CVE-2022-50177

{"id": "CVE-2022-50177", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-06-18T11:15:48.107", "references": [{"url": "https://git.kernel.org/stable/c/3002153a91a9732a6d1d0bb95138593c7da15743", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/621595f771a6bd458ffbc40679e222ba5d0a7a1e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7e7472c62c6ded322afd9d5ac8bb20a08e7c5674", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8e84693621f53bf894af9905a6531e0530402145", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcutorture: Fix ksoftirqd boosting timing and iteration\n\nThe RCU priority boosting can fail in two situations:\n\n1) If (nr_cpus= > maxcpus=), which means if the total number of CPUs\nis higher than those brought online at boot, then torture_onoff() may\nlater bring up CPUs that weren't online on boot. Now since rcutorture\ninitialization only boosts the ksoftirqds of the CPUs that have been\nset online on boot, the CPUs later set online by torture_onoff won't\nbenefit from the boost, making RCU priority boosting fail.\n\n2) The ksoftirqd kthreads are boosted after the creation of\nrcu_torture_boost() kthreads, which opens a window large enough for these\nrcu_torture_boost() kthreads to wait (despite running at FIFO priority)\nfor ksoftirqds that are still running at SCHED_NORMAL priority.\n\nThe issues can trigger for example with:\n\n\t./kvm.sh --configs TREE01 --kconfig \"CONFIG_RCU_BOOST=y\"\n\n\t[ 34.968561] rcu-torture: !!!\n\t[ 34.968627] ------------[ cut here ]------------\n\t[ 35.014054] WARNING: CPU: 4 PID: 114 at kernel/rcu/rcutorture.c:1979 rcu_torture_stats_print+0x5ad/0x610\n\t[ 35.052043] Modules linked in:\n\t[ 35.069138] CPU: 4 PID: 114 Comm: rcu_torture_sta Not tainted 5.18.0-rc1 #1\n\t[ 35.096424] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014\n\t[ 35.154570] RIP: 0010:rcu_torture_stats_print+0x5ad/0x610\n\t[ 35.198527] Code: 63 1b 02 00 74 02 0f 0b 48 83 3d 35 63 1b 02 00 74 02 0f 0b 48 83 3d 21 63 1b 02 00 74 02 0f 0b 48 83 3d 0d 63 1b 02 00 74 02 <0f> 0b 83 eb 01 0f 8e ba fc ff ff 0f 0b e9 b3 fc ff f82\n\t[ 37.251049] RSP: 0000:ffffa92a0050bdf8 EFLAGS: 00010202\n\t[ 37.277320] rcu: De-offloading 8\n\t[ 37.290367] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000001\n\t[ 37.290387] RDX: 0000000000000000 RSI: 00000000ffffbfff RDI: 00000000ffffffff\n\t[ 37.290398] RBP: 000000000000007b R08: 0000000000000000 R09: c0000000ffffbfff\n\t[ 37.290407] R10: 000000000000002a R11: ffffa92a0050bc18 R12: ffffa92a0050be20\n\t[ 37.290417] R13: ffffa92a0050be78 R14: 0000000000000000 R15: 000000000001bea0\n\t[ 37.290427] FS: 0000000000000000(0000) GS:ffff96045eb00000(0000) knlGS:0000000000000000\n\t[ 37.290448] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\t[ 37.290460] CR2: 0000000000000000 CR3: 000000001dc0c000 CR4: 00000000000006e0\n\t[ 37.290470] Call Trace:\n\t[ 37.295049] <TASK>\n\t[ 37.295065] ? preempt_count_add+0x63/0x90\n\t[ 37.295095] ? _raw_spin_lock_irqsave+0x12/0x40\n\t[ 37.295125] ? rcu_torture_stats_print+0x610/0x610\n\t[ 37.295143] rcu_torture_stats+0x29/0x70\n\t[ 37.295160] kthread+0xe3/0x110\n\t[ 37.295176] ? kthread_complete_and_exit+0x20/0x20\n\t[ 37.295193] ret_from_fork+0x22/0x30\n\t[ 37.295218] </TASK>\n\nFix this with boosting the ksoftirqds kthreads from the boosting\nhotplug callback itself and before the boosting kthreads are created."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rcutorture: Correcci\u00f3n de la sincronizaci\u00f3n e iteraci\u00f3n del boosting de ksoftirqd. El boosting de prioridad de RCU puede fallar en dos situaciones: 1) Si (nr_cpus= &gt; maxcpus=), lo que significa que el n\u00famero total de CPU es mayor que el de las que se conectaron al arranque, torture_onoff() puede reactivar posteriormente las CPU que no lo estaban. Dado que la inicializaci\u00f3n de rcutorture solo potencia los ksoftirqds de las CPU que se conectaron al arranque, las CPU que torture_onoff active posteriormente no se beneficiar\u00e1n del boosting, lo que provocar\u00e1 un fallo en el boosting de prioridad de RCU. 2) Los kthreads de ksoftirqd se impulsan tras la creaci\u00f3n de los kthreads rcu_torture_boost(), lo que abre una ventana lo suficientemente grande como para que estos kthreads rcu_torture_boost() esperen (a pesar de ejecutarse con prioridad FIFO) a los ksoftirqds que a\u00fan se ejecutan con prioridad SCHED_NORMAL. Los problemas pueden activarse, por ejemplo, con: ./kvm.sh --configs TREE01 --kconfig \"CONFIG_RCU_BOOST=y\" [ 34.968561] rcu-torture: !!! [ 34.968627] ------------[ cortar aqu\u00ed ]------------ [ 35.014054] ADVERTENCIA: CPU: 4 PID: 114 en kernel/rcu/rcutorture.c:1979 rcu_torture_stats_print+0x5ad/0x610 [ 35.052043] M\u00f3dulos vinculados en: [ 35.069138] CPU: 4 PID: 114 Comm: rcu_torture_sta No contaminado 5.18.0-rc1 #1 [ 35.096424] Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014 [ 35.154570] RIP: 0010:rcu_torture_stats_print+0x5ad/0x610 [ 35.198527] C\u00f3digo: 63 1b 02 00 74 02 0f 0b 48 83 3d 35 63 1b 02 00 74 02 0f 0b 48 83 3d 21 63 1b 02 00 74 02 0f 0b 48 83 3d 0d 63 1b 02 00 74 02 &lt;0f&gt; 0b 83 eb 01 0f 8e ba fc ff ff 0f 0b e9 b3 fc ff f82 [ 37.251049] RSP: 0000:ffffa92a0050bdf8 EFLAGS: 00010202 [ 37.277320] rcu: Descarga 8 [ 37.290367] RAX: 00000000000000000 RBX: 0000000000000001 RCX: 0000000000000001 [ 37.290387] RDX: 0000000000000000 RSI: 00000000ffffbfff RDI: 00000000ffffffff [ 37.290398] RBP: 000000000000007b R08: 0000000000000000 R09: c0000000ffffbfff [37.290407] R10: 000000000000002a R11: ffffa92a0050bc18 R12: ffffa92a0050be20 [37.290417] R13: ffffa92a0050be78 R14: 0000000000000000 R15: 000000000001bea0 [37.290427] FS: 000000000000000(0000) GS:ffff96045eb00000(0000) knlGS:0000000000000000 [37.290448] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 37.290460] CR2: 0000000000000000 CR3: 000000001dc0c000 CR4: 00000000000006e0 [ 37.290470] Rastreo de llamadas: [ 37.295049] [ 37.295065] ? preempt_count_add+0x63/0x90 [ 37.295095] ? _raw_spin_lock_irqsave+0x12/0x40 [ 37.295125] ? rcu_torture_stats_print+0x610/0x610 [ 37.295143] rcu_torture_stats+0x29/0x70 [ 37.295160] kthread+0xe3/0x110 [ 37.295176] ? kthread_complete_and_exit+0x20/0x20 [ 37.295193] ret_from_fork+0x22/0x30 [ 37.295218] Solucione esto potenciando los kthreads ksoftirqds desde la devoluci\u00f3n de llamada hotplug de potenciaci\u00f3n y antes de que se creen los kthreads de potenciaci\u00f3n."}], "lastModified": "2025-11-28T14:51:33.207", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E529C2C2-B07B-4425-919F-8EC0AB91FA47", "versionEndExcluding": "5.15.61", "versionStartIncluding": "5.14"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B42E453-8837-49D0-A5EF-03F818A6DC11", "versionEndExcluding": "5.18.18", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A1A2A5A5-4598-4D7E-BA07-4660398D6C8F", "versionEndExcluding": "5.19.2", "versionStartIncluding": "5.19"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}