CVE: CVE-2024-41053

Descrizione: In the Linux kernel, a vulnerability has been resolved concerning `ufscd_abort_one` racing with the completion ISR. When `ufshcd_abort_one` is racing with the completion ISR, the completed tag of the request’s `mq_hctx` pointer will be set to NULL by the ISR. The ISR returns success when the request is completed by the ISR. The racing flow is: Thread A: ufshcd_err_handler: step 1 ufshcd_abort_one: step 3 ufshcd_try_to_abort_task: step 5 ufshcd_cmd_inflight(true) step 3 ufshcd_mcq_req_to_hwq: step 5 Thread B: ufs_mtk_mcq_intr(cq complete ISR) step 2 scsi_done … __blk_mq_free_request: step 4 Below is a trace of the kernel backtrace. ufshcd_try_to_abort_task: cmd at tag 41 not pending in the device. ufshcd_try_to_abort_task: cmd at tag=41 is cleared. Aborting tag 41 / CDB 0x28 succeeded. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194. pc : [0xffffffddd7a79bf8] blk_mq_unique_tag+0x8/0x14 lr : [0xffffffddd6155b84] ufshcd_mcq_req_to_hwq+0x1c/0x40 [ufs_mediatek_mod_ise] do_mem_abort+0x58/0x118 el1_abort+0x3c/0x5c el1h_64_sync_handler+0x54/0x90 el1h_64_sync+0x68/0x6c blk_mq_unique_tag+0x8/0x14 ufshcd_err_handler+0xae4/0xfa8 [ufs_mediatek_mod_ise] process_one_work+0x208/0x4fc worker_thread+0x228/0x438 kthread+0x104/0x1d4 ret_from_fork+0x10/0x20

Vettore di attacco

Riferimenti esterni

• https://git.kernel.org/stable/c/c3111b3cf3889bfa7b73ebff83d7397db9b7e5e0
• https://git.kernel.org/stable/c/b5a6ac887256762758bfe7f2918cb0233aa544f4
• https://git.kernel.org/stable/c/74736103fb4123c71bf11fb7a6abe7c884c5269e

Prodotti interessati

• Linux – Linux
• Linux – Linux

Relazioni con altri prodotti

Produttore:Linux
Prodotto: Linux
Anno: 2024
CWE:
CVSS: 0.0