Bug 2323910 (CVE-2024-50135) - CVE-2024-50135 kernel: nvme-pci: fix race condition between reset and nvme_dev_disable()
Summary: CVE-2024-50135 kernel: nvme-pci: fix race condition between reset and nvme_de...
Keywords:
Status: NEW
Alias: CVE-2024-50135
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2324050
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-11-05 18:01 UTC by OSIDB Bzimport
Modified: 2024-11-05 22:21 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2024-11-05 18:01:39 UTC 
In the Linux kernel, the following vulnerability has been resolved:

nvme-pci: fix race condition between reset and nvme_dev_disable()

nvme_dev_disable() modifies the dev->online_queues field, therefore
nvme_pci_update_nr_queues() should avoid racing against it, otherwise
we could end up passing invalid values to blk_mq_update_nr_hw_queues().

 WARNING: CPU: 39 PID: 61303 at drivers/pci/msi/api.c:347
          pci_irq_get_affinity+0x187/0x210
 Workqueue: nvme-reset-wq nvme_reset_work [nvme]
 RIP: 0010:pci_irq_get_affinity+0x187/0x210
 Call Trace:
  <TASK>
  ? blk_mq_pci_map_queues+0x87/0x3c0
  ? pci_irq_get_affinity+0x187/0x210
  blk_mq_pci_map_queues+0x87/0x3c0
  nvme_pci_map_queues+0x189/0x460 [nvme]
  blk_mq_update_nr_hw_queues+0x2a/0x40
  nvme_reset_work+0x1be/0x2a0 [nvme]

Fix the bug by locking the shutdown_lock mutex before using
dev->online_queues. Give up if nvme_dev_disable() is running or if
it has been executed already.
Comment 1 Robb Gatica 2024-11-05 21:32:18 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024110559-CVE-2024-50135-d177@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.