cve/published/2024/CVE-2024-50032.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50032: rcu/nocb: Fix rcuog wake-up from offline softirq

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 rcu/nocb: Fix rcuog wake-up from offline softirq

 After a CPU has set itself offline and before it eventually calls
 rcutree_report_cpu_dead(), there are still opportunities for callbacks
 to be enqueued, for example from a softirq. When that happens on NOCB,
 the rcuog wake-up is deferred through an IPI to an online CPU in order
 not to call into the scheduler and risk arming the RT-bandwidth after
 hrtimers have been migrated out and disabled.

 But performing a synchronized IPI from a softirq is buggy as reported in
 the following scenario:

         WARNING: CPU: 1 PID: 26 at kernel/smp.c:633 smp_call_function_single
         Modules linked in: rcutorture torture
         CPU: 1 UID: 0 PID: 26 Comm: migration/1 Not tainted 6.11.0-rc1-00012-g9139f93209d1 #1
         Stopper: multi_cpu_stop+0x0/0x320 <- __stop_cpus+0xd0/0x120
         RIP: 0010:smp_call_function_single
         <IRQ>
         swake_up_one_online
         __call_rcu_nocb_wake
         __call_rcu_common
         ? rcu_torture_one_read
         call_timer_fn
         __run_timers
         run_timer_softirq
         handle_softirqs
         irq_exit_rcu
         ? tick_handle_periodic
         sysvec_apic_timer_interrupt
         </IRQ>

 Fix this with forcing deferred rcuog wake up through the NOCB timer when
 the CPU is offline. The actual wake up will happen from
 rcutree_report_cpu_dead().

 The Linux kernel CVE team has assigned CVE-2024-50032 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.6.54 with commit 9b52ee18f6d2f0e845b0dd5ba35edc02ba318827 and fixed in 6.6.57 with commit 84a5feebba10354c683983f5f1372a144225e4c2
 	Issue introduced in 6.11.2 with commit 00a611229bfad075660181c53e054ff544d3ac34 and fixed in 6.11.4 with commit e66b1e01f2eb3209d08122572f41f7838b79540d
 	Issue introduced in 6.1.113 with commit ec2777e57f2f548702b147c6e5cc088079bd93ca
 	Issue introduced in 6.10.13 with commit bbeaae6f79b2923cf8b8f191d039b19f11adf045

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50032
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/rcu/tree_nocb.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/84a5feebba10354c683983f5f1372a144225e4c2
 	https://git.kernel.org/stable/c/e66b1e01f2eb3209d08122572f41f7838b79540d
 	https://git.kernel.org/stable/c/f7345ccc62a4b880cf76458db5f320725f28e400
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50032: rcu/nocb: Fix rcuog wake-up from offline softirq

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	rcu/nocb: Fix rcuog wake-up from offline softirq

	After a CPU has set itself offline and before it eventually calls
	rcutree_report_cpu_dead(), there are still opportunities for callbacks
	to be enqueued, for example from a softirq. When that happens on NOCB,
	the rcuog wake-up is deferred through an IPI to an online CPU in order
	not to call into the scheduler and risk arming the RT-bandwidth after
	hrtimers have been migrated out and disabled.

	But performing a synchronized IPI from a softirq is buggy as reported in
	the following scenario:

	WARNING: CPU: 1 PID: 26 at kernel/smp.c:633 smp_call_function_single
	Modules linked in: rcutorture torture
	CPU: 1 UID: 0 PID: 26 Comm: migration/1 Not tainted 6.11.0-rc1-00012-g9139f93209d1 #1
	Stopper: multi_cpu_stop+0x0/0x320 <- __stop_cpus+0xd0/0x120
	RIP: 0010:smp_call_function_single
	<IRQ>
	swake_up_one_online
	__call_rcu_nocb_wake
	__call_rcu_common
	? rcu_torture_one_read
	call_timer_fn
	__run_timers
	run_timer_softirq
	handle_softirqs
	irq_exit_rcu
	? tick_handle_periodic
	sysvec_apic_timer_interrupt
	</IRQ>

	Fix this with forcing deferred rcuog wake up through the NOCB timer when
	the CPU is offline. The actual wake up will happen from
	rcutree_report_cpu_dead().

	The Linux kernel CVE team has assigned CVE-2024-50032 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.6.54 with commit 9b52ee18f6d2f0e845b0dd5ba35edc02ba318827 and fixed in 6.6.57 with commit 84a5feebba10354c683983f5f1372a144225e4c2
	Issue introduced in 6.11.2 with commit 00a611229bfad075660181c53e054ff544d3ac34 and fixed in 6.11.4 with commit e66b1e01f2eb3209d08122572f41f7838b79540d
	Issue introduced in 6.1.113 with commit ec2777e57f2f548702b147c6e5cc088079bd93ca
	Issue introduced in 6.10.13 with commit bbeaae6f79b2923cf8b8f191d039b19f11adf045

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50032
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/rcu/tree_nocb.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/84a5feebba10354c683983f5f1372a144225e4c2
	https://git.kernel.org/stable/c/e66b1e01f2eb3209d08122572f41f7838b79540d
	https://git.kernel.org/stable/c/f7345ccc62a4b880cf76458db5f320725f28e400