From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Cc: stable@vger.kernel.org, Sasha Levin <sashal@kernel.org>,
Seiji Nishikawa <snishika@redhat.com>,
"Rafael J . Wysocki" <rafael.j.wysocki@intel.com>
Subject: Re: [PATCH for 5.4 and 5.10] ACPI: PAD: fix crash in exit_round_robin()
Date: Thu, 10 Jul 2025 15:36:28 +0200 [thread overview]
Message-ID: <2025071024-move-barrette-1e52@gregkh> (raw)
In-Reply-To: <1750809374-29306-1-git-send-email-nobuhiro1.iwamatsu@toshiba.co.jp>
On Wed, Jun 25, 2025 at 08:56:14AM +0900, Nobuhiro Iwamatsu wrote:
> From: Seiji Nishikawa <snishika@redhat.com>
>
> commit 0a2ed70a549e61c5181bad5db418d223b68ae932 upstream.
>
> The kernel occasionally crashes in cpumask_clear_cpu(), which is called
> within exit_round_robin(), because when executing clear_bit(nr, addr) with
> nr set to 0xffffffff, the address calculation may cause misalignment within
> the memory, leading to access to an invalid memory address.
>
> ----------
> BUG: unable to handle kernel paging request at ffffffffe0740618
> ...
> CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X --------- - - 4.18.0-425.19.2.el8_7.x86_64 #1
> ...
> RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad]
> Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 <f0> 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31
> RSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202
> RAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
> RBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8
> R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e
> R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e
> FS: 0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
> ? acpi_pad_add+0x120/0x120 [acpi_pad]
> kthread+0x10b/0x130
> ? set_kthread_struct+0x50/0x50
> ret_from_fork+0x1f/0x40
> ...
> CR2: ffffffffe0740618
>
> crash> dis -lr ffffffffc0726923
> ...
> /usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114
> 0xffffffffc0726918 <power_saving_thread+776>: mov %r12d,%r12d
> /usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325
> 0xffffffffc072691b <power_saving_thread+779>: mov -0x3f8d7de0(,%r12,4),%eax
> /usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80
> 0xffffffffc0726923 <power_saving_thread+787>: lock btr %rax,0x19cf4(%rip) # 0xffffffffc0740620 <pad_busy_cpus_bits>
>
> crash> px tsk_in_cpu[14]
> $66 = 0xffffffff
>
> crash> px 0xffffffffc072692c+0x19cf4
> $99 = 0xffffffffc0740620
>
> crash> sym 0xffffffffc0740620
> ffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad]
>
> crash> px pad_busy_cpus_bits[0]
> $42 = 0xfffc0
> ----------
>
> To fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling
> cpumask_clear_cpu() in exit_round_robin(), just as it is done in
> round_robin_cpu().
>
> Signed-off-by: Seiji Nishikawa <snishika@redhat.com>
> Link: https://patch.msgid.link/20240825141352.25280-1-snishika@redhat.com
> [ rjw: Subject edit, avoid updates to the same value ]
> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> Link: https://nvd.nist.gov/vuln/detail/CVE-2024-49935
Why did you add a nist.gov link here?
NIST is know to "enhance" cve.org reports in ways that are flat out
wrong. Never trust them, only rely on the original cve.org report
please, as that is under our control.
Also NIST totally ignores numerous parts of the cve.org report that we
provide, making this type of link contain less information overall than
the original report.
And finally, no need to add links like this to backports. If we were to
do that everywhere, it would be a total mess given our rate of 13 CVEs a
day we are currently running at.
thanks,
greg k-h
next prev parent reply other threads:[~2025-07-10 13:36 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-24 23:56 [PATCH for 5.4 and 5.10] ACPI: PAD: fix crash in exit_round_robin() Nobuhiro Iwamatsu
2025-06-25 14:07 ` Sasha Levin
2025-07-10 13:36 ` Greg Kroah-Hartman [this message]
2025-07-14 2:08 ` nobuhiro1.iwamatsu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2025071024-move-barrette-1e52@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=nobuhiro1.iwamatsu@toshiba.co.jp \
--cc=rafael.j.wysocki@intel.com \
--cc=sashal@kernel.org \
--cc=snishika@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.