CVE-2022-50103

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched, cpuset: Fix dl_cpu_busy() panic due to empty cs-&gt;cpus_allowed<br /> <br /> With cgroup v2, the cpuset&amp;#39;s cpus_allowed mask can be empty indicating<br /> that the cpuset will just use the effective CPUs of its parent. So<br /> cpuset_can_attach() can call task_can_attach() with an empty mask.<br /> This can lead to cpumask_any_and() returns nr_cpu_ids causing the call<br /> to dl_bw_of() to crash due to percpu value access of an out of bound<br /> CPU value. For example:<br /> <br /> [80468.182258] BUG: unable to handle page fault for address: ffffffff8b6648b0<br /> :<br /> [80468.191019] RIP: 0010:dl_cpu_busy+0x30/0x2b0<br /> :<br /> [80468.207946] Call Trace:<br /> [80468.208947] cpuset_can_attach+0xa0/0x140<br /> [80468.209953] cgroup_migrate_execute+0x8c/0x490<br /> [80468.210931] cgroup_update_dfl_csses+0x254/0x270<br /> [80468.211898] cgroup_subtree_control_write+0x322/0x400<br /> [80468.212854] kernfs_fop_write_iter+0x11c/0x1b0<br /> [80468.213777] new_sync_write+0x11f/0x1b0<br /> [80468.214689] vfs_write+0x1eb/0x280<br /> [80468.215592] ksys_write+0x5f/0xe0<br /> [80468.216463] do_syscall_64+0x5c/0x80<br /> [80468.224287] entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> Fix that by using effective_cpus instead. For cgroup v1, effective_cpus<br /> is the same as cpus_allowed. For v2, effective_cpus is the real cpumask<br /> to be used by tasks within the cpuset anyway.<br /> <br /> Also update task_can_attach()&amp;#39;s 2nd argument name to cs_effective_cpus to<br /> reflect the change. In addition, a check is added to task_can_attach()<br /> to guard against the possibility that cpumask_any_and() may return a<br /> value &gt;= nr_cpu_ids.