In the Linux kernel, the following vulnerability has been resolved:
cpu/hotplug: Don't offline the last non-isolated CPU
If a system has isolated CPUs via the "isolcpus=" command line parameter, then an attempt to offline the last housekeeping CPU will result in a WARNON() when rebuilding the scheduler domains and a subsequent panic due to and unhandled empty CPU mas in partitionscheddomainslocked().
cpusethotplugworkfn() rebuildscheddomainslocked() ndoms = generatescheddomains(&doms, &attr); cpumaskand(doms[0], topcpuset.effectivecpus, housekeepingcpumask(HKFLAG_DOMAIN));
Thus results in an empty CPU mask which triggers the warning and then the subsequent crash:
WARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 buildscheddomains+0x120c/0x1408 Call trace: buildscheddomains+0x120c/0x1408 partitionscheddomainslocked+0x234/0x880 rebuildscheddomainslocked+0x37c/0x798 rebuildscheddomains+0x30/0x58 cpusethotplugworkfn+0x2a8/0x930
Unable to handle kernel paging request at virtual address fffe80027ab37080 partitionscheddomainslocked+0x318/0x880 rebuildscheddomainslocked+0x37c/0x798
Aside of the resulting crash, it does not make any sense to offline the last last housekeeping CPU.
Prevent this by masking out the non-housekeeping CPUs when selecting a target CPU for initiating the CPU unplug operation via the work queue.
[ { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@335a47ed71e332c82339d1aec0c7f6caccfcda13", "signature_version": "v1", "target": { "file": "kernel/cpu.c", "function": "cpu_down_maps_locked" }, "digest": { "length": 382.0, "function_hash": "32750297532046143082667419405412931529" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2023-52831-3cfc1c3f" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@335a47ed71e332c82339d1aec0c7f6caccfcda13", "signature_version": "v1", "target": { "file": "kernel/cpu.c" }, "digest": { "line_hashes": [ "275525296090427917762070371268208410415", "293868000064509335204489661738084766493", "227194529391085159631444808028878409286", "220709967637872615030618425245212723990", "97901852111408982101212454540645207350", "151629478744619521883246640431588623364", "78670304331220954209805594445213108851" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2023-52831-aa1b0a75" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3410b702354702b500bde10e3cc1f9db8731d908", "signature_version": "v1", "target": { "file": "kernel/cpu.c" }, "digest": { "line_hashes": [ "275525296090427917762070371268208410415", "293868000064509335204489661738084766493", "227194529391085159631444808028878409286", "220709967637872615030618425245212723990", "97901852111408982101212454540645207350", "151629478744619521883246640431588623364", "78670304331220954209805594445213108851" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2023-52831-ca23e276" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3410b702354702b500bde10e3cc1f9db8731d908", "signature_version": "v1", "target": { "file": "kernel/cpu.c", "function": "cpu_down_maps_locked" }, "digest": { "length": 382.0, "function_hash": "32750297532046143082667419405412931529" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2023-52831-d2a8c0ef" } ]