ghsa-qjvp-25fj-gf6v
Vulnerability from github
Published
2024-04-02 09:30
Modified
2024-06-27 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

blk-mq: fix IO hang from sbitmap wakeup race

In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered with the following blk_mq_get_driver_tag() in case of getting driver tag failure.

Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observe the added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime blk_mq_mark_tag_wait() can't get driver tag successfully.

This issue can be reproduced by running the following test in loop, and fio hang can be observed in < 30min when running it on my test VM in laptop.

modprobe -r scsi_debug
modprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4
dev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`
fio --filename=/dev/"$dev" --direct=1 --rw=randrw --bs=4k --iodepth=1 \
        --runtime=100 --numjobs=40 --time_based --name=test \
        --ioengine=libaio

Fix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which is just fine in case of running out of tag.

Show details on source website

To clipboard 

{
   affected: [],
   aliases: [
      "CVE-2024-26671",
   ],
   database_specific: {
      cwe_ids: [],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2024-04-02T07:15:43Z",
      severity: null,
   },
   details: "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix IO hang from sbitmap wakeup race\n\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\n\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\n\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\n\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n       \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n        \t--ioengine=libaio\n\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag.",
   id: "GHSA-qjvp-25fj-gf6v",
   modified: "2024-06-27T15:30:38Z",
   published: "2024-04-02T09:30:41Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2024-26671",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2",
      },
      {
         type: "WEB",
         url: "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html",
      },
      {
         type: "WEB",
         url: "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html",
      },
   ],
   schema_version: "1.4.0",
   severity: [],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.