cve/published/2024/CVE-2024-56589.mbox

From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-56589: scsi: hisi_sas: Add cond_resched() for no forced preemption model

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

scsi: hisi_sas: Add cond_resched() for no forced preemption model

For no forced preemption model kernel, in the scenario where the
expander is connected to 12 high performance SAS SSDs, the following
call trace may occur:

[  214.409199][  C240] watchdog: BUG: soft lockup - CPU#240 stuck for 22s! [irq/149-hisi_sa:3211]
[  214.568533][  C240] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)
[  214.575224][  C240] pc : fput_many+0x8c/0xdc
[  214.579480][  C240] lr : fput+0x1c/0xf0
[  214.583302][  C240] sp : ffff80002de2b900
[  214.587298][  C240] x29: ffff80002de2b900 x28: ffff1082aa412000
[  214.593291][  C240] x27: ffff3062a0348c08 x26: ffff80003a9f6000
[  214.599284][  C240] x25: ffff1062bbac5c40 x24: 0000000000001000
[  214.605277][  C240] x23: 000000000000000a x22: 0000000000000001
[  214.611270][  C240] x21: 0000000000001000 x20: 0000000000000000
[  214.617262][  C240] x19: ffff3062a41ae580 x18: 0000000000010000
[  214.623255][  C240] x17: 0000000000000001 x16: ffffdb3a6efe5fc0
[  214.629248][  C240] x15: ffffffffffffffff x14: 0000000003ffffff
[  214.635241][  C240] x13: 000000000000ffff x12: 000000000000029c
[  214.641234][  C240] x11: 0000000000000006 x10: ffff80003a9f7fd0
[  214.647226][  C240] x9 : ffffdb3a6f0482fc x8 : 0000000000000001
[  214.653219][  C240] x7 : 0000000000000002 x6 : 0000000000000080
[  214.659212][  C240] x5 : ffff55480ee9b000 x4 : fffffde7f94c6554
[  214.665205][  C240] x3 : 0000000000000002 x2 : 0000000000000020
[  214.671198][  C240] x1 : 0000000000000021 x0 : ffff3062a41ae5b8
[  214.677191][  C240] Call trace:
[  214.680320][  C240]  fput_many+0x8c/0xdc
[  214.684230][  C240]  fput+0x1c/0xf0
[  214.687707][  C240]  aio_complete_rw+0xd8/0x1fc
[  214.692225][  C240]  blkdev_bio_end_io+0x98/0x140
[  214.696917][  C240]  bio_endio+0x160/0x1bc
[  214.701001][  C240]  blk_update_request+0x1c8/0x3bc
[  214.705867][  C240]  scsi_end_request+0x3c/0x1f0
[  214.710471][  C240]  scsi_io_completion+0x7c/0x1a0
[  214.715249][  C240]  scsi_finish_command+0x104/0x140
[  214.720200][  C240]  scsi_softirq_done+0x90/0x180
[  214.724892][  C240]  blk_mq_complete_request+0x5c/0x70
[  214.730016][  C240]  scsi_mq_done+0x48/0xac
[  214.734194][  C240]  sas_scsi_task_done+0xbc/0x16c [libsas]
[  214.739758][  C240]  slot_complete_v3_hw+0x260/0x760 [hisi_sas_v3_hw]
[  214.746185][  C240]  cq_thread_v3_hw+0xbc/0x190 [hisi_sas_v3_hw]
[  214.752179][  C240]  irq_thread_fn+0x34/0xa4
[  214.756435][  C240]  irq_thread+0xc4/0x130
[  214.760520][  C240]  kthread+0x108/0x13c
[  214.764430][  C240]  ret_from_fork+0x10/0x18

This is because in the hisi_sas driver, both the hardware interrupt
handler and the interrupt thread are executed on the same CPU. In the
performance test scenario, function irq_wait_for_interrupt() will always
return 0 if lots of interrupts occurs and the CPU will be continuously
consumed. As a result, the CPU cannot run the watchdog thread. When the
watchdog time exceeds the specified time, call trace occurs.

To fix it, add cond_resched() to execute the watchdog thread.

The Linux kernel CVE team has assigned CVE-2024-56589 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.5 with commit 47caad1577cd7a39e2048c5e4edbce4b863dc12b and fixed in 5.10.231 with commit 3dd2c5cb2c698a02a4ed2ea0acb7c9909374a8bf
	Issue introduced in 4.5 with commit 47caad1577cd7a39e2048c5e4edbce4b863dc12b and fixed in 5.15.174 with commit 2174bbc235f79fce88ea71fd08cf836568fcad5f
	Issue introduced in 4.5 with commit 47caad1577cd7a39e2048c5e4edbce4b863dc12b and fixed in 6.1.120 with commit 2991a023896b79e6753813ed88fbc98979713c73
	Issue introduced in 4.5 with commit 47caad1577cd7a39e2048c5e4edbce4b863dc12b and fixed in 6.6.66 with commit 50ddf4b0e1a4cb5e9ca0aac3d0a73202b903c87f
	Issue introduced in 4.5 with commit 47caad1577cd7a39e2048c5e4edbce4b863dc12b and fixed in 6.12.5 with commit 601f8001373fc3fbad498f9be427254908b7fcce
	Issue introduced in 4.5 with commit 47caad1577cd7a39e2048c5e4edbce4b863dc12b and fixed in 6.13 with commit 2233c4a0b948211743659b24c13d6bd059fa75fc

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56589
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/scsi/hisi_sas/hisi_sas_v3_hw.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/3dd2c5cb2c698a02a4ed2ea0acb7c9909374a8bf
	https://git.kernel.org/stable/c/2174bbc235f79fce88ea71fd08cf836568fcad5f
	https://git.kernel.org/stable/c/2991a023896b79e6753813ed88fbc98979713c73
	https://git.kernel.org/stable/c/50ddf4b0e1a4cb5e9ca0aac3d0a73202b903c87f
	https://git.kernel.org/stable/c/601f8001373fc3fbad498f9be427254908b7fcce
	https://git.kernel.org/stable/c/2233c4a0b948211743659b24c13d6bd059fa75fc