| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-49926: rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() |
| |
| For kernels built with CONFIG_FORCE_NR_CPUS=y, the nr_cpu_ids is |
| defined as NR_CPUS instead of the number of possible cpus; this |
| will cause the following system panic: |
| |
| smpboot: Allowing 4 CPUs, 0 hotplug CPUs |
| ... |
| setup_percpu: NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:512 nr_node_ids:1 |
| ... |
| BUG: unable to handle page fault for address: ffffffff9911c8c8 |
| Oops: 0000 [#1] PREEMPT SMP PTI |
| CPU: 0 PID: 15 Comm: rcu_tasks_trace Tainted: G W |
| 6.6.21 #1 5dc7acf91a5e8e9ac9dcfc35bee0245691283ea6 |
| RIP: 0010:rcu_tasks_need_gpcb+0x25d/0x2c0 |
| RSP: 0018:ffffa371c00a3e60 EFLAGS: 00010082 |
| CR2: ffffffff9911c8c8 CR3: 000000040fa20005 CR4: 00000000001706f0 |
| Call Trace: |
| <TASK> |
| ? __die+0x23/0x80 |
| ? page_fault_oops+0xa4/0x180 |
| ? exc_page_fault+0x152/0x180 |
| ? asm_exc_page_fault+0x26/0x40 |
| ? rcu_tasks_need_gpcb+0x25d/0x2c0 |
| ? __pfx_rcu_tasks_kthread+0x40/0x40 |
| rcu_tasks_one_gp+0x69/0x180 |
| rcu_tasks_kthread+0x94/0xc0 |
| kthread+0xe8/0x140 |
| ? __pfx_kthread+0x40/0x40 |
| ret_from_fork+0x34/0x80 |
| ? __pfx_kthread+0x40/0x40 |
| ret_from_fork_asm+0x1b/0x80 |
| </TASK> |
| |
| Considering that there may be holes in the CPU numbers, use the |
| maximum possible cpu number, instead of nr_cpu_ids, for configuring |
| enqueue and dequeue limits. |
| |
| [ neeraj.upadhyay: Fix htmldocs build error reported by Stephen Rothwell ] |
| |
| The Linux kernel CVE team has assigned CVE-2024-49926 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 6.6.60 with commit b3b2431ed27f4ebc28e26cdf005c1de42dc60bdf |
| Fixed in 6.10.14 with commit 3104bddc666ff64b90491868bbc4c7ebdd90aedf |
| Fixed in 6.11.3 with commit 05095271a4fb0f6497121a057f9a2edf386d5d96 |
| Fixed in 6.12 with commit fd70e9f1d85f5323096ad313ba73f5fe3d15ea41 |
| |
| Please see https://www.kernel.org for a full list of kernel versions |
| currently supported by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-49926 |
| will be updated if fixes are backported; please check that for the most |
| up-to-date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| kernel/rcu/tasks.h |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If, however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/b3b2431ed27f4ebc28e26cdf005c1de42dc60bdf |
| https://git.kernel.org/stable/c/3104bddc666ff64b90491868bbc4c7ebdd90aedf |
| https://git.kernel.org/stable/c/05095271a4fb0f6497121a057f9a2edf386d5d96 |
| https://git.kernel.org/stable/c/fd70e9f1d85f5323096ad313ba73f5fe3d15ea41 |
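
A triage sketch for the condition in the Description and the fixed releases listed above. It is an added example, not part of the original announcement or the kernel source. The function names, result labels and the boot-log heuristic are assumptions. The advisory does not say which release introduced the bug, so branches it does not list are reported as "check-branch".

```python
import re

# Fixed releases exactly as listed in the advisory: stable branch -> first fixed patch level.
FIXED_STABLE = {(6, 6): 60, (6, 10): 14, (6, 11): 3}
FIXED_MAINLINE = (6, 12)

def has_fix(release):
    """True/False when the advisory's list decides it; None for branches it does not list."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return None
    branch, patch = (int(m[1]), int(m[2])), int(m[3] or 0)
    if branch >= FIXED_MAINLINE:
        return True
    if branch in FIXED_STABLE:
        return patch >= FIXED_STABLE[branch]
    return None

def forced_nr_cpu_ids(log):
    """Heuristic (assumption): nr_cpu_ids equals NR_CPUS and exceeds the CPU count smpboot allowed."""
    allowed = re.search(r"smpboot: Allowing (\d+) CPUs", log)
    percpu = re.search(r"setup_percpu: NR_CPUS:(\d+) .*?nr_cpu_ids:(\d+)", log)
    if not (allowed and percpu):
        return None  # the two boot lines are not present in this log
    nr_cpus, nr_cpu_ids = int(percpu[1]), int(percpu[2])
    return nr_cpu_ids == nr_cpus and nr_cpu_ids > int(allowed[1])

def triage(release, log):
    """Classify one host from its kernel release string and its kernel log text."""
    if re.search(r"RIP: \S*rcu_tasks_need_gpcb\+", log):
        return "crash-signature"  # the oops quoted in the advisory is in the log
    fixed = has_fix(release)
    if fixed:
        return "fixed"
    if forced_nr_cpu_ids(log):
        return "exposed" if fixed is False else "check-branch"
    return "condition-not-seen"

# Constructed sample input, modelled on the log lines quoted in the advisory.
SAMPLE_BOOT = """smpboot: Allowing 4 CPUs, 0 hotplug CPUs
setup_percpu: NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:512 nr_node_ids:1
"""
SAMPLE_OOPS = SAMPLE_BOOT + "RIP: 0010:rcu_tasks_need_gpcb+0x25d/0x2c0\n"

if __name__ == "__main__":
    for rel, log in [("6.6.21", SAMPLE_BOOT), ("6.6.21", SAMPLE_OOPS), ("6.6.60", SAMPLE_BOOT)]:
        print(rel, triage(rel, log))
```

On a real host, pass the output of `uname -r` and the saved kernel log. A CPU numbering with holes can also make nr_cpu_ids exceed the allowed count, so treat "exposed" as a prompt to confirm CONFIG_FORCE_NR_CPUS in the kernel config.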