CVE-2024-44975

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cgroup/cpuset: fix panic caused by partcmd_update<br /> <br /> We find a bug as below:<br /> BUG: unable to handle page fault for address: 00000003<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 3 PID: 358 Comm: bash Tainted: G W I 6.6.0-10893-g60d6<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/4<br /> RIP: 0010:partition_sched_domains_locked+0x483/0x600<br /> Code: 01 48 85 d2 74 0d 48 83 05 29 3f f8 03 01 f3 48 0f bc c2 89 c0 48 9<br /> RSP: 0018:ffffc90000fdbc58 EFLAGS: 00000202<br /> RAX: 0000000100000003 RBX: ffff888100b3dfa0 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000002fe80<br /> RBP: ffff888100b3dfb0 R08: 0000000000000001 R09: 0000000000000000<br /> R10: ffffc90000fdbcb0 R11: 0000000000000004 R12: 0000000000000002<br /> R13: ffff888100a92b48 R14: 0000000000000000 R15: 0000000000000000<br /> FS: 00007f44a5425740(0000) GS:ffff888237d80000(0000) knlGS:0000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000100030973 CR3: 000000010722c000 CR4: 00000000000006e0<br /> Call Trace:<br /> <br /> ? show_regs+0x8c/0xa0<br /> ? __die_body+0x23/0xa0<br /> ? __die+0x3a/0x50<br /> ? page_fault_oops+0x1d2/0x5c0<br /> ? partition_sched_domains_locked+0x483/0x600<br /> ? search_module_extables+0x2a/0xb0<br /> ? search_exception_tables+0x67/0x90<br /> ? kernelmode_fixup_or_oops+0x144/0x1b0<br /> ? __bad_area_nosemaphore+0x211/0x360<br /> ? up_read+0x3b/0x50<br /> ? bad_area_nosemaphore+0x1a/0x30<br /> ? exc_page_fault+0x890/0xd90<br /> ? __lock_acquire.constprop.0+0x24f/0x8d0<br /> ? __lock_acquire.constprop.0+0x24f/0x8d0<br /> ? asm_exc_page_fault+0x26/0x30<br /> ? partition_sched_domains_locked+0x483/0x600<br /> ? partition_sched_domains_locked+0xf0/0x600<br /> rebuild_sched_domains_locked+0x806/0xdc0<br /> update_partition_sd_lb+0x118/0x130<br /> cpuset_write_resmask+0xffc/0x1420<br /> cgroup_file_write+0xb2/0x290<br /> kernfs_fop_write_iter+0x194/0x290<br /> new_sync_write+0xeb/0x160<br /> vfs_write+0x16f/0x1d0<br /> ksys_write+0x81/0x180<br /> __x64_sys_write+0x21/0x30<br /> x64_sys_call+0x2f25/0x4630<br /> do_syscall_64+0x44/0xb0<br /> entry_SYSCALL_64_after_hwframe+0x78/0xe2<br /> RIP: 0033:0x7f44a553c887<br /> <br /> It can be reproduced with cammands:<br /> cd /sys/fs/cgroup/<br /> mkdir test<br /> cd test/<br /> echo +cpuset &gt; ../cgroup.subtree_control<br /> echo root &gt; cpuset.cpus.partition<br /> cat /sys/fs/cgroup/cpuset.cpus.effective<br /> 0-3<br /> echo 0-3 &gt; cpuset.cpus // taking away all cpus from root<br /> <br /> This issue is caused by the incorrect rebuilding of scheduling domains.<br /> In this scenario, test/cpuset.cpus.partition should be an invalid root<br /> and should not trigger the rebuilding of scheduling domains. When calling<br /> update_parent_effective_cpumask with partcmd_update, if newmask is not<br /> null, it should recheck newmask whether there are cpus is available<br /> for parect/cs that has tasks.