cve/published/2024/CVE-2024-57891.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57891: sched_ext: Fix invalid irq restore in scx_ops_bypass()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 sched_ext: Fix invalid irq restore in scx_ops_bypass()

 While adding outer irqsave/restore locking, 0e7ffff1b811 ("scx: Fix raciness
 in scx_ops_bypass()") forgot to convert an inner rq_unlock_irqrestore() to
 rq_unlock() which could re-enable IRQ prematurely leading to the following
 warning:

   raw_local_irq_restore() called with IRQs enabled
   WARNING: CPU: 1 PID: 96 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40
   ...
   Sched_ext: create_dsq (enabling)
   pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
   pc : warn_bogus_irq_restore+0x30/0x40
   lr : warn_bogus_irq_restore+0x30/0x40
   ...
   Call trace:
    warn_bogus_irq_restore+0x30/0x40 (P)
    warn_bogus_irq_restore+0x30/0x40 (L)
    scx_ops_bypass+0x224/0x3b8
    scx_ops_enable.isra.0+0x2c8/0xaa8
    bpf_scx_reg+0x18/0x30
   ...
   irq event stamp: 33739
   hardirqs last  enabled at (33739): [<ffff8000800b699c>] scx_ops_bypass+0x174/0x3b8
   hardirqs last disabled at (33738): [<ffff800080d48ad4>] _raw_spin_lock_irqsave+0xb4/0xd8

 Drop the stray _irqrestore().

 The Linux kernel CVE team has assigned CVE-2024-57891 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.12 with commit 0e7ffff1b8117b05635c87d3c9099f6aa9c9b689 and fixed in 6.12.9 with commit 786362ce60d79967875f43e0ba55ad7a5376c133
 	Issue introduced in 6.12 with commit 0e7ffff1b8117b05635c87d3c9099f6aa9c9b689 and fixed in 6.13 with commit 18b2093f4598d8ee67a8153badc93f0fa7686b8a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57891
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/sched/ext.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/786362ce60d79967875f43e0ba55ad7a5376c133
 	https://git.kernel.org/stable/c/18b2093f4598d8ee67a8153badc93f0fa7686b8a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57891: sched_ext: Fix invalid irq restore in scx_ops_bypass()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	sched_ext: Fix invalid irq restore in scx_ops_bypass()

	While adding outer irqsave/restore locking, 0e7ffff1b811 ("scx: Fix raciness
	in scx_ops_bypass()") forgot to convert an inner rq_unlock_irqrestore() to
	rq_unlock() which could re-enable IRQ prematurely leading to the following
	warning:

	raw_local_irq_restore() called with IRQs enabled
	WARNING: CPU: 1 PID: 96 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40
	...
	Sched_ext: create_dsq (enabling)
	pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	pc : warn_bogus_irq_restore+0x30/0x40
	lr : warn_bogus_irq_restore+0x30/0x40
	...
	Call trace:
	warn_bogus_irq_restore+0x30/0x40 (P)
	warn_bogus_irq_restore+0x30/0x40 (L)
	scx_ops_bypass+0x224/0x3b8
	scx_ops_enable.isra.0+0x2c8/0xaa8
	bpf_scx_reg+0x18/0x30
	...
	irq event stamp: 33739
	hardirqs last enabled at (33739): [<ffff8000800b699c>] scx_ops_bypass+0x174/0x3b8
	hardirqs last disabled at (33738): [<ffff800080d48ad4>] _raw_spin_lock_irqsave+0xb4/0xd8

	Drop the stray _irqrestore().

	The Linux kernel CVE team has assigned CVE-2024-57891 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.12 with commit 0e7ffff1b8117b05635c87d3c9099f6aa9c9b689 and fixed in 6.12.9 with commit 786362ce60d79967875f43e0ba55ad7a5376c133
	Issue introduced in 6.12 with commit 0e7ffff1b8117b05635c87d3c9099f6aa9c9b689 and fixed in 6.13 with commit 18b2093f4598d8ee67a8153badc93f0fa7686b8a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57891
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/sched/ext.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/786362ce60d79967875f43e0ba55ad7a5376c133
	https://git.kernel.org/stable/c/18b2093f4598d8ee67a8153badc93f0fa7686b8a