CVE-2021-47454

Summary

In the Linux kernel, the following vulnerability has been resolved:

powerpc/smp: do not decrement idle task preempt count in CPU offline

With PREEMPT_COUNT=y, when a CPU is offlined and then onlined again, we get:

BUG: scheduling while atomic: swapper/1/0/0x00000000 no locks held by swapper/1/0. CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.15.0-rc2+ #100 Call Trace: dump_stack_lvl+0xac/0x108 __schedule_bug+0xac/0xe0 __schedule+0xcf8/0x10d0 schedule_idle+0x3c/0x70 do_idle+0x2d8/0x4a0 cpu_startup_entry+0x38/0x40 start_secondary+0x2ec/0x3a0 start_secondary_prolog+0x10/0x14

This is because powerpc's arch_cpu_idle_dead() decrements the idle task's preempt count, for reasons explained in commit a7c2bb8279d2 ("powerpc: Re-enable preemption before cpu_die()"), specifically "start_secondary() expects a preempt_count() of 0."

However, since commit 2c669ef6979c ("powerpc/preempt: Don't touch the idle task's preempt_count during hotplug") and commit f1a0a376ca0c ("sched/core: Initialize the idle task with preemption disabled"), that justification no longer holds.

The idle task isn't supposed to re-enable preemption, so remove the vestigial preempt_enable() from the CPU offline path.

Tested with pseries and powernv in qemu, and pseries on PowerVM.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxbdf4d33e8342b90386156204e1da0cdfdb4bf146 < 53770a411559cf7bc0906d1df319cc533d2f4f58affected
LinuxLinux2c669ef6979c370f98d4b876e54f19613c81e075 < 3ea0b497a7a2fff6a4b7090310c9f52c91975934affected
LinuxLinux2c669ef6979c370f98d4b876e54f19613c81e075 < 787252a10d9422f3058df9a4821f389e5326c440affected
LinuxLinux2b6148ef2bd6d8ddc76e7873114f7769b6aa25f0affected
LinuxLinux20a015e948b825afb47855de2efce7cae7c2608faffected
LinuxLinux5.10.50 < 5.10.76affected
LinuxLinux5.12.17 < 5.13affected
LinuxLinux5.13.2 < 5.14affected
LinuxLinux5.14affected
LinuxLinux0 < 5.14unaffected
LinuxLinux5.10.76 <= 5.10.*unaffected
LinuxLinux5.14.15 <= 5.14.*unaffected
LinuxLinux5.15 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References