to CPU1's rdp->cblist\n rcu_segcblist_entrain()\n rcu_segcblist_add_len(1);\n // len == 3\n // decrement len\n rcu_segcblist_add_len(-2);\n kthread_parkme()\n\n// CPU1's rdp->cblist len == 1\n// Warn because there is\n// still a pending barrier\n// trigger warning\nWARN_ON_ONCE(rcu_segcblist_n_cbs(&rdp->cblist));\ncpus_read_unlock();\n\n // wait CPU1 to comes online and\n // invoke barrier callback on\n // CPU1 rdp's->cblist\n wait_for_completion(&rcu_state.barrier_completion);\n// deoffload CPU4\ncpus_read_lock()\n rcu_barrier()\n mutex_lock(&rcu_state.barrier_mutex);\n // block on barrier_mutex\n // wait rcu_barrier() on\n // CPU3 to unlock barrier_mutex\n // but CPU3 unlock barrier_mutex\n // need to wait CPU1 comes online\n // when CPU1 going online will block on cpus_write_lock\n\nThe above scenario will not only trigger a WARN_ON_ONCE(), but also\ntrigger a deadlock.\n\nThanks to nocb locking, a second racing rcu_barrier() on an offline CPU\nwill either observe the decremented callback counter down to 0 and spare\nthe callback enqueue, or rcuo will observe the new callback and keep\nrdp->nocb_cb_sleep to false.\n\nTherefore check rdp->nocb_cb_sleep before parking to make sure no\nfurther rcu_barrier() is waiting on the rdp."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rcu/nocb: Corregir la barrera RCU omitida al descargar Actualmente, ejecutar la prueba rcutorture con torture_type=rcu fwd_progress=8 n_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60 test_boost=2, activar\u00e1 la siguiente advertencia: ADVERTENCIA: CPU: 19 PID: 100 en kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0 RIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0 Rastreo de llamadas: ? __warn+0x7e/0x120 ? rcu_nocb_rdp_deoffload+0x292/0x2a0? report_bug+0x18e/0x1a0? handle_bug+0x3d/0x70? exc_invalid_op+0x18/0x70? asm_exc_invalid_op+0x1a/0x20? rcu_nocb_rdp_deoffload+0x292/0x2a0 rcu_nocb_cpu_deoffload+0x70/0xa0 rcu_nocb_toggle+0x136/0x1c0? __pfx_rcu_nocb_toggle+0x10/0x10 kthread+0xd1/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 CPU0 CPU2 CPU3 //rcu_nocb_toggle //nocb_cb_wait //rcutorture // desconecta la CPU1 // procesa el rdp de la CPU1 rcu_barrier() rcu_segcblist_entrain() rcu_segcblist_add_len(1); // len == 2 // poner en cola la barrera // devoluci\u00f3n de llamada a rdp-&gt;cblist de CPU1 rcu_do_batch() // invocar rdp-&gt;cblist de CPU1 // devoluci\u00f3n de llamada rcu_barrier_callback() rcu_barrier() mutex_lock(&amp;rcu_state.barrier_mutex); // todav\u00eda se ve len == 2 // poner en cola la barrera // devoluci\u00f3n de llamada a rdp-&gt;cblist de CPU1 rcu_segcblist_entrain() rcu_segcblist_add_len(1); // len == 3 // decrementar len rcu_segcblist_add_len(-2); kthread_parkme() // rdp-&gt;cblist de CPU1 len == 1 // Advertir porque todav\u00eda hay una barrera pendiente // activar la advertencia WARN_ON_ONCE(rcu_segcblist_n_cbs(&amp;rdp-&gt;cblist)); cpus_read_unlock(); // esperar a que la CPU1 se conecte e // invocar la devoluci\u00f3n de llamada de barrera en // la CPU1 rdp's-&gt;cblist wait_for_completion(&amp;rcu_state.barrier_completion); // descargar la CPU4 cpus_read_lock() rcu_barrier() mutex_lock(&amp;rcu_state.barrier_mutex); // bloquear en barrier_mutex // esperar a que rcu_barrier() en // la CPU3 desbloquee barrier_mutex // pero la CPU3 desbloquea barrier_mutex // necesita esperar a que la CPU1 se conecte // cuando la CPU1 se conecte se bloquear\u00e1 en cpus_write_lock El escenario anterior no solo activar\u00e1 un WARN_ON_ONCE(), sino que tambi\u00e9n activar\u00e1 un bloqueo. Gracias al bloqueo de nocb, un segundo rcu_barrier() en una CPU fuera de l\u00ednea observar\u00e1 el contador de devoluci\u00f3n de llamadas reducido a 0 y ahorrar\u00e1 la puesta en cola de devoluci\u00f3n de llamadas, o rcuo observar\u00e1 la nueva devoluci\u00f3n de llamada y mantendr\u00e1 rdp-&gt;nocb_cb_sleep en falso. Por lo tanto, verifique rdp-&gt;nocb_cb_sleep antes de estacionar para asegurarse de que no haya m\u00e1s rcu_barrier() esperando en el rdp."}], "id": "CVE-2024-56547", "lastModified": "2025-10-08T13:57:18.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-12-27T14:15:34.497", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/224b62028959858294789772d372dcb36cf5f820"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2996980e20b7a54a1869df15b3445374b850b155"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: rcu/nocb: Fix missed RCU barrier on deoffloading", "id": "2334521", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334521"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nrcu/nocb: Fix missed RCU barrier on deoffloading\nCurrently, running rcutorture test with torture_type=rcu fwd_progress=8\nn_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60\ntest_boost=2, will trigger the following warning:\nWARNING: CPU: 19 PID: 100 at kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0\nRIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0\nCall Trace:\n<TASK>\n? __warn+0x7e/0x120\n? rcu_nocb_rdp_deoffload+0x292/0x2a0\n? report_bug+0x18e/0x1a0\n? handle_bug+0x3d/0x70\n? exc_invalid_op+0x18/0x70\n? asm_exc_invalid_op+0x1a/0x20\n? rcu_nocb_rdp_deoffload+0x292/0x2a0\nrcu_nocb_cpu_deoffload+0x70/0xa0\nrcu_nocb_toggle+0x136/0x1c0\n? __pfx_rcu_nocb_toggle+0x10/0x10\nkthread+0xd1/0x100\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x2f/0x50\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1a/0x30\n</TASK>\nCPU0 CPU2 CPU3\n//rcu_nocb_toggle //nocb_cb_wait //rcutorture\n// deoffload CPU1 // process CPU1's rdp\nrcu_barrier()\nrcu_segcblist_entrain()\nrcu_segcblist_add_len(1);\n// len == 2\n// enqueue barrier\n// callback to CPU1's\n// rdp->cblist\nrcu_do_batch()\n// invoke CPU1's rdp->cblist\n// callback\nrcu_barrier_callback()\nrcu_barrier()\nmutex_lock(&rcu_state.barrier_mutex);\n// still see len == 2\n// enqueue barrier callback\n// to CPU1's rdp->cblist\nrcu_segcblist_entrain()\nrcu_segcblist_add_len(1);\n// len == 3\n// decrement len\nrcu_segcblist_add_len(-2);\nkthread_parkme()\n// CPU1's rdp->cblist len == 1\n// Warn because there is\n// still a pending barrier\n// trigger warning\nWARN_ON_ONCE(rcu_segcblist_n_cbs(&rdp->cblist));\ncpus_read_unlock();\n// wait CPU1 to comes online and\n// invoke barrier callback on\n// CPU1 rdp's->cblist\nwait_for_completion(&rcu_state.barrier_completion);\n// deoffload CPU4\ncpus_read_lock()\nrcu_barrier()\nmutex_lock(&rcu_state.barrier_mutex);\n// block on barrier_mutex\n// wait rcu_barrier() on\n// CPU3 to unlock barrier_mutex\n// but CPU3 unlock barrier_mutex\n// need to wait CPU1 comes online\n// when CPU1 going online will block on cpus_write_lock\nThe above scenario will not only trigger a WARN_ON_ONCE(), but also\ntrigger a deadlock.\nThanks to nocb locking, a second racing rcu_barrier() on an offline CPU\nwill either observe the decremented callback counter down to 0 and spare\nthe callback enqueue, or rcuo will observe the new callback and keep\nrdp->nocb_cb_sleep to false.\nTherefore check rdp->nocb_cb_sleep before parking to make sure no\nfurther rcu_barrier() is waiting on the rdp."], "name": "CVE-2024-56547", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-12-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-56547\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-56547\nhttps://lore.kernel.org/linux-cve-announce/2024122729-CVE-2024-56547-c340@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-07-12T23:06:18.735302+00:00", "updated": "2025-07-12T23:06:18.735381+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}