CVE-2024-50032 Information

Description

In the Linux kernel the following vulnerability has been resolved:

rcu/nocb: Fix rcuog wake-up from offline softirq

After a CPU has set itself offline and before it eventually calls rcutree_report_cpu_dead() there are still opportunities for callbacks to be enqueued for example from a softirq. When that happens on NOCB the rcuog wake-up is deferred through an IPI to an online CPU in order not to call into the scheduler and risk arming the RT-bandwidth after hrtimers have been migrated out and disabled.

But performing a synchronized IPI from a softirq is buggy as reported in the following scenario:

    WARNING: CPU: 1 PID: 26 at kernel/smp.c:633 smp_call_function_single
    Modules linked in: rcutorture torture
    CPU: 1 UID: 0 PID: 26 Comm: migration/1 Not tainted 6.11.0-rc1-00012-g9139f93209d1 1
    Stopper: multi_cpu_stop+0x0/0x320 <- __stop_cpus+0xd0/0x120
    RIP: 0010:smp_call_function_single
    <IRQ>
    swake_up_one_online
    __call_rcu_nocb_wake
    __call_rcu_common
    ? rcu_torture_one_read
    call_timer_fn
    __run_timers
    run_timer_softirq
    handle_softirqs
    irq_exit_rcu
    ? tick_handle_periodic
    sysvec_apic_timer_interrupt
    </IRQ>

Fix this with forcing deferred rcuog wake up through the NOCB timer when the CPU is offline. The actual wake up will happen from rcutree_report_cpu_dead().

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Reference

https://git.kernel.org/stable/c/84a5feebba10354c683983f5f1372a144225e4c2 https://git.kernel.org/stable/c/e66b1e01f2eb3209d08122572f41f7838b79540d https://git.kernel.org/stable/c/f7345ccc62a4b880cf76458db5f320725f28e400

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

5.5