Unverified Commit 552503ce authored by openeuler-ci-bot Committed by Gitee

!9400 Fix CVE-2024-31076

Merge Pull Request from: @ci-robot 
 
PR sync from: Hongbo Li <lihongbo22@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/ZIC5C6KN3WABVSEY367R62TMZK4TE3QY/ 
Backport CVE-2024-31076.

Dongli Zhang (1):
  genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/IA7D8T 
 
Link:https://gitee.com/openeuler/kernel/pulls/9400

 

Reviewed-by: Zhang Jianhua <chris.zjh@huawei.com>
Reviewed-by: Liu YongQiang <liuyongqiang13@huawei.com>
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
parents 4842b09d 7d7cdabe
+6 −3
@@ -922,7 +922,8 @@ static void __send_cleanup_vector(struct apic_chip_data *apicd)
		hlist_add_head(&apicd->clist, per_cpu_ptr(&cleanup_list, cpu));
		apic->send_IPI(cpu, IRQ_MOVE_CLEANUP_VECTOR);
	} else {
		apicd->prev_vector = 0;
		pr_warn("IRQ %u schedule cleanup for offline CPU %u\n", apicd->irq, cpu);
		free_moved_vector(apicd);
	}
	raw_spin_unlock(&vector_lock);
}
@@ -958,6 +959,7 @@ void irq_complete_move(struct irq_cfg *cfg)
 */
void irq_force_complete_move(struct irq_desc *desc)
{
	unsigned int cpu = smp_processor_id();
	struct apic_chip_data *apicd;
	struct irq_data *irqd;
	unsigned int vector;
@@ -982,10 +984,11 @@ void irq_force_complete_move(struct irq_desc *desc)
		goto unlock;

	/*
	 * If prev_vector is empty, no action required.
	 * If prev_vector is empty or the descriptor is neither currently
	 * nor previously on the outgoing CPU no action required.
	 */
	vector = apicd->prev_vector;
	if (!vector)
	if (!vector || (apicd->cpu != cpu && apicd->prev_cpu != cpu))
		goto unlock;

	/*
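Review bot: The new `unsigned int cpu = smp_processor_id();` in irq_force_complete_move() makes the outcome depend on which CPU runs the function, and nothing in the visible lines states that contract. The added test `apicd->cpu != cpu && apicd->prev_cpu != cpu` is only meaningful if the caller is the outgoing CPU and cannot migrate while the function runs, which the reworded comment implies but does not say. I would put a comment on the declaration, e.g. `/* Must run on the outgoing CPU, non-preemptible: cpu is the CPU going offline. */`, unless the header comment that ends just above the function (it starts outside this hunk) already covers it. Separately, the `pr_warn()` added in __send_cleanup_vector() runs before the `raw_spin_unlock(&vector_lock)` that follows and is not rate limited; it is a useful signal that the previously leaking path was hit, but confirm that printing at that point is acceptable. The body of irq_force_complete_move() continues past the last hunk.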
+8 −8
@@ -68,6 +68,14 @@ static bool migrate_one_irq(struct irq_desc *desc)
		return false;
	}

	/*
	 * Complete an eventually pending irq move cleanup. If this
	 * interrupt was moved in hard irq context, then the vectors need
	 * to be cleaned up. It can't wait until this interrupt actually
	 * happens and this CPU was involved.
	 */
	irq_force_complete_move(desc);

	/*
	 * No move required, if:
	 * - Interrupt is per cpu
@@ -86,14 +94,6 @@ static bool migrate_one_irq(struct irq_desc *desc)
		return false;
	}

	/*
	 * Complete an eventually pending irq move cleanup. If this
	 * interrupt was moved in hard irq context, then the vectors need
	 * to be cleaned up. It can't wait until this interrupt actually
	 * happens and this CPU was involved.
	 */
	irq_force_complete_move(desc);

	/*
	 * If there is a setaffinity pending, then try to reuse the pending
	 * mask, so the last change of the affinity does not get lost. If
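Review bot: The comment that moves together with `irq_force_complete_move(desc);` in migrate_one_irq() reads exactly as it did at the old position and does not say why the call now has to come before the "No move required" check. As far as the visible lines show, the reason for the reordering is that a descriptor which returns early from that check can still hold a previous vector on this CPU, so the cleanup would otherwise be skipped and the vector left allocated. I would append one sentence to the comment, e.g. `* This must precede the "no move required" check below: an interrupt not targeting this CPU can still have its previous vector here.`, so that a later refactor does not move the call back. migrate_one_irq() starts and ends outside these hunks.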