From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-41053: scsi: ufs: core: Fix ufshcd_abort_one racing issue

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix ufshcd_abort_one racing issue

When ufshcd_abort_one is racing with the completion ISR, the completed tag
of the request's mq_hctx pointer will be set to NULL by ISR. Return
success when request is completed by ISR because ufshcd_abort_one does not
need to do anything.

The racing flow is:

Thread A
ufshcd_err_handler                              step 1
  ...
  ufshcd_abort_one
    ufshcd_try_to_abort_task
      ufshcd_cmd_inflight(true)                 step 3
    ufshcd_mcq_req_to_hwq
      blk_mq_unique_tag
        rq->mq_hctx->queue_num                  step 5

Thread B
ufs_mtk_mcq_intr(cq complete ISR)               step 2
  scsi_done
    ...
    __blk_mq_free_request
      rq->mq_hctx = NULL;                       step 4

Below is KE back trace.
ufshcd_try_to_abort_task: cmd at tag 41 not pending in the device.
ufshcd_try_to_abort_task: cmd at tag=41 is cleared.
Aborting tag 41 / CDB 0x28 succeeded
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194
pc : [0xffffffddd7a79bf8] blk_mq_unique_tag+0x8/0x14
lr : [0xffffffddd6155b84] ufshcd_mcq_req_to_hwq+0x1c/0x40 [ufs_mediatek_mod_ise]
do_mem_abort+0x58/0x118
el1_abort+0x3c/0x5c
el1h_64_sync_handler+0x54/0x90
el1h_64_sync+0x68/0x6c
blk_mq_unique_tag+0x8/0x14
ufshcd_err_handler+0xae4/0xfa8 [ufs_mediatek_mod_ise]
process_one_work+0x208/0x4fc
worker_thread+0x228/0x438
kthread+0x104/0x1d4
ret_from_fork+0x10/0x20

The Linux kernel CVE team has assigned CVE-2024-41053 to this issue.
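
As an added illustration, constructed here and not code from the kernel or from the fix commits, the C model below replays the interleaving above with mock request, hctx and hardware-queue structures. The completion path clears mq_hctx as in step 4; req_to_hwq_unchecked is the pre-fix shape that dereferences that pointer unconditionally (the NULL dereference in the backtrace); req_to_hwq_checked and model_abort_one treat a NULL mq_hctx as "already completed by the ISR" and return success, which is the resolution the description states. The struct layouts, the model_ and req_to_hwq_ function names, and the per-tag inflight flag are assumptions of this model, not kernel definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not kernel code) of the objects the advisory names. */
#define NR_HWQ  4
#define NR_TAGS 64

struct blk_mq_hw_ctx { unsigned int queue_num; };   /* hardware queue index */

struct request {
    unsigned int tag;
    struct blk_mq_hw_ctx *mq_hctx;   /* NULL once __blk_mq_free_request has run */
};

struct ufs_hw_queue { bool inflight[NR_TAGS]; };   /* tag still owned by the controller */

struct ufs_hba {
    struct blk_mq_hw_ctx hctx[NR_HWQ];
    struct ufs_hw_queue uhq[NR_HWQ];
};

void model_init(struct ufs_hba *hba)
{
    for (unsigned int q = 0; q < NR_HWQ; q++) {
        hba->hctx[q].queue_num = q;
        for (unsigned int t = 0; t < NR_TAGS; t++)
            hba->uhq[q].inflight[t] = false;
    }
}

/* Issue: bind the request to hardware queue q and mark its tag inflight. */
void model_issue(struct ufs_hba *hba, struct request *rq, unsigned int tag, unsigned int q)
{
    rq->tag = tag;
    rq->mq_hctx = &hba->hctx[q];
    hba->uhq[q].inflight[tag] = true;
}

/* Thread B (steps 2 and 4): completion ISR -> scsi_done -> __blk_mq_free_request.
 * The tag is released and the request loses its hctx binding. */
void model_complete_isr(struct ufs_hba *hba, struct request *rq)
{
    hba->uhq[rq->mq_hctx->queue_num].inflight[rq->tag] = false;
    rq->mq_hctx = NULL;
}

/* Pre-fix shape: dereferences mq_hctx unconditionally. Only safe while the
 * request is still bound; after Thread B ran this is the crash in the trace. */
struct ufs_hw_queue *req_to_hwq_unchecked(struct ufs_hba *hba, struct request *rq)
{
    return &hba->uhq[rq->mq_hctx->queue_num];
}

/* Hardened shape: read the pointer once and treat NULL as "already completed".
 * (In the kernel the single read would be READ_ONCE(); plain C here.) */
struct ufs_hw_queue *req_to_hwq_checked(struct ufs_hba *hba, struct request *rq)
{
    struct blk_mq_hw_ctx *hctx = rq->mq_hctx;

    if (!hctx)
        return NULL;
    return &hba->uhq[hctx->queue_num];
}

/* Thread A (step 5): abort path after the device reported the tag cleared.
 * Returns 0 (success) whether it releases the command itself or the ISR
 * already did, which is the resolution the advisory describes. */
int model_abort_one(struct ufs_hba *hba, struct request *rq)
{
    struct ufs_hw_queue *hwq = req_to_hwq_checked(hba, rq);

    if (!hwq)
        return 0;                       /* completed by ISR: nothing to do */
    if (hwq->inflight[rq->tag])
        hwq->inflight[rq->tag] = false; /* release the command ourselves */
    return 0;
}

/* The advisory's interleaving: the ISR completes tag 41 before the abort
 * path maps the request to its queue. Returns the abort path's result. */
int model_race_scenario(void)
{
    struct ufs_hba hba;
    struct request rq;

    model_init(&hba);
    model_issue(&hba, &rq, 41, 1);      /* step 1: error handler starts aborting */
    model_complete_isr(&hba, &rq);      /* steps 2 and 4: ISR frees the request */
    return model_abort_one(&hba, &rq);  /* step 5: survives because of the check */
}

/* No race: abort runs first, both mappings agree, and the tag is released. */
bool model_abort_releases_inflight_tag(void)
{
    struct ufs_hba hba;
    struct request rq;

    model_init(&hba);
    model_issue(&hba, &rq, 41, 1);
    if (req_to_hwq_unchecked(&hba, &rq) != req_to_hwq_checked(&hba, &rq))
        return false;
    if (model_abort_one(&hba, &rq) != 0)
        return false;
    return !hba.uhq[1].inflight[41];
}

int main(void)
{
    printf("abort after ISR completion -> %d (0 = success)\n", model_race_scenario());
    printf("abort before completion releases tag -> %s\n",
           model_abort_releases_inflight_tag() ? "yes" : "no");
    return 0;
}
```

The point of the model for a reviewer: the pre-fix mapping's safety depends on an ordering guarantee (abort before completion) that nothing enforces across the two threads, while the hardened mapping makes the "already completed" state an explicit, cheap return value that the abort path can act on.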


Affected and fixed versions
===========================

Issue introduced in 6.6.5 with commit ff7699d3620763b0dfe2ff93df4528880bf903a8 and fixed in 6.6.41 with commit c3111b3cf3889bfa7b73ebff83d7397db9b7e5e0
Issue introduced in 6.7 with commit 93e6c0e19d5bb12b49534a411c85e21d333731fa and fixed in 6.9.10 with commit b5a6ac887256762758bfe7f2918cb0233aa544f4
Issue introduced in 6.7 with commit 93e6c0e19d5bb12b49534a411c85e21d333731fa and fixed in 6.10 with commit 74736103fb4123c71bf11fb7a6abe7c884c5269e

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-41053
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
drivers/ufs/core/ufshcd.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/c3111b3cf3889bfa7b73ebff83d7397db9b7e5e0
https://git.kernel.org/stable/c/b5a6ac887256762758bfe7f2918cb0233aa544f4
https://git.kernel.org/stable/c/74736103fb4123c71bf11fb7a6abe7c884c5269e