CVE-2024-57951

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The issue arises when a CPU transitions from an online state to a hotunplug state and back, without properly handling the CPU state. Specifically, hrtimers prepare cpu() does not run, causing cpu base.hres active to remain set, and the tick and clockevents are shut down during the unplug operation. Upon returning to the online state, the system incorrectly assumes the hrtick is active, and the clockevent device's chance to transition to oneshot mode is lost. Additionally, the per CPU state is not reset, resulting in dangling pointers. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Recommendations To resolve the issue, a corresponding startup() callback should be added, which resets the stale per CPU state and sets the online flag. As a temporary workaround, consider disabling the hrtimers prepare cpu() function until a patch is available. Restrict access to the vulnerable cpu base module to minimize the risk of exploitation. Avoid using the cpu base.hres active variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.