cve/published/2024/CVE-2024-26845.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26845: scsi: target: core: Add TMF to tmr_list handling

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 scsi: target: core: Add TMF to tmr_list handling

 An abort that is responded to by iSCSI itself is added to tmr_list but does
 not go to target core. A LUN_RESET that goes through tmr_list takes a
 refcounter on the abort and waits for completion. However, the abort will
 be never complete because it was not started in target core.

  Unable to locate ITT: 0x05000000 on CID: 0
  Unable to locate RefTaskTag: 0x05000000 on CID: 0.
  wait_for_tasks: Stopping tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop
  wait for tasks: tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop
 ...
  INFO: task kworker/0:2:49 blocked for more than 491 seconds.
  task:kworker/0:2     state:D stack:    0 pid:   49 ppid:     2 flags:0x00000800
  Workqueue: events target_tmr_work [target_core_mod]
 Call Trace:
  __switch_to+0x2c4/0x470
  _schedule+0x314/0x1730
  schedule+0x64/0x130
  schedule_timeout+0x168/0x430
  wait_for_completion+0x140/0x270
  target_put_cmd_and_wait+0x64/0xb0 [target_core_mod]
  core_tmr_lun_reset+0x30/0xa0 [target_core_mod]
  target_tmr_work+0xc8/0x1b0 [target_core_mod]
  process_one_work+0x2d4/0x5d0
  worker_thread+0x78/0x6c0

 To fix this, only add abort to tmr_list if it will be handled by target
 core.

 The Linux kernel CVE team has assigned CVE-2024-26845 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.19.308 with commit 425a571a7e6fc389954cf2564e1edbba3740e171
 	Fixed in 5.4.270 with commit 11f3fe5001ed05721e641f0ecaa7a73b7deb245d
 	Fixed in 5.10.211 with commit 168ed59170de1fd7274080fe102216162d6826cf
 	Fixed in 5.15.150 with commit a9849b67b4402a12eb35eadc9306c1ef9847d53d
 	Fixed in 6.1.80 with commit e717bd412001495f17400bfc09f606f1b594ef5a
 	Fixed in 6.6.19 with commit 36bc5040c863b44af06094b22f1e50059227b9cb
 	Fixed in 6.7.7 with commit bd508f96b5fef96d8a0ce9cbb211d82bcfc2341f
 	Fixed in 6.8 with commit 83ab68168a3d990d5ff39ab030ad5754cbbccb25

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26845
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/target/target_core_device.c
 	drivers/target/target_core_transport.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/425a571a7e6fc389954cf2564e1edbba3740e171
 	https://git.kernel.org/stable/c/11f3fe5001ed05721e641f0ecaa7a73b7deb245d
 	https://git.kernel.org/stable/c/168ed59170de1fd7274080fe102216162d6826cf
 	https://git.kernel.org/stable/c/a9849b67b4402a12eb35eadc9306c1ef9847d53d
 	https://git.kernel.org/stable/c/e717bd412001495f17400bfc09f606f1b594ef5a
 	https://git.kernel.org/stable/c/36bc5040c863b44af06094b22f1e50059227b9cb
 	https://git.kernel.org/stable/c/bd508f96b5fef96d8a0ce9cbb211d82bcfc2341f
 	https://git.kernel.org/stable/c/83ab68168a3d990d5ff39ab030ad5754cbbccb25
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26845: scsi: target: core: Add TMF to tmr_list handling

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	scsi: target: core: Add TMF to tmr_list handling

	An abort that is responded to by iSCSI itself is added to tmr_list but does
	not go to target core. A LUN_RESET that goes through tmr_list takes a
	refcounter on the abort and waits for completion. However, the abort will
	be never complete because it was not started in target core.

	Unable to locate ITT: 0x05000000 on CID: 0
	Unable to locate RefTaskTag: 0x05000000 on CID: 0.
	wait_for_tasks: Stopping tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop
	wait for tasks: tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop
	...
	INFO: task kworker/0:2:49 blocked for more than 491 seconds.
	task:kworker/0:2 state:D stack: 0 pid: 49 ppid: 2 flags:0x00000800
	Workqueue: events target_tmr_work [target_core_mod]
	Call Trace:
	__switch_to+0x2c4/0x470
	_schedule+0x314/0x1730
	schedule+0x64/0x130
	schedule_timeout+0x168/0x430
	wait_for_completion+0x140/0x270
	target_put_cmd_and_wait+0x64/0xb0 [target_core_mod]
	core_tmr_lun_reset+0x30/0xa0 [target_core_mod]
	target_tmr_work+0xc8/0x1b0 [target_core_mod]
	process_one_work+0x2d4/0x5d0
	worker_thread+0x78/0x6c0

	To fix this, only add abort to tmr_list if it will be handled by target
	core.

	The Linux kernel CVE team has assigned CVE-2024-26845 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.19.308 with commit 425a571a7e6fc389954cf2564e1edbba3740e171
	Fixed in 5.4.270 with commit 11f3fe5001ed05721e641f0ecaa7a73b7deb245d
	Fixed in 5.10.211 with commit 168ed59170de1fd7274080fe102216162d6826cf
	Fixed in 5.15.150 with commit a9849b67b4402a12eb35eadc9306c1ef9847d53d
	Fixed in 6.1.80 with commit e717bd412001495f17400bfc09f606f1b594ef5a
	Fixed in 6.6.19 with commit 36bc5040c863b44af06094b22f1e50059227b9cb
	Fixed in 6.7.7 with commit bd508f96b5fef96d8a0ce9cbb211d82bcfc2341f
	Fixed in 6.8 with commit 83ab68168a3d990d5ff39ab030ad5754cbbccb25

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26845
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/target/target_core_device.c
	drivers/target/target_core_transport.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/425a571a7e6fc389954cf2564e1edbba3740e171
	https://git.kernel.org/stable/c/11f3fe5001ed05721e641f0ecaa7a73b7deb245d
	https://git.kernel.org/stable/c/168ed59170de1fd7274080fe102216162d6826cf
	https://git.kernel.org/stable/c/a9849b67b4402a12eb35eadc9306c1ef9847d53d
	https://git.kernel.org/stable/c/e717bd412001495f17400bfc09f606f1b594ef5a
	https://git.kernel.org/stable/c/36bc5040c863b44af06094b22f1e50059227b9cb
	https://git.kernel.org/stable/c/bd508f96b5fef96d8a0ce9cbb211d82bcfc2341f
	https://git.kernel.org/stable/c/83ab68168a3d990d5ff39ab030ad5754cbbccb25