CVE-2024-36888
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-36888
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36888.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-36888
- Downstream
- Related
- Published
- 2024-05-30T15:28:56.214Z
- Modified
- 2025-11-20T04:09:22.665821Z
- Severity
-
- 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- workqueue: Fix selection of wake_cpu in kick_pool()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
workqueue: Fix selection of wakecpu in kickpool()
With cpupossiblemask=0-63 and cpuonlinemask=0-7 the following kernel oops was observed:
smp: Bringing up secondary CPUs ... smp: Brought up 1 node, 8 CPUs Unable to handle kernel pointer dereference in virtual kernel address space Failing address: 0000000000000000 TEID: 0000000000000803 [..] Call Trace: archvcpuispreempted+0x12/0x80 selectidlesibling+0x42/0x560 selecttaskrqfair+0x29a/0x3b0 trytowakeup+0x38e/0x6e0 kickpool+0xa4/0x198 _queuework.part.0+0x2bc/0x3a8 calltimerfn+0x36/0x160 _runtimers+0x1e2/0x328 _runtimerbase+0x5a/0x88 runtimersoftirq+0x40/0x78 _dosoftirq+0x118/0x388 irqexitrcu+0xc0/0xd8 doextirq+0xae/0x168 extinthandler+0xbe/0xf0 pswidleexit+0x0/0xc defaultidlecall+0x3c/0x110 doidle+0xd4/0x158 cpustartupentry+0x40/0x48 restinit+0xc6/0xc8 startkernel+0x3c4/0x5e0 startup_continue+0x3c/0x50
The crash is caused by calling archvcpuispreempted() for an offline CPU. To avoid this, select the cpu with cpumaskanyanddistribute() to mask _podcpumask with cpuonlinemask. In case no cpu is left in the pool, skip the assignment.
tj: This doesn't fully fix the bug as CPUs can still go down between picking the target CPU and the wake call. Fixing that likely requires adding cpu_online() test to either the sched or s390 arch code. However, regardless of how that is fixed, workqueue shouldn't be picking a CPU which isn't online as that would result in unpredictable and worse behavior.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced8639ecebc9b1796d7074751a350462f5e1c61cd4Fixedc57824d4fe07c2131f8c48687cbd5ee2be60c767
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced8639ecebc9b1796d7074751a350462f5e1c61cd4Fixed6d559e70b3eb6623935cbe7f94c1912c1099777b
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced8639ecebc9b1796d7074751a350462f5e1c61cd4Fixed57a01eafdcf78f6da34fad9ff075ed5dfdd9f420
Affected versions
v6.*
Database specific
vanir_signatures
[
{
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "kernel/workqueue.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6d559e70b3eb6623935cbe7f94c1912c1099777b",
"digest": {
"line_hashes": [
"151240583182194744152740603036553875075",
"1636997189627108829756386150715501840",
"139073521287008936866895322360747892443",
"257543543781581094805358959317098672190",
"204687717181390834952018929909070763241"
],
"threshold": 0.9
},
"id": "CVE-2024-36888-27f0cc37"
},
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "kernel/workqueue.c",
"function": "kick_pool"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6d559e70b3eb6623935cbe7f94c1912c1099777b",
"digest": {
"length": 588.0,
"function_hash": "201575573980252207371660702354967905910"
},
"id": "CVE-2024-36888-9033d4cf"
}
]