CVE-2024-36888

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> workqueue: Fix selection of wake_cpu in kick_pool()<br /> <br /> With cpu_possible_mask=0-63 and cpu_online_mask=0-7 the following<br /> kernel oops was observed:<br /> <br /> smp: Bringing up secondary CPUs ...<br /> smp: Brought up 1 node, 8 CPUs<br /> Unable to handle kernel pointer dereference in virtual kernel address space<br /> Failing address: 0000000000000000 TEID: 0000000000000803<br /> [..]<br /> Call Trace:<br /> arch_vcpu_is_preempted+0x12/0x80<br /> select_idle_sibling+0x42/0x560<br /> select_task_rq_fair+0x29a/0x3b0<br /> try_to_wake_up+0x38e/0x6e0<br /> kick_pool+0xa4/0x198<br /> __queue_work.part.0+0x2bc/0x3a8<br /> call_timer_fn+0x36/0x160<br /> __run_timers+0x1e2/0x328<br /> __run_timer_base+0x5a/0x88<br /> run_timer_softirq+0x40/0x78<br /> __do_softirq+0x118/0x388<br /> irq_exit_rcu+0xc0/0xd8<br /> do_ext_irq+0xae/0x168<br /> ext_int_handler+0xbe/0xf0<br /> psw_idle_exit+0x0/0xc<br /> default_idle_call+0x3c/0x110<br /> do_idle+0xd4/0x158<br /> cpu_startup_entry+0x40/0x48<br /> rest_init+0xc6/0xc8<br /> start_kernel+0x3c4/0x5e0<br /> startup_continue+0x3c/0x50<br /> <br /> The crash is caused by calling arch_vcpu_is_preempted() for an offline<br /> CPU. To avoid this, select the cpu with cpumask_any_and_distribute()<br /> to mask __pod_cpumask with cpu_online_mask. In case no cpu is left in<br /> the pool, skip the assignment.<br /> <br /> tj: This doesn&amp;#39;t fully fix the bug as CPUs can still go down between picking<br /> the target CPU and the wake call. Fixing that likely requires adding<br /> cpu_online() test to either the sched or s390 arch code. However, regardless<br /> of how that is fixed, workqueue shouldn&amp;#39;t be picking a CPU which isn&amp;#39;t<br /> online as that would result in unpredictable and worse behavior.