CVE-2024-26671
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix IO hang from sbitmap wakeup race In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered with the following blk_mq_get_driver_tag() in case of getting driver tag failure. Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observe the added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime blk_mq_mark_tag_wait() can't get driver tag successfully. This issue can be reproduced by running the following test in loop, and fio hang can be observed in < 30min when running it on my test VM in laptop. modprobe -r scsi_debug modprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4 dev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename` fio --filename=/dev/"$dev" --direct=1 --rw=randrw --bs=4k --iodepth=1 \ --runtime=100 --numjobs=40 --time_based --name=test \ --ioengine=libaio Fix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which is just fine in case of running out of tag.
CVSS Metrics
- v3.1•MEDIUM•Score: 4.7CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 0.01%• Percentile: 1%
Techniques & Countermeasures
- CWE-362•Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Affected Systems
- debian•debian_linux
10.0
- linux•linux
≥ da55f2cc78418dee88400aafbbaed19d7ac8188e, < 9525b38180e2753f0daa1a522b7767a2aa969676 | ≥ da55f2cc78418dee88400aafbbaed19d7ac8188e, < ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10 | ≥ da55f2cc78418dee88400aafbbaed19d7ac8188e, < 7610ba1319253225a9ba8a9d28d472fc883b4e2f | ≥ da55f2cc78418dee88400aafbbaed19d7ac8188e, < 89e0e66682e1538aeeaa3109503473663cd24c8b | ≥ da55f2cc78418dee88400aafbbaed19d7ac8188e, < 1d9c777d3e70bdc57dddf7a14a80059d65919e56 | ≥ da55f2cc78418dee88400aafbbaed19d7ac8188e, < 6d8b01624a2540336a32be91f25187a433af53a0 | ≥ da55f2cc78418dee88400aafbbaed19d7ac8188e, < f1bc0d8163f8ee84a8d5affdf624cfad657df1d2 | ≥ da55f2cc78418dee88400aafbbaed19d7ac8188e, < 5266caaf5660529e3da53004b8b7174cab6374ed | 4.11
- linux•linux_kernel
< 4.19.307 | ≥ 4.20, < 5.4.269 | ≥ 5.5, < 5.10.210 | ≥ 5.11, < 5.15.149 | ≥ 5.16, < 6.1.77 | ≥ 6.2, < 6.7.4
References (10)
- https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676
- https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10
- https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f
- https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b
- https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56
- https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0
- https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2
- https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html