CVE-2025-68780

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 13/01/2026
Last modified: 19/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

sched/deadline: only set free_cpus for online runqueues

Commit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpus to reflect rd->online") introduced the cpudl_set/clear_freecpu functions to allow the cpu_dl::free_cpus mask to be manipulated by the deadline scheduler class rq_on/offline callbacks so the mask would also reflect this state.

Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_mask from cpudl_find()") removed the check of the cpu_active_mask to save some processing on the premise that the cpudl::free_cpus mask already reflected the runqueue online state.

Unfortunately, there are cases where it is possible for the cpudl_clear function to set the free_cpus bit for a CPU when the deadline runqueue is offline. When this occurs while a CPU is connected to the default root domain the flag may retain the bad state after the CPU has been unplugged. Later, a different CPU that is transitioning through the default root domain may push a deadline task to the powered down CPU when cpudl_find sees its free_cpus bit is set. If this happens the task will not have the opportunity to run.

One example is outlined here:
https://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com

Another occurs when the last deadline task is migrated from a CPU that has an offlined runqueue. The dequeue_task member of the deadline scheduler class will eventually call cpudl_clear and set the free_cpus bit for the CPU.

This commit modifies the cpudl_clear function to be aware of the online state of the deadline runqueue so that the free_cpus mask can be updated appropriately.

It is no longer necessary to manage the mask outside of the cpudl_set/clear functions so the cpudl_set/clear_freecpu functions are removed. In addition, since the free_cpus mask is now only updated under the cpudl lock the code was changed to use the non-atomic __cpumask functions.
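The stale-bit scenario described above, as an added example: a simplified user-space C model written for this page, not kernel code and not the upstream patch. The struct, the function names and the 4-CPU layout are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define NCPU 4

/* Hypothetical, simplified stand-in for the cpudl state. */
struct model {
    unsigned free_cpus;    /* bit set = CPU is a candidate for a pushed task */
    bool rq_online[NCPU];  /* deadline runqueue online state per CPU */
};

/* Behaviour before the fix: clearing a CPU's entry always sets its bit. */
static void clear_unaware(struct model *m, int cpu) {
    m->free_cpus |= 1u << cpu;
}

/* Behaviour after the fix: the bit is set only for an online runqueue. */
static void clear_aware(struct model *m, int cpu) {
    if (m->rq_online[cpu])
        m->free_cpus |= 1u << cpu;
    else
        m->free_cpus &= ~(1u << cpu);
}

/* Stand-in for a lookup that trusts free_cpus alone; -1 if none is free. */
static int find_free(const struct model *m) {
    for (int cpu = 0; cpu < NCPU; cpu++)
        if (m->free_cpus & (1u << cpu))
            return cpu;
    return -1;
}

/* CPUs 0, 2 and 3 are busy with deadline tasks. CPU 1's runqueue goes
 * offline and its last deadline task is then migrated away, which
 * triggers a clear. Returns the CPU a later push would select. */
static int scenario(bool fixed) {
    struct model m = { .free_cpus = 0, .rq_online = { true, true, true, true } };
    m.rq_online[1] = false;  /* runqueue taken offline */
    if (fixed)
        clear_aware(&m, 1);
    else
        clear_unaware(&m, 1);
    return find_free(&m);
}

int main(void) {
    printf("before fix: push target = %d\n", scenario(false));
    printf("after fix:  push target = %d\n", scenario(true));
}
```

In the model, the unaware clear makes the offline CPU 1 the push target, while the online-aware clear leaves no candidate, so a task is never directed at a CPU that cannot run it.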

Impact