CVE-2025-38234

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38234
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38234.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38234
Downstream
Related
Published
2025-07-04T13:37:46.960Z
Modified
2025-11-28T02:35:15.729700Z
Summary
sched/rt: Fix race in push_rt_task
Details

In the Linux kernel, the following vulnerability has been resolved:

sched/rt: Fix race in push_rt_task

Overview

When a CPU chooses to call push_rt_task and picks a task to push to another CPU's runqueue, it calls find_lock_lowest_rq, which takes a double lock on both CPUs' runqueues. If one of the locks isn't readily available, the current runqueue lock may be dropped and both locks reacquired at once. During this window it is possible that the task has already been migrated and is running on some other CPU. These cases are already handled. However, if the task was migrated, has already run, and another CPU is now trying to wake it up (ttwu) so that it is queued again on the runqueue (on_rq is 1), and the task was run by the same CPU, then the current checks pass even though the task was migrated out and is no longer in the pushable tasks list.
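The lock-drop window described above, as an added user-space model (not kernel code and not the upstream fix): a pusher re-validates its stale task pointer after the window, first with checks modelled on what the advisory calls "the current checks", then with an additional pushable-list membership check. The struct layout, function names, the exact check set and the membership check itself are assumptions of this example that illustrate the advisory's statement.

```c
/* Added example, not kernel code: a simplified model of the window in
 * push_rt_task()/find_lock_lowest_rq() where the runqueue lock is dropped.
 * All names and the check set below are assumptions of this model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct task { int cpu; bool on_rq; };
struct rq {
    int cpu;
    struct task *pushable;   /* head of the pushable-tasks list (one slot in this model) */
};

/* Modelled on "the current checks": the task is still attributed to this CPU
 * and is queued. Both conditions hold again in the racy state. */
static bool checks_before_fix(const struct rq *rq, const struct task *t)
{
    return t->cpu == rq->cpu && t->on_rq;
}

/* Additionally require that the task is still on this rq's pushable list,
 * the invariant the advisory says is violated (assumed hardening, not the upstream patch). */
static bool checks_with_list_membership(const struct rq *rq, const struct task *t)
{
    return checks_before_fix(rq, t) && rq->pushable == t;
}

/* Replay the interleaving: the pusher on cpu 0 chose t and dropped rq0's lock;
 * meanwhile t was migrated to cpu 1 (unlinked from rq0's pushable list), ran,
 * slept, and was woken (ttwu) back onto cpu 0, queued but not on the pushable
 * list, which is the state the advisory describes. Returns true if the given
 * check still approves pushing the stale pointer. */
static bool replay_race(bool (*check)(const struct rq *, const struct task *))
{
    struct task t = { .cpu = 0, .on_rq = true };
    struct rq rq0 = { .cpu = 0, .pushable = &t };

    rq0.pushable = NULL; t.cpu = 1;   /* migration to cpu 1 while rq0->lock is dropped */
    t.on_rq = false;                  /* t ran on cpu 1 and went to sleep */
    t.cpu = 0; t.on_rq = true;        /* ttwu queues it on cpu 0 again */

    return check(&rq0, &t);           /* pusher retook both locks, re-validates */
}

int main(void)
{
    printf("pre-fix checks approve stale push: %s\n",
           replay_race(checks_before_fix) ? "yes" : "no");
    printf("membership check approves:         %s\n",
           replay_race(checks_with_list_membership) ? "yes" : "no");
    return 0;
}
```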

Crashes

This bug resulted in quite a few flavors of crashes triggering kernel panics with various crash signatures, such as assert failures, page faults, null pointer dereferences, and queue corruption errors, all coming from the scheduler itself.

Some of the crashes:

-> kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx >= MAX_RT_PRIO)
Call Trace:
? __die_body+0x1a/0x60
? die+0x2a/0x50
? do_trap+0x85/0x100
? pick_next_task_rt+0x6e/0x1d0
? do_error_trap+0x64/0xa0
? pick_next_task_rt+0x6e/0x1d0
? exc_invalid_op+0x4c/0x60
? pick_next_task_rt+0x6e/0x1d0
? asm_exc_invalid_op+0x12/0x20
? pick_next_task_rt+0x6e/0x1d0
__schedule+0x5cb/0x790
? update_ts_time_stats+0x55/0x70
schedule_idle+0x1e/0x40
do_idle+0x15e/0x200
cpu_startup_entry+0x19/0x20
start_secondary+0x117/0x160
secondary_startup_64_no_verify+0xb0/0xbb

-> BUG: kernel NULL pointer dereference, address: 00000000000000c0
Call Trace:
? __die_body+0x1a/0x60
? no_context+0x183/0x350
? __warn+0x8a/0xe0
? exc_page_fault+0x3d6/0x520
? asm_exc_page_fault+0x1e/0x30
? pick_next_task_rt+0xb5/0x1d0
? pick_next_task_rt+0x8c/0x1d0
__schedule+0x583/0x7e0
? update_ts_time_stats+0x55/0x70
schedule_idle+0x1e/0x40
do_idle+0x15e/0x200
cpu_startup_entry+0x19/0x20
start_secondary+0x117/0x160
secondary_startup_64_no_verify+0xb0/0xbb

-> BUG: unable to handle page fault for address: ffff9464daea5900
kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq->cpu != task_cpu(p))

-> kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq->nr_running)
Call Trace:
? __die_body+0x1a/0x60
? die+0x2a/0x50
? do_trap+0x85/0x100
? dequeue_top_rt_rq+0xa2/0xb0
? do_error_trap+0x64/0xa0
? dequeue_top_rt_rq+0xa2/0xb0
? exc_invalid_op+0x4c/0x60
? dequeue_top_rt_rq+0xa2/0xb0
? asm_exc_invalid_op+0x12/0x20
? dequeue_top_rt_rq+0xa2/0xb0
dequeue_rt_entity+0x1f/0x70
dequeue_task_rt+0x2d/0x70
__schedule+0x1a8/0x7e0
? blk_finish_plug+0x25/0x40
schedule+0x3c/0xb0
futex_wait_queue_me+0xb6/0x120
futex_wait+0xd9/0x240
do_futex+0x344/0xa90
? get_mm_exe_file+0x30/0x60
? audit_exe_compare+0x58/0x70
? audit_filter_rules.constprop.26+0x65e/0x1220
__x64_sys_futex+0x148/0x1f0
do_syscall_64+0x30/0x80
entry_SYSCALL_64_after_hwframe+0x62/0xc7

-> BUG: unable to handle page fault for address: ffff8cf3608bc2c0
Call Trace:
? __die_body+0x1a/0x60
? no_context+0x183/0x350
? spurious_kernel_fault+0x171/0x1c0
? exc_page_fault+0x3b6/0x520
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? asm_exc_page_fault+0x1e/0x30
? cond_resched+0x15/0x30
? futex_wait_queue_me+0xc8/0x120
? futex_wait+0xd9/0x240
? try_to_wake_up+0x1b8/0x490
? futex_wake+0x78/0x160
? do_futex+0xcd/0xa90
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? plist_del+0x6a/0xd0
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? dequeue_pushable_task+0x20/0x70
? __schedule+0x382/0x7e0
? asm_sysvec_reschedule_i ---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38234.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
07ecabfbca64f4f0b6071cf96e49d162fa9d138d
Fixed
690e47d1403e90b7f2366f03b52ed3304194c793

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.15.4