mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-06-07 05:28:59 +00:00
37 lines
6.2 KiB
JSON
{
  "id": "CVE-2024-53102",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2024-11-25T22:15:17.553",
  "lastModified": "2024-11-25T22:15:17.553",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: make keep-alive synchronous operation\n\nThe nvme keep-alive operation, which executes at a periodic interval,\ncould potentially sneak in while shutting down a fabric controller.\nThis may lead to a race between the fabric controller admin queue\ndestroy code path (invoked while shutting down controller) and hw/hctx\nqueue dispatcher called from the nvme keep-alive async request queuing\noperation. This race could lead to the kernel crash shown below:\n\nCall Trace:\n autoremove_wake_function+0x0/0xbc (unreliable)\n __blk_mq_sched_dispatch_requests+0x114/0x24c\n blk_mq_sched_dispatch_requests+0x44/0x84\n blk_mq_run_hw_queue+0x140/0x220\n nvme_keep_alive_work+0xc8/0x19c [nvme_core]\n process_one_work+0x200/0x4e0\n worker_thread+0x340/0x504\n kthread+0x138/0x140\n start_kernel_thread+0x14/0x18\n\nWhile shutting down fabric controller, if nvme keep-alive request sneaks\nin then it would be flushed off. The nvme_keep_alive_end_io function is\nthen invoked to handle the end of the keep-alive operation which\ndecrements the admin->q_usage_counter and assuming this is the last/only\nrequest in the admin queue then the admin->q_usage_counter becomes zero.\nIf that happens then blk-mq destroy queue operation (blk_mq_destroy_\nqueue()) which could be potentially running simultaneously on another\ncpu (as this is the controller shutdown code path) would forward\nprogress and deletes the admin queue. So, now from this point onward\nwe are not supposed to access the admin queue resources. 
However the\nissue here's that the nvme keep-alive thread running hw/hctx queue\ndispatch operation hasn't yet finished its work and so it could still\npotentially access the admin queue resource while the admin queue had\nbeen already deleted and that causes the above crash.\n\nThis fix helps avoid the observed crash by implementing keep-alive as a\nsynchronous operation so that we decrement admin->q_usage_counter only\nafter keep-alive command finished its execution and returns the command\nstatus back up to its caller (blk_execute_rq()). This would ensure that\nfabric shutdown code path doesn't destroy the fabric admin queue until\nkeep-alive request finished execution and also keep-alive thread is not\nrunning hw/hctx queue dispatch operation."
    },
    {
      "lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nvme: operaci\u00f3n sincr\u00f3nica de mantenimiento de conexi\u00f3n La operaci\u00f3n de mantenimiento de conexi\u00f3n de nvme, que se ejecuta a intervalos peri\u00f3dicos, podr\u00eda colarse mientras se apaga un controlador de red. Esto puede generar una ejecuci\u00f3n entre la ruta del c\u00f3digo de destrucci\u00f3n de la cola de administraci\u00f3n del controlador de red (invocada mientras se apaga el controlador) y el despachador de cola hw/hctx llamado desde la operaci\u00f3n de puesta en cola de solicitudes asincr\u00f3nicas de mantenimiento de conexi\u00f3n de nvme. Esta ejecuci\u00f3n podr\u00eda provocar el bloqueo del kernel que se muestra a continuaci\u00f3n: Rastreo de llamada: autoremove_wake_function+0x0/0xbc (no confiable) __blk_mq_sched_dispatch_requests+0x114/0x24c blk_mq_sched_dispatch_requests+0x44/0x84 blk_mq_run_hw_queue+0x140/0x220 nvme_keep_alive_work+0xc8/0x19c [nvme_core] process_one_work+0x200/0x4e0 worker_thread+0x340/0x504 kthread+0x138/0x140 start_kernel_thread+0x14/0x18 Al apagar el controlador de estructura, si la solicitud de mantenimiento de conexi\u00f3n de nvme se cuela, se eliminar\u00e1. Luego se invoca la funci\u00f3n nvme_keep_alive_end_io para manejar el final de la operaci\u00f3n keep-alive que disminuye el admin->q_usage_counter y, asumiendo que esta es la \u00faltima/\u00fanica solicitud en la cola de administraci\u00f3n, entonces el admin->q_usage_counter se convierte en cero. Si eso sucede, entonces la operaci\u00f3n de destrucci\u00f3n de cola blk-mq (blk_mq_destroy_queue()) que podr\u00eda estar ejecut\u00e1ndose simult\u00e1neamente en otra CPU (ya que esta es la ruta del c\u00f3digo de apagado del controlador) reenviar\u00eda el progreso y eliminar\u00eda la cola de administraci\u00f3n. Entonces, ahora a partir de este punto en adelante no se supone que accedamos a los recursos de la cola de administraci\u00f3n. 
Sin embargo, el problema aqu\u00ed es que el hilo de keep-alive de nvme que ejecuta la operaci\u00f3n de despacho de cola hw/hctx a\u00fan no ha terminado su trabajo y, por lo tanto, a\u00fan podr\u00eda acceder potencialmente al recurso de la cola de administraci\u00f3n mientras que la cola de administraci\u00f3n ya se hab\u00eda eliminado y eso causa el bloqueo anterior. Esta correcci\u00f3n ayuda a evitar el bloqueo observado al implementar keep-alive como una operaci\u00f3n sincr\u00f3nica de modo que disminuyamos admin->q_usage_counter solo despu\u00e9s de que el comando keep-alive finalice su ejecuci\u00f3n y devuelva el estado del comando a su llamador (blk_execute_rq()). Esto garantizar\u00eda que la ruta del c\u00f3digo de apagado de la estructura no destruya la cola de administraci\u00f3n de la estructura hasta que la solicitud keep-alive finalice la ejecuci\u00f3n y tambi\u00e9n que el subproceso keep-alive no est\u00e9 ejecutando la operaci\u00f3n de despacho de cola hw/hctx."
    }
  ],
  "metrics": {},
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/1a1bcca5c9efd2c72c8d2fcbadf2d673cceb2ea7",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/afa229465399f89d3af9d72ced865144c9748846",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/ccc1d82dfaad0ad27d21139da22e57add73d2a5e",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/d06923670b5a5f609603d4a9fee4dec02d38de9c",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ]
}