CVE-2024-36936

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 30/05/2024
Last modified: 17/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

efi/unaccepted: touch soft lockup during memory accept

Commit 50e782a86c98 ("efi/unaccepted: Fix soft lockups caused by parallel memory acceptance") has released the spinlock so other CPUs can do memory acceptance in parallel and not trigger softlockup on other CPUs.

However the softlockup intermittently showed up if the memory of the TD guest is large, and the timeout of softlockup is set to 1 second:

    RIP: 0010:_raw_spin_unlock_irqrestore
    Call Trace:
    ? __hrtimer_run_queues

    ? hrtimer_interrupt
    ? watchdog_timer_fn
    ? __sysvec_apic_timer_interrupt
    ? __pfx_watchdog_timer_fn
    ? sysvec_apic_timer_interrupt

    ? __hrtimer_run_queues

    ? hrtimer_interrupt
    ? asm_sysvec_apic_timer_interrupt
    ? _raw_spin_unlock_irqrestore
    ? __sysvec_apic_timer_interrupt
    ? sysvec_apic_timer_interrupt
    accept_memory
    try_to_accept_memory
    do_huge_pmd_anonymous_page
    get_page_from_freelist
    __handle_mm_fault
    __alloc_pages
    __folio_alloc
    ? __tdx_hypercall
    handle_mm_fault
    vma_alloc_folio
    do_user_addr_fault
    do_huge_pmd_anonymous_page
    exc_page_fault
    ? __do_huge_pmd_anonymous_page
    asm_exc_page_fault
    __handle_mm_fault

When the local irq is enabled at the end of accept_memory(), the softlockup detects that the watchdog on a single CPU has not been fed for a while. That is to say, even if other CPUs will not be blocked by the spinlock, the current CPU might be stuck with local irq disabled for a while, which hurts not only the nmi watchdog but also softlockup.

Chao Gao pointed out that the memory accept could be time costly and there was a similar report before. Thus to avoid any softlockup detection during this stage, give the softlockup a flag to skip the timeout check at the end of accept_memory(), by invoking touch_softlockup_watchdog().
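A triage sketch for the symptom described above, added here as an example and not part of the kernel commit or the CVE record: it splits kernel log text into soft lockup reports and flags those whose reliable call-trace frames include accept_memory(). The log excerpt, the function name `triage` and the report field names are constructed for illustration.

```python
import re

# Constructed dmesg excerpt (not from a real system): one soft lockup reported
# on the accept_memory() path and one unrelated lockup for contrast.
SAMPLE_DMESG = """\
[  312.104411] watchdog: BUG: soft lockup - CPU#3 stuck for 2s! [stress-ng:1842]
[  312.104420] RIP: 0010:_raw_spin_unlock_irqrestore+0x1d/0x40
[  312.104431] Call Trace:
[  312.104433]  <TASK>
[  312.104435]  ? watchdog_timer_fn+0x1b2/0x210
[  312.104443]  ? _raw_spin_unlock_irqrestore+0x1d/0x40
[  312.104446]  accept_memory+0x17a/0x1e0
[  312.104449]  try_to_accept_memory+0x45/0x90
[  312.104452]  get_page_from_freelist+0x3a1/0x1540
[  977.550102] watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:2:77]
[  977.550110] RIP: 0010:native_queued_spin_lock_slowpath+0x6b/0x2b0
[  977.550118] Call Trace:
[  977.550123]  _raw_spin_lock+0x2d/0x40
"""

HEADER = re.compile(r"soft lockup - CPU#(\d+) stuck for (\d+)s!")
RIP = re.compile(r"RIP: \w+:(\w+)")
FRAME = re.compile(r"^\s*(\? )?([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s*$")

def triage(dmesg):
    """Split dmesg text into soft lockup reports; flag the accept_memory() path."""
    reports = []
    for line in dmesg.splitlines():
        line = re.sub(r"^\[\s*\d+\.\d+\]", "", line)  # drop the timestamp
        m = HEADER.search(line)
        if m:
            reports.append({"cpu": int(m[1]), "secs": int(m[2]), "rip": None, "frames": []})
            continue
        if not reports:
            continue  # lines before the first soft lockup header are ignored
        cur = reports[-1]
        if cur["rip"] is None and (m := RIP.search(line)):
            cur["rip"] = m[1]
        elif (m := FRAME.match(line)) and not m[1]:
            # frames prefixed with "? " are unreliable stack entries and are skipped
            cur["frames"].append(m[2])
    for r in reports:
        r["in_accept_memory"] = "accept_memory" in r["frames"]
    return reports
```

A report with `in_accept_memory` set is consistent with the trace in this record; whether the running kernel carries the fix still has to be checked against the version ranges listed below.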

Vulnerable products and versions

CPE                                               From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.5.9 (including)    6.6 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.6.1 (including)    6.6.55 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)      6.8.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc6:*:*:*:*:*:*