Linux Kernel Cgroup V2 Cpuset Empty Mask Vulnerability Leading to Panic

Vulnerability

A vulnerability in the Linux kernel's handling of cpus_allowed masks within cpusets can lead to a system panic. In cgroup v2, an empty cpus_allowed mask in a cpuset indicates that the cpuset uses the effective CPUs of its parent. As a result, cpuset_can_attach() can call task_can_attach() with an empty mask, leading to a crash. The crash occurs because cpumask_any_and() then returns a CPU number that is out of bounds, and using that number causes a page fault. The vulnerability has been addressed by modifying the cpuset management functions to use the effective_cpus mask instead, which correctly reflects the CPUs available to tasks within the cpuset.

Impact

Exploitation of this vulnerability causes a kernel panic due to a page fault error, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by creating a cpuset with an empty cpus_allowed mask in a cgroup v2 environment. When the cpuset_can_attach() function is called, it will trigger the task_can_attach() function with the empty mask. This sequence causes the cpumask_any_and() function to return a value that exceeds the number of available CPUs, leading to a crash when the out-of-bounds CPU value is accessed.

Remediation

The vulnerability has been fixed in the official Linux kernel repository. Users should upgrade to the latest version where this issue has been addressed.
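The following user-space C model is an added example, not kernel code and not the upstream patch. It shows why looking up a CPU in an empty cpus_allowed mask gives an out-of-range index, and how looking it up in effective_cpus avoids that. The names cpuset_model, mask_any_and, pick_cpu_before and pick_cpu_after, the 8-CPU size, and the extra range check are assumptions made for illustration.

```c
#include <stdio.h>

#define NR_CPU_IDS  8u      /* constructed: model an 8-CPU machine */
#define ACTIVE_MASK 0xffUL  /* constructed: all 8 modelled CPUs online */

/* Simplified stand-in for the kernel's struct cpuset: one bit per CPU. */
struct cpuset_model {
    unsigned long cpus_allowed;   /* configured mask; empty means "inherit" in v2 */
    unsigned long effective_cpus; /* CPUs that tasks in the cpuset actually get */
};
/* Constructed child cpuset: nothing configured, inherits CPUs 2-3 from parent. */
static const struct cpuset_model sample_child = { 0x00UL, 0x0cUL };

/* Same contract as cpumask_any_and(): a CPU set in both masks, or a value
 * >= NR_CPU_IDS when the intersection is empty. */
static unsigned int mask_any_and(unsigned long a, unsigned long b)
{
    for (unsigned int cpu = 0; cpu < NR_CPU_IDS; cpu++)
        if ((a & b) & (1UL << cpu))
            return cpu;
    return NR_CPU_IDS;
}

/* Before: the configured mask is consulted, so an inheriting cpuset yields
 * an index past the end of anything sized by the CPU count. */
static unsigned int pick_cpu_before(const struct cpuset_model *cs)
{
    return mask_any_and(ACTIVE_MASK, cs->cpus_allowed);
}

/* After: effective_cpus is consulted. The range check is this example's own
 * extra guard. Returns 0 and stores the CPU, or -1 if none is usable. */
static int pick_cpu_after(const struct cpuset_model *cs, unsigned int *cpu_out)
{
    unsigned int cpu = mask_any_and(ACTIVE_MASK, cs->effective_cpus);
    if (cpu >= NR_CPU_IDS)
        return -1;
    *cpu_out = cpu;
    return 0;
}

int main(void)
{
    unsigned int cpu = 0;
    printf("before: index %u of %u CPUs\n", pick_cpu_before(&sample_child), NR_CPU_IDS);
    if (pick_cpu_after(&sample_child, &cpu) == 0)
        printf("after:  cpu %u\n", cpu);
    return 0;
}
```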

Added: Jun 18, 2025, 5:14 PM
Updated: Jun 18, 2025, 5:14 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.