cve/published/2024/CVE-2024-58090.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-58090: sched/core: Prevent rescheduling when interrupts are disabled

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 sched/core: Prevent rescheduling when interrupts are disabled

 David reported a warning observed while loop testing kexec jump:

   Interrupts enabled after irqrouter_resume+0x0/0x50
   WARNING: CPU: 0 PID: 560 at drivers/base/syscore.c:103 syscore_resume+0x18a/0x220
    kernel_kexec+0xf6/0x180
    __do_sys_reboot+0x206/0x250
    do_syscall_64+0x95/0x180

 The corresponding interrupt flag trace:

   hardirqs last  enabled at (15573): [<ffffffffa8281b8e>] __up_console_sem+0x7e/0x90
   hardirqs last disabled at (15580): [<ffffffffa8281b73>] __up_console_sem+0x63/0x90

 That means __up_console_sem() was invoked with interrupts enabled. Further
 instrumentation revealed that in the interrupt disabled section of kexec
 jump one of the syscore_suspend() callbacks woke up a task, which set the
 NEED_RESCHED flag. A later callback in the resume path invoked
 cond_resched() which in turn led to the invocation of the scheduler:

   __cond_resched+0x21/0x60
   down_timeout+0x18/0x60
   acpi_os_wait_semaphore+0x4c/0x80
   acpi_ut_acquire_mutex+0x3d/0x100
   acpi_ns_get_node+0x27/0x60
   acpi_ns_evaluate+0x1cb/0x2d0
   acpi_rs_set_srs_method_data+0x156/0x190
   acpi_pci_link_set+0x11c/0x290
   irqrouter_resume+0x54/0x60
   syscore_resume+0x6a/0x200
   kernel_kexec+0x145/0x1c0
   __do_sys_reboot+0xeb/0x240
   do_syscall_64+0x95/0x180

 This is a long standing problem, which probably got more visible with
 the recent printk changes. Something does a task wakeup and the
 scheduler sets the NEED_RESCHED flag. cond_resched() sees it set and
 invokes schedule() from a completely bogus context. The scheduler
 enables interrupts after context switching, which causes the above
 warning at the end.

 Quite some of the code paths in syscore_suspend()/resume() can result in
 triggering a wakeup with the exactly same consequences. They might not
 have done so yet, but as they share a lot of code with normal operations
 it's just a question of time.

 The problem only affects the PREEMPT_NONE and PREEMPT_VOLUNTARY scheduling
 models. Full preemption is not affected as cond_resched() is disabled and
 the preemption check preemptible() takes the interrupt disabled flag into
 account.

 Cure the problem by adding a corresponding check into cond_resched().

 The Linux kernel CVE team has assigned CVE-2024-58090 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.4.291 with commit 321794b75ac968f0bb6b9c913581949452a8d992
 	Fixed in 5.10.235 with commit 1651f5731b378616565534eb9cda30e258cebebc
 	Fixed in 5.15.179 with commit 288fdb8dcb71ec77b76ab8b8a06bc10f595ea504
 	Fixed in 6.1.130 with commit 84586322e010164eedddfcd0a0894206ae7d9317
 	Fixed in 6.6.81 with commit 68786ab0935ccd5721283b7eb7f4d2f2942c7a52
 	Fixed in 6.12.18 with commit 0362847c520747b44b574d363705d8af0621727a
 	Fixed in 6.13.6 with commit b927c8539f692fb1f9c2f42e6c8ea2d94956f921
 	Fixed in 6.14 with commit 82c387ef7568c0d96a918a5a78d9cad6256cfa15

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-58090
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/sched/core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/321794b75ac968f0bb6b9c913581949452a8d992
 	https://git.kernel.org/stable/c/1651f5731b378616565534eb9cda30e258cebebc
 	https://git.kernel.org/stable/c/288fdb8dcb71ec77b76ab8b8a06bc10f595ea504
 	https://git.kernel.org/stable/c/84586322e010164eedddfcd0a0894206ae7d9317
 	https://git.kernel.org/stable/c/68786ab0935ccd5721283b7eb7f4d2f2942c7a52
 	https://git.kernel.org/stable/c/0362847c520747b44b574d363705d8af0621727a
 	https://git.kernel.org/stable/c/b927c8539f692fb1f9c2f42e6c8ea2d94956f921
 	https://git.kernel.org/stable/c/82c387ef7568c0d96a918a5a78d9cad6256cfa15
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-58090: sched/core: Prevent rescheduling when interrupts are disabled

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	sched/core: Prevent rescheduling when interrupts are disabled

	David reported a warning observed while loop testing kexec jump:

	Interrupts enabled after irqrouter_resume+0x0/0x50
	WARNING: CPU: 0 PID: 560 at drivers/base/syscore.c:103 syscore_resume+0x18a/0x220
	kernel_kexec+0xf6/0x180
	__do_sys_reboot+0x206/0x250
	do_syscall_64+0x95/0x180

	The corresponding interrupt flag trace:

	hardirqs last enabled at (15573): [<ffffffffa8281b8e>] __up_console_sem+0x7e/0x90
	hardirqs last disabled at (15580): [<ffffffffa8281b73>] __up_console_sem+0x63/0x90

	That means __up_console_sem() was invoked with interrupts enabled. Further
	instrumentation revealed that in the interrupt disabled section of kexec
	jump one of the syscore_suspend() callbacks woke up a task, which set the
	NEED_RESCHED flag. A later callback in the resume path invoked
	cond_resched() which in turn led to the invocation of the scheduler:

	__cond_resched+0x21/0x60
	down_timeout+0x18/0x60
	acpi_os_wait_semaphore+0x4c/0x80
	acpi_ut_acquire_mutex+0x3d/0x100
	acpi_ns_get_node+0x27/0x60
	acpi_ns_evaluate+0x1cb/0x2d0
	acpi_rs_set_srs_method_data+0x156/0x190
	acpi_pci_link_set+0x11c/0x290
	irqrouter_resume+0x54/0x60
	syscore_resume+0x6a/0x200
	kernel_kexec+0x145/0x1c0
	__do_sys_reboot+0xeb/0x240
	do_syscall_64+0x95/0x180

	This is a long standing problem, which probably got more visible with
	the recent printk changes. Something does a task wakeup and the
	scheduler sets the NEED_RESCHED flag. cond_resched() sees it set and
	invokes schedule() from a completely bogus context. The scheduler
	enables interrupts after context switching, which causes the above
	warning at the end.

	Quite some of the code paths in syscore_suspend()/resume() can result in
	triggering a wakeup with the exactly same consequences. They might not
	have done so yet, but as they share a lot of code with normal operations
	it's just a question of time.

	The problem only affects the PREEMPT_NONE and PREEMPT_VOLUNTARY scheduling
	models. Full preemption is not affected as cond_resched() is disabled and
	the preemption check preemptible() takes the interrupt disabled flag into
	account.

	Cure the problem by adding a corresponding check into cond_resched().

	The Linux kernel CVE team has assigned CVE-2024-58090 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.4.291 with commit 321794b75ac968f0bb6b9c913581949452a8d992
	Fixed in 5.10.235 with commit 1651f5731b378616565534eb9cda30e258cebebc
	Fixed in 5.15.179 with commit 288fdb8dcb71ec77b76ab8b8a06bc10f595ea504
	Fixed in 6.1.130 with commit 84586322e010164eedddfcd0a0894206ae7d9317
	Fixed in 6.6.81 with commit 68786ab0935ccd5721283b7eb7f4d2f2942c7a52
	Fixed in 6.12.18 with commit 0362847c520747b44b574d363705d8af0621727a
	Fixed in 6.13.6 with commit b927c8539f692fb1f9c2f42e6c8ea2d94956f921
	Fixed in 6.14 with commit 82c387ef7568c0d96a918a5a78d9cad6256cfa15

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-58090
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/sched/core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/321794b75ac968f0bb6b9c913581949452a8d992
	https://git.kernel.org/stable/c/1651f5731b378616565534eb9cda30e258cebebc
	https://git.kernel.org/stable/c/288fdb8dcb71ec77b76ab8b8a06bc10f595ea504
	https://git.kernel.org/stable/c/84586322e010164eedddfcd0a0894206ae7d9317
	https://git.kernel.org/stable/c/68786ab0935ccd5721283b7eb7f4d2f2942c7a52
	https://git.kernel.org/stable/c/0362847c520747b44b574d363705d8af0621727a
	https://git.kernel.org/stable/c/b927c8539f692fb1f9c2f42e6c8ea2d94956f921
	https://git.kernel.org/stable/c/82c387ef7568c0d96a918a5a78d9cad6256cfa15