CVE-2024-31076

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/06/2024
Last modified:
15/07/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline

The absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of interrupt affinity reconfiguration via procfs. Instead, the change is deferred until the next instance of the interrupt being triggered on the original CPU.

When the interrupt next triggers on the original CPU, the new affinity is enforced within __irq_move_irq(). A vector is allocated from the new CPU, but the old vector on the original CPU remains and is not immediately reclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming process is delayed until the next trigger of the interrupt on the new CPU.

Upon the subsequent triggering of the interrupt on the new CPU, irq_complete_move() adds a task to the old CPU's vector_cleanup list if it remains online. Subsequently, the timer on the old CPU iterates over its vector_cleanup list, reclaiming old vectors.

However, a rare scenario arises if the old CPU is outgoing before the interrupt triggers again on the new CPU.

In that case irq_force_complete_move() is not invoked on the outgoing CPU to reclaim the old apicd->prev_vector because the interrupt isn't currently affine to the outgoing CPU, and irq_needs_fixup() returns false. Even though __vector_schedule_cleanup() is later called on the new CPU, it doesn't reclaim apicd->prev_vector; instead, it simply resets both apicd->move_in_progress and apicd->prev_vector to 0.

As a result, the vector remains unreclaimed in vector_matrix, leading to a CPU vector leak.

To address this issue, move the invocation of irq_force_complete_move() before the irq_needs_fixup() call to reclaim apicd->prev_vector, if the interrupt is currently or used to be affine to the outgoing CPU.

Additionally, reclaim the vector in __vector_schedule_cleanup() as well, following a warning message, although theoretically it should never see apicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.
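The race and the two-part fix described in the commit message above, as an added C model that is not part of the CVE record or of the kernel source: the struct, per-CPU counters and function names are simplified stand-ins (assumed for illustration) for the kernel's apic_chip_data, vector_matrix and the hotplug/cleanup paths, and `fixed` selects the pre- or post-fix ordering.

```c
/* Toy model of the vector cleanup race (constructed illustration, not kernel
 * code): two CPUs, and a per-CPU count of live vectors standing in for
 * vector_matrix. */
#define NCPU 2
static int vectors_in_use[NCPU];
static int cpu_online[NCPU];

struct apic_chip_data {
    int cpu;               /* CPU the interrupt is currently affine to */
    int prev_cpu;          /* CPU whose old vector still awaits reclaim */
    int move_in_progress;
};

/* Interrupt fires on the original CPU: new affinity applied, old vector kept. */
static void irq_move_irq(struct apic_chip_data *d, int new_cpu) {
    d->prev_cpu = d->cpu;
    d->cpu = new_cpu; vectors_in_use[new_cpu]++;
    d->move_in_progress = 1;
}
/* Reclaim the old vector if a pending move involves the outgoing CPU. */
static void irq_force_complete_move(struct apic_chip_data *d, int outgoing) {
    if (d->move_in_progress && d->prev_cpu == outgoing) {
        vectors_in_use[d->prev_cpu]--;
        d->move_in_progress = 0;
    }
}
/* Hotplug path. Unfixed: irq_needs_fixup() is false because the IRQ is now
 * affine to the new CPU, so the outgoing CPU never reclaims its old vector. */
static void cpu_offline(struct apic_chip_data *d, int cpu, int fixed) {
    if (fixed) irq_force_complete_move(d, cpu);       /* fix: before the check */
    if (d->cpu == cpu) irq_force_complete_move(d, cpu); /* irq_needs_fixup() */
    cpu_online[cpu] = 0;
}
/* Next trigger on the new CPU: unfixed code only resets the bookkeeping. */
static void vector_schedule_cleanup(struct apic_chip_data *d, int fixed) {
    if (!d->move_in_progress) return;
    if (fixed && !cpu_online[d->prev_cpu])   /* fix: reclaim after the WARN */
        vectors_in_use[d->prev_cpu]--;
    d->move_in_progress = 0;
}
/* Vectors still counted on offlined CPU 0: 1 means leaked, 0 means reclaimed. */
int simulate(int fixed) {
    struct apic_chip_data d = { .cpu = 0 };
    cpu_online[0] = cpu_online[1] = 1;
    vectors_in_use[0] = 1; vectors_in_use[1] = 0;  /* IRQ starts on CPU 0 */
    irq_move_irq(&d, 1);           /* affinity changed to CPU 1 via procfs */
    cpu_offline(&d, 0, fixed);     /* CPU 0 leaves before the next trigger */
    vector_schedule_cleanup(&d, fixed);
    return vectors_in_use[0];
}
```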

Impact