In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix ufshcd_clear_cmd racing issue
When ufshcd_clear_cmd is racing with the completion ISR, the completed tag
of the request's mq_hctx pointer will be set to NULL by the ISR. And
ufshcd_clear_cmd's call to ufshcd_mcq_req_to_hwq will get NULL pointer KE.
Return success when the request is completed by ISR because sq does not
need cleanup.
The racing flow is:
Thread A
ufshcd_err_handler step 1
ufshcd_try_to_abort_task
ufshcd_cmd_inflight(true) step 3
ufshcd_clear_cmd
...
ufshcd_mcq_req_to_hwq
blk_mq_unique_tag
rq->mq_hctx->queue_num step 5
Thread B
ufs_mtk_mcq_intr(cq complete ISR) step 2
scsi_done
...
__blk_mq_free_request
rq->mq_hctx = NULL; step 4
Below is KE back trace:
ufshcd_try_to_abort_task: cmd pending in the device. tag = 6
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194
pc : [0xffffffd589679bf8] blk_mq_unique_tag+0x8/0x14
lr : [0xffffffd5862f95b4] ufshcd_mcq_sq_cleanup+0x6c/0x1cc [ufs_mediatek_mod_ise]
Workqueue: ufs_eh_wq_0 ufshcd_err_handler [ufs_mediatek_mod_ise]
Call trace:
dump_backtrace+0xf8/0x148
show_stack+0x18/0x24
dump_stack_lvl+0x60/0x7c
dump_stack+0x18/0x3c
mrdump_common_die+0x24c/0x398 [mrdump]
ipanic_die+0x20/0x34 [mrdump]
notify_die+0x80/0xd8
die+0x94/0x2b8
__do_kernel_fault+0x264/0x298
do_page_fault+0xa4/0x4b8
do_translation_fault+0x38/0x54
do_mem_abort+0x58/0x118
el1_abort+0x3c/0x5c
el1h_64_sync_handler+0x54/0x90
el1h_64_sync+0x68/0x6c
blk_mq_unique_tag+0x8/0x14
ufshcd_clear_cmd+0x34/0x118 [ufs_mediatek_mod_ise]
ufshcd_try_to_abort_task+0x2c8/0x5b4 [ufs_mediatek_mod_ise]
ufshcd_err_handler+0xa7c/0xfa8 [ufs_mediatek_mod_ise]
process_one_work+0x208/0x4fc
worker_thread+0x228/0x438
kthread+0x104/0x1d4
ret_from_fork+0x10/0x20
References
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 09:32
Type | Values Removed | Values Added |
---|---|---|
References | () https://git.kernel.org/stable/c/11d81233f4ebe6907b12c79ad7d8787aa4db0633 - Patch | |
References | () https://git.kernel.org/stable/c/9307a998cb9846a2557fdca286997430bee36a2a - Patch | |
References | () https://git.kernel.org/stable/c/bed0896008334eeee4b4bfd7150491ca098cbf72 - Patch |
22 Aug 2024, 14:11
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
|
References | () https://git.kernel.org/stable/c/11d81233f4ebe6907b12c79ad7d8787aa4db0633 - Patch | |
References | () https://git.kernel.org/stable/c/9307a998cb9846a2557fdca286997430bee36a2a - Patch | |
References | () https://git.kernel.org/stable/c/bed0896008334eeee4b4bfd7150491ca098cbf72 - Patch | |
CWE | CWE-476 | |
First Time |
Linux
Linux linux Kernel |
|
CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.5 |
29 Jul 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-29 15:15
Updated : 2024-11-21 09:32
NVD link : CVE-2024-41054
Mitre link : CVE-2024-41054
CVE.ORG link : CVE-2024-41054
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-476
NULL Pointer Dereference