[Devel] [PATCH RHEL10 COMMIT] x86/cpuid_fault: Fix possible UAF in cpuid_override_info
Konstantin Khorenko
khorenko at virtuozzo.com
Mon May 18 16:46:06 MSK 2026
The commit is pushed to "branch-rh10-6.12.0-55.52.1.5.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-55.52.1.5.26.vz10
------>
commit 8ef004ad31ddfde243ad36c576c44c694ee3c47a
Author: Vladimir Riabchun <vladimir.riabchun at virtuozzo.com>
Date: Thu May 7 21:01:55 2026 +0200
x86/cpuid_fault: Fix possible UAF in cpuid_override_info
If there are two writers, the following race is possible:
Writer 1:                                  | Writer 2:
cpuid_override_update(T1)                  |
  spin_lock(&cpuid_override_lock)          |
  cpuid_override = T1                      |
  spin_unlock(&cpuid_override_lock)        |
  <Context switched>                       |
                                           | cpuid_override_update(T2)
                                           |   spin_lock(&cpuid_override_lock)
                                           |   old_table = T1
                                           |   cpuid_override = T2
                                           |   spin_unlock(&cpuid_override_lock)
                                           |
                                           |   kfree_rcu(T1, rcu_head);
                                           |   ^^^^^ No rcu_read_lock, free now
  cpuid_override_info(T1) <<< UAF          |
Fix it by dumping the override table under cpuid_override_lock.
Fixes: a8dfdcae85ac ("x86/cpuid_fault: Log table updates")
Signed-off-by: Vladimir Riabchun <vladimir.riabchun at virtuozzo.com>
Feature: x86: cpu pools (cpuid override)
---
arch/x86/kernel/cpuid_fault.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/arch/x86/kernel/cpuid_fault.c b/arch/x86/kernel/cpuid_fault.c
index 117c971f531a4..ed5349b955f82 100644
--- a/arch/x86/kernel/cpuid_fault.c
+++ b/arch/x86/kernel/cpuid_fault.c
@@ -59,9 +59,8 @@ static void cpuid_override_update(struct cpuid_override_table *new_table)
spin_lock(&cpuid_override_lock);
old_table = rcu_access_pointer(cpuid_override);
rcu_assign_pointer(cpuid_override, new_table);
- spin_unlock(&cpuid_override_lock);
-
cpuid_override_info(new_table);
+ spin_unlock(&cpuid_override_lock);
if (old_table)
kfree_rcu(old_table, rcu_head);
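Review bot: moving cpuid_override_info(new_table) before spin_unlock() does close the race described in the commit message (a second writer can no longer reach kfree_rcu() on the table the first writer is still dumping), but it also makes the spinlock hold time depend on how much cpuid_override_info() logs per table, so please confirm the dump contains nothing that can sleep or take a mutex now that it runs under spin_lock(). If the hold time matters, an alternative worth considering is to dump new_table before the spin_lock()/rcu_assign_pointer() pair, while the table is still private to this writer and cannot be picked up as old_table by anyone; the trade-off is that concurrent writers' dumps could then interleave in the log in an order that differs from the publish order, which the under-lock placement in this hunk avoids. Either way, a one-line comment above the info call noting that it must stay inside the lock would keep a future cleanup from reintroducing the UAF.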