FKIE_CVE-2024-27435

Vulnerability from fkie_nvd - Published: 2024-05-17 13:15 - Updated: 2026-06-17 07:19
Severity
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: nvme: fix reconnection fail due to reserved tag allocation We found a issue on production environment while using NVMe over RDMA, admin_q reconnect failed forever while remote target and network is ok. After dig into it, we found it may caused by a ABBA deadlock due to tag allocation. In my case, the tag was hold by a keep alive request waiting inside admin_q, as we quiesced admin_q while reset ctrl, so the request maked as idle and will not process before reset success. As fabric_q shares tagset with admin_q, while reconnect remote target, we need a tag for connect command, but the only one reserved tag was held by keep alive command which waiting inside admin_q. As a result, we failed to reconnect admin_q forever. In order to fix this issue, I think we should keep two reserved tags for admin queue.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/149afee5c7418ec5db9d7387b9c9a5c1eb7ea2a8Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/262da920896e2f2ab0e3947d9dbee0aa09045818Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6851778504cdb49431809b4ba061903d5f592c96Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/de105068fead55ed5c07ade75e9c8e7f86a00d1dPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ff2f90f88d78559802466ad1c84ac5bda4416b3aPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/149afee5c7418ec5db9d7387b9c9a5c1eb7ea2a8Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/262da920896e2f2ab0e3947d9dbee0aa09045818Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/6851778504cdb49431809b4ba061903d5f592c96Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/de105068fead55ed5c07ade75e9c8e7f86a00d1dPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/ff2f90f88d78559802466ad1c84ac5bda4416b3aPatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 5.12
linux linux_kernel 5.12
linux linux_kernel 5.12
linux linux_kernel 5.12
linux linux_kernel 5.12
linux linux_kernel 5.12
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/core.c",
            "drivers/nvme/host/fabrics.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "149afee5c7418ec5db9d7387b9c9a5c1eb7ea2a8",
              "status": "affected",
              "version": "ed01fee283a067c72b2d6500046080dbc1bb9dae",
              "versionType": "git"
            },
            {
              "lessThan": "ff2f90f88d78559802466ad1c84ac5bda4416b3a",
              "status": "affected",
              "version": "ed01fee283a067c72b2d6500046080dbc1bb9dae",
              "versionType": "git"
            },
            {
              "lessThan": "6851778504cdb49431809b4ba061903d5f592c96",
              "status": "affected",
              "version": "ed01fee283a067c72b2d6500046080dbc1bb9dae",
              "versionType": "git"
            },
            {
              "lessThan": "262da920896e2f2ab0e3947d9dbee0aa09045818",
              "status": "affected",
              "version": "ed01fee283a067c72b2d6500046080dbc1bb9dae",
              "versionType": "git"
            },
            {
              "lessThan": "de105068fead55ed5c07ade75e9c8e7f86a00d1d",
              "status": "affected",
              "version": "ed01fee283a067c72b2d6500046080dbc1bb9dae",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/core.c",
            "drivers/nvme/host/fabrics.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7E304C5-2D31-4589-AB6D-9C94E19AFE59",
              "versionEndExcluding": "6.1.83",
              "versionStartIncluding": "5.12.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E00814DC-0BA7-431A-9926-80FEB4A96C68",
              "versionEndExcluding": "6.6.23",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD",
              "versionEndExcluding": "6.7.11",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "543A75FF-25B8-4046-A514-1EA8EDD87AB1",
              "versionEndExcluding": "6.8.2",
              "versionStartIncluding": "6.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.12:-:*:*:*:*:*:*",
              "matchCriteriaId": "75EB504D-4A83-4C67-9C8D-FD9C6C8EB4CD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.12:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "D7788E5B-D54E-45BF-9043-2C7B77842FD0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.12:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "A935F9F1-DA8B-49F4-BF2B-FA01A92F113E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.12:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "DF0AF673-12B7-4274-9090-411D4939CB62",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.12:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "06AE06A6-A0C3-4556-BFFA-3D6E4BAC43C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.12:rc8:*:*:*:*:*:*",
              "matchCriteriaId": "FCE63934-38CF-4311-AD72-624E86AF3889",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix reconnection fail due to reserved tag allocation\n\nWe found a issue on production environment while using NVMe over RDMA,\nadmin_q reconnect failed forever while remote target and network is ok.\nAfter dig into it, we found it may caused by a ABBA deadlock due to tag\nallocation. In my case, the tag was hold by a keep alive request\nwaiting inside admin_q, as we quiesced admin_q while reset ctrl, so the\nrequest maked as idle and will not process before reset success. As\nfabric_q shares tagset with admin_q, while reconnect remote target, we\nneed a tag for connect command, but the only one reserved tag was held\nby keep alive command which waiting inside admin_q. As a result, we\nfailed to reconnect admin_q forever. In order to fix this issue, I\nthink we should keep two reserved tags for admin queue."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: nvme: se corrigi\u00f3 el error de reconexi\u00f3n debido a la asignaci\u00f3n de etiquetas reservadas. Encontramos un problema en el entorno de producci\u00f3n al usar NVMe sobre RDMA, la reconexi\u00f3n de admin_q fall\u00f3 para siempre mientras el objetivo remoto y la red est\u00e1n bien. Despu\u00e9s de investigarlo, descubrimos que puede deberse a un punto muerto de ABBA debido a la asignaci\u00f3n de etiquetas. En mi caso, la etiqueta estaba retenida por una solicitud de mantenimiento en espera dentro de admin_q, ya que desactivamos admin_q mientras reiniciamos Ctrl, por lo que la solicitud se realiz\u00f3 como inactiva y no se procesar\u00e1 antes de que el reinicio se realice correctamente. Como fabric_q comparte el conjunto de etiquetas con admin_q, mientras reconectamos el objetivo remoto, necesitamos una etiqueta para el comando de conexi\u00f3n, pero la \u00fanica etiqueta reservada estaba mantenida por el comando Keep Alive que esperaba dentro de admin_q. Como resultado, no pudimos volver a conectar admin_q para siempre. Para solucionar este problema, creo que deber\u00edamos mantener dos etiquetas reservadas para la cola de administraci\u00f3n."
    }
  ],
  "id": "CVE-2024-27435",
  "lastModified": "2026-06-17T07:19:53.453",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2024-27435",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2024-05-31T18:39:12.435774Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2024-05-17T13:15:58.073",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/149afee5c7418ec5db9d7387b9c9a5c1eb7ea2a8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/262da920896e2f2ab0e3947d9dbee0aa09045818"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/6851778504cdb49431809b4ba061903d5f592c96"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/de105068fead55ed5c07ade75e9c8e7f86a00d1d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ff2f90f88d78559802466ad1c84ac5bda4416b3a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/149afee5c7418ec5db9d7387b9c9a5c1eb7ea2a8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/262da920896e2f2ab0e3947d9dbee0aa09045818"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/6851778504cdb49431809b4ba061903d5f592c96"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/de105068fead55ed5c07ade75e9c8e7f86a00d1d"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ff2f90f88d78559802466ad1c84ac5bda4416b3a"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-667"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.