PT-2026-43786 · Linux · Linux
Published 2026-05-27 · Updated 2026-05-27
CVE-2026-45919
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
sched/rt: Skip currently executing CPU in rto_next_cpu()
CPU0 becomes overloaded when hosting a CPU-bound RT task, a non-CPU-bound
RT task, and a CFS task stuck in kernel space. When other CPUs switch from
RT to non-RT tasks, RT load balancing (LB) is triggered; with
HAVE_RT_PUSH_IPI enabled, they send IPIs to CPU0 to drive the execution
of rto_push_irq_work_func. During push_rt_task on CPU0,
if next_task->prio < rq->donor->prio, resched_curr() sets NEED_RESCHED
and after the push operation completes, CPU0 calls rto_next_cpu().
Since only CPU0 is overloaded in this scenario, rto_next_cpu() should
ideally return -1 (no further IPI needed).
However, multiple CPUs invoking tell_cpu_to_push() during LB increments
rd->rto_loop_next. Even when rd->rto_cpu is set to -1, the mismatch between
rd->rto_loop and rd->rto_loop_next forces rto_next_cpu() to restart its
search from -1. With CPU0 remaining overloaded (satisfying rt_nr_migratory
&& rt_nr_total > 1), it gets reselected, causing CPU0 to queue irq_work to
itself and send self-IPIs repeatedly. As long as CPU0 stays overloaded and
other CPUs run pull_rt_tasks(), it falls into an infinite self-IPI loop,
which triggers a CPU hardlockup due to continuous self-interrupts.
The triggering scenario is as follows:
cpu0 cpu1 cpu2
pull_rt_task
tell_cpu_to_push
<------------irq_work_queue_on
rto_push_irq_work_func
push_rt_task
resched_curr(rq) pull_rt_task
rto_next_cpu tell_cpu_to_push
<-------------------------- atomic_inc(rto_loop_next)
rd->rto_loop != next
rto_next_cpu
irq_work_queue_on
rto_push_irq_work_func
Fix redundant self-IPI by filtering the initiating CPU in rto_next_cpu().
This solution has been verified to effectively eliminate spurious self-IPIs
and prevent CPU hardlockup scenarios.
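The selection loop described above, as an added example: a simplified user-space model, not the kernel's code or the upstream patch. The names rd_model, mask_next, rto_next_cpu_model, count_self_ipis and the skip_cpu parameter are hypothetical, and the scan logic is an assumption reconstructed from the description.

```c
#include <stdio.h>
#define NR_CPUS 3

struct rd_model {       /* simplified stand-in for the root_domain fields */
    unsigned rto_mask;  /* bit n set: CPU n is RT-overloaded */
    int rto_cpu;        /* CPU last chosen for the push IPI, -1 = none */
    int rto_loop;       /* generation the scan last caught up with */
    int rto_loop_next;  /* bumped by every tell_cpu_to_push() caller */
};

static int mask_next(int prev, unsigned mask)  /* cpumask_next()-like */
{
    int c = prev + 1;
    while (c < NR_CPUS && !(mask & (1u << c)))
        c++;
    return c;           /* NR_CPUS when no overloaded CPU follows prev */
}

/* skip_cpu < 0 models the unfiltered scan; otherwise that CPU is never chosen. */
static int rto_next_cpu_model(struct rd_model *rd, int skip_cpu)
{
    for (;;) {
        int cpu = rd->rto_cpu = mask_next(rd->rto_cpu, rd->rto_mask);
        if (cpu < NR_CPUS && cpu != skip_cpu)
            return cpu;
        if (cpu < NR_CPUS)
            continue;                      /* filtered: scan past this CPU */
        rd->rto_cpu = -1;
        if (rd->rto_loop == rd->rto_loop_next)
            return -1;                     /* nothing new: IPI chain ends */
        rd->rto_loop = rd->rto_loop_next;  /* new request seen: rescan */
    }
}

/* CPU0 is the only overloaded CPU; a remote CPU bumps rto_loop_next each round. */
static int count_self_ipis(int rounds, int filter_self)
{
    struct rd_model rd = { .rto_mask = 1u, .rto_cpu = 0 };
    int self = 0;
    for (int i = 0; i < rounds; i++) {
        rd.rto_loop_next++;                /* remote tell_cpu_to_push() */
        self += rto_next_cpu_model(&rd, filter_self ? 0 : -1) == 0;
    }
    return self;
}
int main(void)
{
    printf("unfiltered=%d filtered=%d\n", count_self_ipis(1000, 0), count_self_ipis(1000, 1));
    return 0;
}
```

In the unfiltered run every remote increment of rto_loop_next makes CPU0 pick itself again, which is the self-IPI pattern the advisory describes. With the filter the scan still returns other overloaded CPUs but ends with -1 when CPU0 is the only one.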
Related Identifiers
Affected Products
Linux