cve/published/2024/CVE-2024-58057.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-58057: idpf: convert workqueues to unbound

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 idpf: convert workqueues to unbound

 When a workqueue is created with `WQ_UNBOUND`, its work items are
 served by special worker-pools, whose host workers are not bound to
 any specific CPU. In the default configuration (i.e. when
 `queue_delayed_work` and friends do not specify which CPU to run the
 work item on), `WQ_UNBOUND` allows the work item to be executed on any
 CPU in the same node of the CPU it was enqueued on. While this
 solution potentially sacrifices locality, it avoids contention with
 other processes that might dominate the CPU time of the processor the
 work item was scheduled on.

 This is not just a theoretical problem: in a particular scenario
 misconfigured process was hogging most of the time from CPU0, leaving
 less than 0.5% of its CPU time to the kworker. The IDPF workqueues
 that were using the kworker on CPU0 suffered large completion delays
 as a result, causing performance degradation, timeouts and eventual
 system crash.


 * I have also run a manual test to gauge the performance
   improvement. The test consists of an antagonist process
   (`./stress --cpu 2`) consuming as much of CPU 0 as possible. This
   process is run under `taskset 01` to bind it to CPU0, and its
   priority is changed with `chrt -pQ 9900 10000 ${pid}` and
   `renice -n -20 ${pid}` after start.

   Then, the IDPF driver is forced to prefer CPU0 by editing all calls
   to `queue_delayed_work`, `mod_delayed_work`, etc... to use CPU 0.

   Finally, `ktraces` for the workqueue events are collected.

   Without the current patch, the antagonist process can force
   arbitrary delays between `workqueue_queue_work` and
   `workqueue_execute_start`, that in my tests were as high as
   `30ms`. With the current patch applied, the workqueue can be
   migrated to another unloaded CPU in the same node, and, keeping
   everything else equal, the maximum delay I could see was `6us`.

 The Linux kernel CVE team has assigned CVE-2024-58057 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.7 with commit 0fe45467a1041ea3657a7fa3a791c84c104fbd34 and fixed in 6.12.13 with commit 66bf9b3d9e1658333741f075320dc8e7cd6f8d09
 	Issue introduced in 6.7 with commit 0fe45467a1041ea3657a7fa3a791c84c104fbd34 and fixed in 6.13.2 with commit 868202ec3854e13de1164e4a3e25521194c5af72
 	Issue introduced in 6.7 with commit 0fe45467a1041ea3657a7fa3a791c84c104fbd34 and fixed in 6.14 with commit 9a5b021cb8186f1854bac2812bd4f396bb1e881c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-58057
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/intel/idpf/idpf_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/66bf9b3d9e1658333741f075320dc8e7cd6f8d09
 	https://git.kernel.org/stable/c/868202ec3854e13de1164e4a3e25521194c5af72
 	https://git.kernel.org/stable/c/9a5b021cb8186f1854bac2812bd4f396bb1e881c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-58057: idpf: convert workqueues to unbound

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	idpf: convert workqueues to unbound

	When a workqueue is created with `WQ_UNBOUND`, its work items are
	served by special worker-pools, whose host workers are not bound to
	any specific CPU. In the default configuration (i.e. when
	`queue_delayed_work` and friends do not specify which CPU to run the
	work item on), `WQ_UNBOUND` allows the work item to be executed on any
	CPU in the same node of the CPU it was enqueued on. While this
	solution potentially sacrifices locality, it avoids contention with
	other processes that might dominate the CPU time of the processor the
	work item was scheduled on.

	This is not just a theoretical problem: in a particular scenario
	misconfigured process was hogging most of the time from CPU0, leaving
	less than 0.5% of its CPU time to the kworker. The IDPF workqueues
	that were using the kworker on CPU0 suffered large completion delays
	as a result, causing performance degradation, timeouts and eventual
	system crash.


	* I have also run a manual test to gauge the performance
	improvement. The test consists of an antagonist process
	(`./stress --cpu 2`) consuming as much of CPU 0 as possible. This
	process is run under `taskset 01` to bind it to CPU0, and its
	priority is changed with `chrt -pQ 9900 10000 ${pid}` and
	`renice -n -20 ${pid}` after start.

	Then, the IDPF driver is forced to prefer CPU0 by editing all calls
	to `queue_delayed_work`, `mod_delayed_work`, etc... to use CPU 0.

	Finally, `ktraces` for the workqueue events are collected.

	Without the current patch, the antagonist process can force
	arbitrary delays between `workqueue_queue_work` and
	`workqueue_execute_start`, that in my tests were as high as
	`30ms`. With the current patch applied, the workqueue can be
	migrated to another unloaded CPU in the same node, and, keeping
	everything else equal, the maximum delay I could see was `6us`.

	The Linux kernel CVE team has assigned CVE-2024-58057 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.7 with commit 0fe45467a1041ea3657a7fa3a791c84c104fbd34 and fixed in 6.12.13 with commit 66bf9b3d9e1658333741f075320dc8e7cd6f8d09
	Issue introduced in 6.7 with commit 0fe45467a1041ea3657a7fa3a791c84c104fbd34 and fixed in 6.13.2 with commit 868202ec3854e13de1164e4a3e25521194c5af72
	Issue introduced in 6.7 with commit 0fe45467a1041ea3657a7fa3a791c84c104fbd34 and fixed in 6.14 with commit 9a5b021cb8186f1854bac2812bd4f396bb1e881c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-58057
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/intel/idpf/idpf_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/66bf9b3d9e1658333741f075320dc8e7cd6f8d09
	https://git.kernel.org/stable/c/868202ec3854e13de1164e4a3e25521194c5af72
	https://git.kernel.org/stable/c/9a5b021cb8186f1854bac2812bd4f396bb1e881c