CVE-2024-58090

Summary

In the Linux kernel, the following vulnerability has been resolved:

sched/core: Prevent rescheduling when interrupts are disabled

David reported a warning observed while loop testing kexec jump:

Interrupts enabled after irqrouter_resume+0x0/0x50 WARNING: CPU: 0 PID: 560 at drivers/base/syscore.c:103 syscore_resume+0x18a/0x220 kernel_kexec+0xf6/0x180 __do_sys_reboot+0x206/0x250 do_syscall_64+0x95/0x180

The corresponding interrupt flag trace:

hardirqs last enabled at (15573): [<ffffffffa8281b8e>] __up_console_sem+0x7e/0x90 hardirqs last disabled at (15580): [<ffffffffa8281b73>] __up_console_sem+0x63/0x90

That means __up_console_sem() was invoked with interrupts enabled. Further instrumentation revealed that in the interrupt disabled section of kexec jump one of the syscore_suspend() callbacks woke up a task, which set the NEED_RESCHED flag. A later callback in the resume path invoked cond_resched() which in turn led to the invocation of the scheduler:

__cond_resched+0x21/0x60 down_timeout+0x18/0x60 acpi_os_wait_semaphore+0x4c/0x80 acpi_ut_acquire_mutex+0x3d/0x100 acpi_ns_get_node+0x27/0x60 acpi_ns_evaluate+0x1cb/0x2d0 acpi_rs_set_srs_method_data+0x156/0x190 acpi_pci_link_set+0x11c/0x290 irqrouter_resume+0x54/0x60 syscore_resume+0x6a/0x200 kernel_kexec+0x145/0x1c0 __do_sys_reboot+0xeb/0x240 do_syscall_64+0x95/0x180

This is a long standing problem, which probably got more visible with the recent printk changes. Something does a task wakeup and the scheduler sets the NEED_RESCHED flag. cond_resched() sees it set and invokes schedule() from a completely bogus context. The scheduler enables interrupts after context switching, which causes the above warning at the end.

Quite some of the code paths in syscore_suspend()/resume() can result in triggering a wakeup with the exactly same consequences. They might not have done so yet, but as they share a lot of code with normal operations it's just a question of time.

The problem only affects the PREEMPT_NONE and PREEMPT_VOLUNTARY scheduling models. Full preemption is not affected as cond_resched() is disabled and the preemption check preemptible() takes the interrupt disabled flag into account.

Cure the problem by adding a corresponding check into cond_resched().

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 321794b75ac968f0bb6b9c913581949452a8d992affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 1651f5731b378616565534eb9cda30e258cebebcaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 288fdb8dcb71ec77b76ab8b8a06bc10f595ea504affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 84586322e010164eedddfcd0a0894206ae7d9317affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 68786ab0935ccd5721283b7eb7f4d2f2942c7a52affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 0362847c520747b44b574d363705d8af0621727aaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < b927c8539f692fb1f9c2f42e6c8ea2d94956f921affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 82c387ef7568c0d96a918a5a78d9cad6256cfa15affected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux5.4.291 <= 5.4.*unaffected
LinuxLinux5.10.235 <= 5.10.*unaffected
LinuxLinux5.15.179 <= 5.15.*unaffected
LinuxLinux6.1.130 <= 6.1.*unaffected
LinuxLinux6.6.81 <= 6.6.*unaffected
LinuxLinux6.12.18 <= 6.12.*unaffected
LinuxLinux6.13.6 <= 6.13.*unaffected
LinuxLinux6.14 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References