GHSA-xj77-m3jq-h2r8
Vulnerability from GitHub
In the Linux kernel, the following vulnerability has been resolved:
qed: allow sleep in qed_mcp_trace_dump()
By default, qed_mcp_cmd_and_union() delays 10us at a time in a loop that can run 500K times, so calls to qed_mcp_nvm_rd_cmd() may block the current thread for over 5s. We observed thread scheduling delays over 700ms in production, with stacktraces pointing to this code as the culprit.
qed_mcp_trace_dump() is called from ethtool, so sleeping is permitted. It already can sleep in qed_mcp_halt(), which calls qed_mcp_cmd(). Add a "can sleep" parameter to qed_find_nvram_image() and qed_nvram_read() so they can sleep during qed_mcp_trace_dump(). qed_mcp_trace_get_meta_info() and qed_mcp_trace_read_meta(), called only by qed_mcp_trace_dump(), allow these functions to sleep. I can't tell if the other caller (qed_grc_dump_mcp_hw_dump()) can sleep, so keep b_can_sleep set to false when it calls these functions.
An example stacktrace from a custom warning we added to the kernel showing a thread that has not scheduled despite long needing resched:
[ 2745.362925,17] ------------[ cut here ]------------
[ 2745.362941,17] WARNING: CPU: 23 PID: 5640 at arch/x86/kernel/irq.c:233 do_IRQ+0x15e/0x1a0()
[ 2745.362946,17] Thread not rescheduled for 744 ms after irq 99
[ 2745.362956,17] Modules linked in: ...
[ 2745.363339,17] CPU: 23 PID: 5640 Comm: lldpd Tainted: P O 4.4.182+ #202104120910+6d1da174272d.61x
[ 2745.363343,17] Hardware name: FOXCONN MercuryB/Quicksilver Controller, BIOS H11P1N09 07/08/2020
[ 2745.363346,17] 0000000000000000 ffff885ec07c3ed8 ffffffff8131eb2f ffff885ec07c3f20
[ 2745.363358,17] ffffffff81d14f64 ffff885ec07c3f10 ffffffff81072ac2 ffff88be98ed0000
[ 2745.363369,17] 0000000000000063 0000000000000174 0000000000000074 0000000000000000
[ 2745.363379,17] Call Trace:
[ 2745.363382,17] <IRQ> [<ffffffff8131eb2f>] dump_stack+0x8e/0xcf
[ 2745.363393,17] [<ffffffff81072ac2>] warn_slowpath_common+0x82/0xc0
[ 2745.363398,17] [<ffffffff81072b4c>] warn_slowpath_fmt+0x4c/0x50
[ 2745.363404,17] [<ffffffff810d5a8e>] ? rcu_irq_exit+0xae/0xc0
[ 2745.363408,17] [<ffffffff817c99fe>] do_IRQ+0x15e/0x1a0
[ 2745.363413,17] [<ffffffff817c7ac9>] common_interrupt+0x89/0x89
[ 2745.363416,17] <EOI> [<ffffffff8132aa74>] ? delay_tsc+0x24/0x50
[ 2745.363425,17] [<ffffffff8132aa04>] __udelay+0x34/0x40
[ 2745.363457,17] [<ffffffffa04d45ff>] qed_mcp_cmd_and_union+0x36f/0x7d0 [qed]
[ 2745.363473,17] [<ffffffffa04d5ced>] qed_mcp_nvm_rd_cmd+0x4d/0x90 [qed]
[ 2745.363490,17] [<ffffffffa04e1dc7>] qed_mcp_trace_dump+0x4a7/0x630 [qed]
[ 2745.363504,17] [<ffffffffa04e2556>] ? qed_fw_asserts_dump+0x1d6/0x1f0 [qed]
[ 2745.363520,17] [<ffffffffa04e4ea7>] qed_dbg_mcp_trace_get_dump_buf_size+0x37/0x80 [qed]
[ 2745.363536,17] [<ffffffffa04ea881>] qed_dbg_feature_size+0x61/0xa0 [qed]
[ 2745.363551,17] [<ffffffffa04eb427>] qed_dbg_all_data_size+0x247/0x260 [qed]
[ 2745.363560,17] [<ffffffffa0482c10>] qede_get_regs_len+0x30/0x40 [qede]
[ 2745.363566,17] [<ffffffff816c9783>] ethtool_get_drvinfo+0xe3/0x190
[ 2745.363570,17] [<ffffffff816cc152>] dev_ethtool+0x1362/0x2140
[ 2745.363575,17] [<ffffffff8109bcc6>] ? finish_task_switch+0x76/0x260
[ 2745.363580,17] [<ffffffff817c2116>] ? __schedule+0x3c6/0x9d0
[ 2745.363585,17] [<ffffffff810dbd50>] ? hrtimer_start_range_ns+0x1d0/0x370
[ 2745.363589,17] [<ffffffff816c1e5b>] ? dev_get_by_name_rcu+0x6b/0x90
[ 2745.363594,17] [<ffffffff816de6a8>] dev_ioctl+0xe8/0x710
[ 2745.363599,17] [<ffffffff816a58a8>] sock_do_ioctl+0x48/0x60
[ 2745.363603,17] [<ffffffff816a5d87>] sock_ioctl+0x1c7/0x280
[ 2745.363608,17] [<ffffffff8111f393>] ? seccomp_phase1+0x83/0x220
[ 2745.363612,17] [<ffffffff811e3503>] do_vfs_ioctl+0x2b3/0x4e0
[ 2745.363616,17] [<ffffffff811e3771>] SyS_ioctl+0x41/0x70
[ 2745.363619,17] [<ffffffff817c6ffe>] entry_SYSCALL_64_fastpath+0x1e/0x79
[ 2745.363622,17] ---[ end trace f6954aa440266421 ]---
{
"affected": [],
"aliases": [
"CVE-2023-53509"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T12:15:54Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nqed: allow sleep in qed_mcp_trace_dump()\n\nBy default, qed_mcp_cmd_and_union() delays 10us at a time in a loop\nthat can run 500K times, so calls to qed_mcp_nvm_rd_cmd()\nmay block the current thread for over 5s.\nWe observed thread scheduling delays over 700ms in production,\nwith stacktraces pointing to this code as the culprit.\n\nqed_mcp_trace_dump() is called from ethtool, so sleeping is permitted.\nIt already can sleep in qed_mcp_halt(), which calls qed_mcp_cmd().\nAdd a \"can sleep\" parameter to qed_find_nvram_image() and\nqed_nvram_read() so they can sleep during qed_mcp_trace_dump().\nqed_mcp_trace_get_meta_info() and qed_mcp_trace_read_meta(),\ncalled only by qed_mcp_trace_dump(), allow these functions to sleep.\nI can\u0027t tell if the other caller (qed_grc_dump_mcp_hw_dump()) can sleep,\nso keep b_can_sleep set to false when it calls these functions.\n\nAn example stacktrace from a custom warning we added to the kernel\nshowing a thread that has not scheduled despite long needing resched:\n[ 2745.362925,17] ------------[ cut here ]------------\n[ 2745.362941,17] WARNING: CPU: 23 PID: 5640 at arch/x86/kernel/irq.c:233 do_IRQ+0x15e/0x1a0()\n[ 2745.362946,17] Thread not rescheduled for 744 ms after irq 99\n[ 2745.362956,17] Modules linked in: ...\n[ 2745.363339,17] CPU: 23 PID: 5640 Comm: lldpd Tainted: P O 4.4.182+ #202104120910+6d1da174272d.61x\n[ 2745.363343,17] Hardware name: FOXCONN MercuryB/Quicksilver Controller, BIOS H11P1N09 07/08/2020\n[ 2745.363346,17] 0000000000000000 ffff885ec07c3ed8 ffffffff8131eb2f ffff885ec07c3f20\n[ 2745.363358,17] ffffffff81d14f64 ffff885ec07c3f10 ffffffff81072ac2 ffff88be98ed0000\n[ 2745.363369,17] 0000000000000063 0000000000000174 0000000000000074 0000000000000000\n[ 2745.363379,17] Call Trace:\n[ 2745.363382,17] \u003cIRQ\u003e [\u003cffffffff8131eb2f\u003e] dump_stack+0x8e/0xcf\n[ 2745.363393,17] [\u003cffffffff81072ac2\u003e] 
warn_slowpath_common+0x82/0xc0\n[ 2745.363398,17] [\u003cffffffff81072b4c\u003e] warn_slowpath_fmt+0x4c/0x50\n[ 2745.363404,17] [\u003cffffffff810d5a8e\u003e] ? rcu_irq_exit+0xae/0xc0\n[ 2745.363408,17] [\u003cffffffff817c99fe\u003e] do_IRQ+0x15e/0x1a0\n[ 2745.363413,17] [\u003cffffffff817c7ac9\u003e] common_interrupt+0x89/0x89\n[ 2745.363416,17] \u003cEOI\u003e [\u003cffffffff8132aa74\u003e] ? delay_tsc+0x24/0x50\n[ 2745.363425,17] [\u003cffffffff8132aa04\u003e] __udelay+0x34/0x40\n[ 2745.363457,17] [\u003cffffffffa04d45ff\u003e] qed_mcp_cmd_and_union+0x36f/0x7d0 [qed]\n[ 2745.363473,17] [\u003cffffffffa04d5ced\u003e] qed_mcp_nvm_rd_cmd+0x4d/0x90 [qed]\n[ 2745.363490,17] [\u003cffffffffa04e1dc7\u003e] qed_mcp_trace_dump+0x4a7/0x630 [qed]\n[ 2745.363504,17] [\u003cffffffffa04e2556\u003e] ? qed_fw_asserts_dump+0x1d6/0x1f0 [qed]\n[ 2745.363520,17] [\u003cffffffffa04e4ea7\u003e] qed_dbg_mcp_trace_get_dump_buf_size+0x37/0x80 [qed]\n[ 2745.363536,17] [\u003cffffffffa04ea881\u003e] qed_dbg_feature_size+0x61/0xa0 [qed]\n[ 2745.363551,17] [\u003cffffffffa04eb427\u003e] qed_dbg_all_data_size+0x247/0x260 [qed]\n[ 2745.363560,17] [\u003cffffffffa0482c10\u003e] qede_get_regs_len+0x30/0x40 [qede]\n[ 2745.363566,17] [\u003cffffffff816c9783\u003e] ethtool_get_drvinfo+0xe3/0x190\n[ 2745.363570,17] [\u003cffffffff816cc152\u003e] dev_ethtool+0x1362/0x2140\n[ 2745.363575,17] [\u003cffffffff8109bcc6\u003e] ? finish_task_switch+0x76/0x260\n[ 2745.363580,17] [\u003cffffffff817c2116\u003e] ? __schedule+0x3c6/0x9d0\n[ 2745.363585,17] [\u003cffffffff810dbd50\u003e] ? hrtimer_start_range_ns+0x1d0/0x370\n[ 2745.363589,17] [\u003cffffffff816c1e5b\u003e] ? dev_get_by_name_rcu+0x6b/0x90\n[ 2745.363594,17] [\u003cffffffff816de6a8\u003e] dev_ioctl+0xe8/0x710\n[ 2745.363599,17] [\u003cffffffff816a58a8\u003e] sock_do_ioctl+0x48/0x60\n[ 2745.363603,17] [\u003cffffffff816a5d87\u003e] sock_ioctl+0x1c7/0x280\n[ 2745.363608,17] [\u003cffffffff8111f393\u003e] ? 
seccomp_phase1+0x83/0x220\n[ 2745.363612,17] [\u003cffffffff811e3503\u003e] do_vfs_ioctl+0x2b3/0x4e0\n[ 2745.363616,17] [\u003cffffffff811e3771\u003e] SyS_ioctl+0x41/0x70\n[ 2745.363619,17] [\u003cffffffff817c6ffe\u003e] entry_SYSCALL_64_fastpath+0x1e/0x79\n[ 2745.363622,17] ---[ end trace f6954aa440266421 ]---",
"id": "GHSA-xj77-m3jq-h2r8",
"modified": "2025-10-01T12:30:30Z",
"published": "2025-10-01T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53509"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/50c81b35df01db12b348c5cbf4b1917dc9a7db54"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5401c3e0992860b11fb4b25796e4c4f1921740df"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e0387f4f39a8d92302273ac356d1f6b2a38160d8"
}
],
"schema_version": "1.4.0",
"severity": []
}