In the Linux kernel, the following vulnerability has been resolved:
genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
The absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of interrupt affinity reconfiguration via procfs. Instead, the change is deferred until the next instance of the interrupt being triggered on the original CPU.
When the interrupt next triggers on the original CPU, the new affinity is enforced within __irq_move_irq(). A vector is allocated from the new CPU, but the old vector on the original CPU remains and is not immediately reclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming process is delayed until the next trigger of the interrupt on the new CPU.
Upon the subsequent triggering of the interrupt on the new CPU, irq_complete_move() adds a task to the old CPU's vector_cleanup list if it remains online. Subsequently, the timer on the old CPU iterates over its vector_cleanup list, reclaiming old vectors.
However, a rare scenario arises if the old CPU is outgoing before the interrupt triggers again on the new CPU.
In that case irq_force_complete_move() is not invoked on the outgoing CPU to reclaim the old apicd->prev_vector because the interrupt isn't currently affine to the outgoing CPU, and irq_needs_fixup() returns false. Even though __vector_schedule_cleanup() is later called on the new CPU, it doesn't reclaim apicd->prev_vector; instead, it simply resets both apicd->move_in_progress and apicd->prev_vector to 0.
As a result, the vector remains unreclaimed in vector_matrix, leading to a CPU vector leak.
To address this issue, move the invocation of irq_force_complete_move() before the irq_needs_fixup() call to reclaim apicd->prev_vector, if the interrupt is currently or used to be affine to the outgoing CPU.
Additionally, reclaim the vector in __vector_schedule_cleanup() as well, following a warning message, although theoretically it should never see apicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.
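The sequence described above, as an added user-space model (not kernel code and not part of the original commit): it replays the affinity change, the early CPU offline and the later interrupt on the new CPU, and counts the vectors still marked in use on the old CPU. The names matrix, apic_data, FIX_REORDER, FIX_CLEANUP and all function names are assumptions made for this sketch; only the ordering logic follows the description.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NR_CPUS 2
#define NR_VECTORS 8
enum { FIX_REORDER = 1, FIX_CLEANUP = 2 };   /* the two halves of the fix */

static bool matrix[NR_CPUS][NR_VECTORS];     /* toy vector_matrix: in-use bit per CPU */
static bool online[NR_CPUS];
struct apic_data { int cpu, vector, prev_cpu, prev_vector; bool move_in_progress; };

static int alloc_vector(int cpu) {
    for (int v = 1; v < NR_VECTORS; v++)     /* 0 means "no vector" */
        if (!matrix[cpu][v]) { matrix[cpu][v] = true; return v; }
    return 0;
}

static void free_prev(struct apic_data *d) { /* give the old vector back */
    matrix[d->prev_cpu][d->prev_vector] = false;
    d->prev_vector = 0;
    d->move_in_progress = false;
}

/* CPU offline path: unpatched, the forced reclaim ran only behind the fixup check. */
static void cpu_offline(struct apic_data *d, int cpu, int fixes) {
    bool needs_fixup = (d->cpu == cpu);      /* IRQ currently affine to outgoing CPU */
    bool pending = d->prev_vector && d->prev_cpu == cpu;
    if (pending && (needs_fixup || (fixes & FIX_REORDER)))
        free_prev(d);
    online[cpu] = false;                     /* migrating still-affine IRQs is not modelled */
}

/* Cleanup scheduling when the IRQ finally fires on the new CPU. */
static void irq_fires_on_new_cpu(struct apic_data *d, int fixes) {
    if (!d->move_in_progress) return;
    if (online[d->prev_cpu] || (fixes & FIX_CLEANUP)) {
        free_prev(d);                        /* cleanup timer, or patched fallback */
    } else {
        d->prev_vector = 0;                  /* unpatched: state forgotten, bit stays set */
        d->move_in_progress = false;
    }
}

int leaked_after_offline(int fixes) {
    struct apic_data d = {0};                /* IRQ starts on CPU 0 */
    memset(matrix, 0, sizeof matrix);
    online[0] = online[1] = true;
    d.vector = alloc_vector(0);
    /* Affinity set to CPU 1; applied when the IRQ next fires on CPU 0. */
    d.prev_cpu = d.cpu; d.prev_vector = d.vector;
    d.cpu = 1; d.vector = alloc_vector(1); d.move_in_progress = true;
    cpu_offline(&d, 0, fixes);               /* CPU 0 leaves before the IRQ fires on CPU 1 */
    irq_fires_on_new_cpu(&d, fixes);
    int n = 0;
    for (int v = 1; v < NR_VECTORS; v++) n += matrix[0][v];
    return n;
}

int main(void) {
    printf("leaked vectors on CPU 0: unpatched=%d reorder=%d cleanup=%d\n",
           leaked_after_offline(0), leaked_after_offline(FIX_REORDER),
           leaked_after_offline(FIX_CLEANUP));
    return 0;
}
```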