cve/published/2024/CVE-2024-49569.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-49569: nvme-rdma: unquiesce admin_q before destroy it

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nvme-rdma: unquiesce admin_q before destroy it

 Kernel will hang on destroy admin_q while we create ctrl failed, such
 as following calltrace:

 PID: 23644    TASK: ff2d52b40f439fc0  CPU: 2    COMMAND: "nvme"
  #0 [ff61d23de260fb78] __schedule at ffffffff8323bc15
  #1 [ff61d23de260fc08] schedule at ffffffff8323c014
  #2 [ff61d23de260fc28] blk_mq_freeze_queue_wait at ffffffff82a3dba1
  #3 [ff61d23de260fc78] blk_freeze_queue at ffffffff82a4113a
  #4 [ff61d23de260fc90] blk_cleanup_queue at ffffffff82a33006
  #5 [ff61d23de260fcb0] nvme_rdma_destroy_admin_queue at ffffffffc12686ce
  #6 [ff61d23de260fcc8] nvme_rdma_setup_ctrl at ffffffffc1268ced
  #7 [ff61d23de260fd28] nvme_rdma_create_ctrl at ffffffffc126919b
  #8 [ff61d23de260fd68] nvmf_dev_write at ffffffffc024f362
  #9 [ff61d23de260fe38] vfs_write at ffffffff827d5f25
     RIP: 00007fda7891d574  RSP: 00007ffe2ef06958  RFLAGS: 00000202
     RAX: ffffffffffffffda  RBX: 000055e8122a4d90  RCX: 00007fda7891d574
     RDX: 000000000000012b  RSI: 000055e8122a4d90  RDI: 0000000000000004
     RBP: 00007ffe2ef079c0   R8: 000000000000012b   R9: 000055e8122a4d90
     R10: 0000000000000000  R11: 0000000000000202  R12: 0000000000000004
     R13: 000055e8122923c0  R14: 000000000000012b  R15: 00007fda78a54500
     ORIG_RAX: 0000000000000001  CS: 0033  SS: 002b

 This due to we have quiesced admi_q before cancel requests, but forgot
 to unquiesce before destroy it, as a result we fail to drain the
 pending requests, and hang on blk_mq_freeze_queue_wait() forever. Here
 try to reuse nvme_rdma_teardown_admin_queue() to fix this issue and
 simplify the code.

 The Linux kernel CVE team has assigned CVE-2024-49569 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.12 with commit 958dc1d32c80566f58d18f05ef1f05bd32d172c1 and fixed in 6.6.88 with commit 427036030f4d796533dcadba9b845896cb6c10a7
 	Issue introduced in 5.12 with commit 958dc1d32c80566f58d18f05ef1f05bd32d172c1 and fixed in 6.12.5 with commit 05b436f3cf65c957eff86c5ea5ddfa2604b32c63
 	Issue introduced in 5.12 with commit 958dc1d32c80566f58d18f05ef1f05bd32d172c1 and fixed in 6.13 with commit 5858b687559809f05393af745cbadf06dee61295
 	Issue introduced in 5.4.103 with commit a9ea34d2717a8c8892d3c5677329de9485e325ac
 	Issue introduced in 5.10.21 with commit 7da81eaf8710130a9e63d7429627183be5a93787
 	Issue introduced in 5.11.4 with commit caed0b3851a4f52afd1ef77a27b30410fe7b68c7

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-49569
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/nvme/host/rdma.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/427036030f4d796533dcadba9b845896cb6c10a7
 	https://git.kernel.org/stable/c/05b436f3cf65c957eff86c5ea5ddfa2604b32c63
 	https://git.kernel.org/stable/c/5858b687559809f05393af745cbadf06dee61295
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-49569: nvme-rdma: unquiesce admin_q before destroy it

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nvme-rdma: unquiesce admin_q before destroy it

	Kernel will hang on destroy admin_q while we create ctrl failed, such
	as following calltrace:

	PID: 23644 TASK: ff2d52b40f439fc0 CPU: 2 COMMAND: "nvme"
	#0 [ff61d23de260fb78] __schedule at ffffffff8323bc15
	#1 [ff61d23de260fc08] schedule at ffffffff8323c014
	#2 [ff61d23de260fc28] blk_mq_freeze_queue_wait at ffffffff82a3dba1
	#3 [ff61d23de260fc78] blk_freeze_queue at ffffffff82a4113a
	#4 [ff61d23de260fc90] blk_cleanup_queue at ffffffff82a33006
	#5 [ff61d23de260fcb0] nvme_rdma_destroy_admin_queue at ffffffffc12686ce
	#6 [ff61d23de260fcc8] nvme_rdma_setup_ctrl at ffffffffc1268ced
	#7 [ff61d23de260fd28] nvme_rdma_create_ctrl at ffffffffc126919b
	#8 [ff61d23de260fd68] nvmf_dev_write at ffffffffc024f362
	#9 [ff61d23de260fe38] vfs_write at ffffffff827d5f25
	RIP: 00007fda7891d574 RSP: 00007ffe2ef06958 RFLAGS: 00000202
	RAX: ffffffffffffffda RBX: 000055e8122a4d90 RCX: 00007fda7891d574
	RDX: 000000000000012b RSI: 000055e8122a4d90 RDI: 0000000000000004
	RBP: 00007ffe2ef079c0 R8: 000000000000012b R9: 000055e8122a4d90
	R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000004
	R13: 000055e8122923c0 R14: 000000000000012b R15: 00007fda78a54500
	ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b

	This due to we have quiesced admi_q before cancel requests, but forgot
	to unquiesce before destroy it, as a result we fail to drain the
	pending requests, and hang on blk_mq_freeze_queue_wait() forever. Here
	try to reuse nvme_rdma_teardown_admin_queue() to fix this issue and
	simplify the code.

	The Linux kernel CVE team has assigned CVE-2024-49569 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.12 with commit 958dc1d32c80566f58d18f05ef1f05bd32d172c1 and fixed in 6.6.88 with commit 427036030f4d796533dcadba9b845896cb6c10a7
	Issue introduced in 5.12 with commit 958dc1d32c80566f58d18f05ef1f05bd32d172c1 and fixed in 6.12.5 with commit 05b436f3cf65c957eff86c5ea5ddfa2604b32c63
	Issue introduced in 5.12 with commit 958dc1d32c80566f58d18f05ef1f05bd32d172c1 and fixed in 6.13 with commit 5858b687559809f05393af745cbadf06dee61295
	Issue introduced in 5.4.103 with commit a9ea34d2717a8c8892d3c5677329de9485e325ac
	Issue introduced in 5.10.21 with commit 7da81eaf8710130a9e63d7429627183be5a93787
	Issue introduced in 5.11.4 with commit caed0b3851a4f52afd1ef77a27b30410fe7b68c7

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49569
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/nvme/host/rdma.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/427036030f4d796533dcadba9b845896cb6c10a7
	https://git.kernel.org/stable/c/05b436f3cf65c957eff86c5ea5ddfa2604b32c63
	https://git.kernel.org/stable/c/5858b687559809f05393af745cbadf06dee61295