CVE-2022-50177

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/06/2025
Last modified:
18/06/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

rcutorture: Fix ksoftirqd boosting timing and iteration

The RCU priority boosting can fail in two situations:

1) If (nr_cpus= > maxcpus=), which means if the total number of CPUs
is higher than those brought online at boot, then torture_onoff() may
later bring up CPUs that weren't online on boot. Now since rcutorture
initialization only boosts the ksoftirqds of the CPUs that have been
set online on boot, the CPUs later set online by torture_onoff won't
benefit from the boost, making RCU priority boosting fail.

2) The ksoftirqd kthreads are boosted after the creation of
rcu_torture_boost() kthreads, which opens a window large enough for these
rcu_torture_boost() kthreads to wait (despite running at FIFO priority)
for ksoftirqds that are still running at SCHED_NORMAL priority.

The issues can trigger for example with:

./kvm.sh --configs TREE01 --kconfig "CONFIG_RCU_BOOST=y"

[ 34.968561] rcu-torture: !!!
[ 34.968627] ------------[ cut here ]------------
[ 35.014054] WARNING: CPU: 4 PID: 114 at kernel/rcu/rcutorture.c:1979 rcu_torture_stats_print+0x5ad/0x610
[ 35.052043] Modules linked in:
[ 35.069138] CPU: 4 PID: 114 Comm: rcu_torture_sta Not tainted 5.18.0-rc1 #1
[ 35.096424] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
[ 35.154570] RIP: 0010:rcu_torture_stats_print+0x5ad/0x610
[ 35.198527] Code: 63 1b 02 00 74 02 0f 0b 48 83 3d 35 63 1b 02 00 74 02 0f 0b 48 83 3d 21 63 1b 02 00 74 02 0f 0b 48 83 3d 0d 63 1b 02 00 74 02 0b 83 eb 01 0f 8e ba fc ff ff 0f 0b e9 b3 fc ff f82
[ 37.251049] RSP: 0000:ffffa92a0050bdf8 EFLAGS: 00010202
[ 37.277320] rcu: De-offloading 8
[ 37.290367] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000001
[ 37.290387] RDX: 0000000000000000 RSI: 00000000ffffbfff RDI: 00000000ffffffff
[ 37.290398] RBP: 000000000000007b R08: 0000000000000000 R09: c0000000ffffbfff
[ 37.290407] R10: 000000000000002a R11: ffffa92a0050bc18 R12: ffffa92a0050be20
[ 37.290417] R13: ffffa92a0050be78 R14: 0000000000000000 R15: 000000000001bea0
[ 37.290427] FS: 0000000000000000(0000) GS:ffff96045eb00000(0000) knlGS:0000000000000000
[ 37.290448] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.290460] CR2: 0000000000000000 CR3: 000000001dc0c000 CR4: 00000000000006e0
[ 37.290470] Call Trace:
[ 37.295049]
[ 37.295065] ? preempt_count_add+0x63/0x90
[ 37.295095] ? _raw_spin_lock_irqsave+0x12/0x40
[ 37.295125] ? rcu_torture_stats_print+0x610/0x610
[ 37.295143] rcu_torture_stats+0x29/0x70
[ 37.295160] kthread+0xe3/0x110
[ 37.295176] ? kthread_complete_and_exit+0x20/0x20
[ 37.295193] ret_from_fork+0x22/0x30
[ 37.295218]

Fix this by boosting the ksoftirqd kthreads from the boosting
hotplug callback itself and before the boosting kthreads are created.
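
The two failure modes in the commit message above (boosting only the CPUs online at boot, and boosting them only after the rcu_torture_boost() kthreads exist) can be reproduced in a small userland model. The program below is an added example, not the kernel's rcutorture code and not the fix itself: the names booster_init, rcu_torture_init_model, torture_onoff_online, the NR_CPUS/MAXCPUS values and the boost_window flag are assumptions of the model, and a ksoftirqd's scheduling class is represented by an enum rather than a real SCHED_FIFO change (which would need root). The "original" path walks the CPUs online at init and boosts them after the boost kthreads are created; the "fixed" path boosts from the per-CPU hotplug callback, so a CPU onlined later by torture_onoff() is covered too.

```c
/*
 * Added example (not kernel code): a userland model of the two
 * ksoftirqd-boosting orders described in the CVE-2022-50177 commit
 * message.  Identifiers and constants here are assumptions of this
 * model, not the kernel's own.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NR_CPUS 8   /* models nr_cpus=: CPUs that exist at all */
#define MAXCPUS 4   /* models maxcpus=: CPUs brought online at boot */

enum prio { PRIO_NORMAL, PRIO_FIFO };   /* model of the ksoftirqd scheduling class */

struct model_cpu {
    bool online;
    enum prio ksoftirqd;
};

struct model {
    bool fixed;                  /* true: boost from the hotplug callback */
    bool boost_kthreads_created;
    bool boost_window;           /* boost kthreads could wait on a SCHED_NORMAL ksoftirqd */
    struct model_cpu cpu[NR_CPUS];
};

/* Model of the rcutorture CPU-online hotplug callback. */
static void booster_init(struct model *m, int cpu)
{
    m->cpu[cpu].online = true;
    if (m->fixed)
        m->cpu[cpu].ksoftirqd = PRIO_FIFO;   /* fixed order: boost here, per CPU */
}

/* Model of creating the rcu_torture_boost() FIFO kthreads.  If any online
 * ksoftirqd is still SCHED_NORMAL at this point, the window described in
 * situation 2) of the commit message exists. */
static void create_boost_kthreads(struct model *m)
{
    m->boost_kthreads_created = true;
    for (int cpu = 0; cpu < NR_CPUS; cpu++)
        if (m->cpu[cpu].online && m->cpu[cpu].ksoftirqd == PRIO_NORMAL)
            m->boost_window = true;
}

/* Original behaviour: walk the CPUs online right now and boost their
 * ksoftirqds.  CPUs onlined later are never visited again. */
static void boost_online_ksoftirqds(struct model *m)
{
    for (int cpu = 0; cpu < NR_CPUS; cpu++)
        if (m->cpu[cpu].online)
            m->cpu[cpu].ksoftirqd = PRIO_FIFO;
}

static void rcu_torture_init_model(struct model *m, bool fixed)
{
    memset(m, 0, sizeof(*m));
    m->fixed = fixed;
    /* Registering the hotplug state runs the callback for boot-online CPUs. */
    for (int cpu = 0; cpu < MAXCPUS; cpu++)
        booster_init(m, cpu);
    create_boost_kthreads(m);
    if (!fixed)
        boost_online_ksoftirqds(m);   /* original order: after the boost kthreads */
}

/* Model of torture_onoff() bringing up a CPU that was offline at boot. */
static void torture_onoff_online(struct model *m, int cpu)
{
    booster_init(m, cpu);
}

static int count_unboosted_online(const struct model *m)
{
    int n = 0;
    for (int cpu = 0; cpu < NR_CPUS; cpu++)
        if (m->cpu[cpu].online && m->cpu[cpu].ksoftirqd == PRIO_NORMAL)
            n++;
    return n;
}

/* Scenario for situation 1): boot with MAXCPUS online, then torture_onoff()
 * onlines one more CPU.  Returns how many online ksoftirqds stay unboosted. */
static int unboosted_after_onoff(bool fixed)
{
    struct model m;
    rcu_torture_init_model(&m, fixed);
    torture_onoff_online(&m, MAXCPUS + 2);
    return count_unboosted_online(&m);
}

/* Scenario for situation 2): was there a window at boost-kthread creation? */
static bool boost_window_opened(bool fixed)
{
    struct model m;
    rcu_torture_init_model(&m, fixed);
    return m.boost_window;
}

int main(void)
{
    printf("original: %d unboosted ksoftirqd(s), window %s\n",
           unboosted_after_onoff(false), boost_window_opened(false) ? "open" : "closed");
    printf("fixed:    %d unboosted ksoftirqd(s), window %s\n",
           unboosted_after_onoff(true), boost_window_opened(true) ? "open" : "closed");
    return 0;
}
```

In the model, the original order leaves the ksoftirqd of the late-onlined CPU at SCHED_NORMAL and opens the window at boost-kthread creation; the fixed order does neither, because every CPU passes through the callback before the boost kthreads exist.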

Impact