CVE-2024-41053
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix ufshcd_abort_one racing issue
When ufshcd_abort_one is racing with the completion ISR, the completed tag of the request's mq_hctx pointer will be set to NULL by ISR. Return success when request is completed by ISR because ufshcd_abort_one does not need to do anything.
The racing flow is:
Thread A ufshcd_err_handler step 1 … ufshcd_abort_one ufshcd_try_to_abort_task ufshcd_cmd_inflight(true) step 3 ufshcd_mcq_req_to_hwq blk_mq_unique_tag rq->mq_hctx->queue_num step 5
Thread B ufs_mtk_mcq_intr(cq complete ISR) step 2 scsi_done … __blk_mq_free_request rq->mq_hctx = NULL; step 4
Below is KE back trace. ufshcd_try_to_abort_task: cmd at tag 41 not pending in the device. ufshcd_try_to_abort_task: cmd at tag=41 is cleared. Aborting tag 41 / CDB 0x28 succeeded Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194 pc : [0xffffffddd7a79bf8] blk_mq_unique_tag+0x8/0x14 lr : [0xffffffddd6155b84] ufshcd_mcq_req_to_hwq+0x1c/0x40 [ufs_mediatek_mod_ise] do_mem_abort+0x58/0x118 el1_abort+0x3c/0x5c el1h_64_sync_handler+0x54/0x90 el1h_64_sync+0x68/0x6c blk_mq_unique_tag+0x8/0x14 ufshcd_err_handler+0xae4/0xfa8 [ufs_mediatek_mod_ise] process_one_work+0x208/0x4fc worker_thread+0x228/0x438 kthread+0x104/0x1d4 ret_from_fork+0x10/0x20
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | ff7699d3620763b0dfe2ff93df4528880bf903a8 < c3111b3cf3889bfa7b73ebff83d7397db9b7e5e0 | affected |
| Linux | Linux | 93e6c0e19d5bb12b49534a411c85e21d333731fa < b5a6ac887256762758bfe7f2918cb0233aa544f4 | affected |
| Linux | Linux | 93e6c0e19d5bb12b49534a411c85e21d333731fa < 74736103fb4123c71bf11fb7a6abe7c884c5269e | affected |
| Linux | Linux | 6.6.5 < 6.6.41 | affected |
| Linux | Linux | 6.7 | affected |
| Linux | Linux | 0 < 6.7 | unaffected |
| Linux | Linux | 6.6.41 <= 6.6.* | unaffected |
| Linux | Linux | 6.9.10 <= 6.9.* | unaffected |
| Linux | Linux | 6.10 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/c3111b3cf3889bfa7b73ebff83d7397db9b7e5e0
- https://git.kernel.org/stable/c/b5a6ac887256762758bfe7f2918cb0233aa544f4
- https://git.kernel.org/stable/c/74736103fb4123c71bf11fb7a6abe7c884c5269e
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/c3111b3cf3889bfa7b73ebff83d7397db9b7e5e0
- https://git.kernel.org/stable/c/b5a6ac887256762758bfe7f2918cb0233aa544f4
- https://git.kernel.org/stable/c/74736103fb4123c71bf11fb7a6abe7c884c5269e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.