CVE-2021-47178

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: core: Avoid smpprocessorid() in preemptible code

The BUG message "BUG: using smpprocessorid() in preemptible [00000000] code" was observed for TCMU devices with kernel config DEBUG_PREEMPT.

The message was observed when blktests block/005 was run on TCMU devices with fileio backend or user:zbc backend [1]. The commit 1130b499b4a7 ("scsi: target: tcmloop: Use LIO wq cmd submission helper") triggered the symptom. The commit modified work queue to handle commands and changed 'current->nrcpuallowed' at smpprocessor_id() call.

The message was also observed at system shutdown when TCMU devices were not cleaned up [2]. The function smpprocessorid() was called in SCSI host work queue for abort handling, and triggered the BUG message. This symptom was observed regardless of the commit 1130b499b4a7 ("scsi: target: tcm_loop: Use LIO wq cmd submission helper").

To avoid the preemptible code check at smpprocessorid(), get CPU ID with rawsmpprocessor_id() instead. The CPU ID is used for performance improvement then thread move to other CPU will not affect the code.

[1]

[ 56.468103] run blktests block/005 at 2021-05-12 14:16:38 [ 57.369473] checkpreemptiondisabled: 85 callbacks suppressed [ 57.369480] BUG: using smpprocessorid() in preemptible [00000000] code: fio/1511 [ 57.369506] BUG: using smpprocessorid() in preemptible [00000000] code: fio/1510 [ 57.369512] BUG: using smpprocessorid() in preemptible [00000000] code: fio/1506 [ 57.369552] caller is _targetinitcmd+0x157/0x170 [targetcoremod] [ 57.369606] CPU: 4 PID: 1506 Comm: fio Not tainted 5.13.0-rc1+ #34 [ 57.369613] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018 [ 57.369617] Call Trace: [ 57.369621] BUG: using smpprocessorid() in preemptible [00000000] code: fio/1507 [ 57.369628] dumpstack+0x6d/0x89 [ 57.369642] checkpreemptiondisabled+0xc8/0xd0 [ 57.369628] caller is _targetinitcmd+0x157/0x170 [targetcoremod] [ 57.369655] _targetinitcmd+0x157/0x170 [targetcoremod] [ 57.369695] targetinitcmd+0x76/0x90 [targetcoremod] [ 57.369732] tcmloopqueuecommand+0x109/0x210 [tcmloop] [ 57.369744] scsiqueuerq+0x38e/0xc40 [ 57.369761] _blkmqtryissuedirectly+0x109/0x1c0 [ 57.369779] blkmqtryissuedirectly+0x43/0x90 [ 57.369790] blkmqsubmitbio+0x4e5/0x5d0 [ 57.369812] submitbionoacct+0x46e/0x4e0 [ 57.369830] _blkdevdirectIOsimple+0x1a3/0x2d0 [ 57.369859] ? setinitblocksize.isra.0+0x60/0x60 [ 57.369880] genericfilereaditer+0x89/0x160 [ 57.369898] blkdevreaditer+0x44/0x60 [ 57.369906] newsyncread+0x102/0x170 [ 57.369929] vfsread+0xd4/0x160 [ 57.369941] _x64syspread64+0x6e/0xa0 [ 57.369946] ? lockdephardirqson+0x79/0x100 [ 57.369958] dosyscall64+0x3a/0x70 [ 57.369965] entrySYSCALL64afterhwframe+0x44/0xae [ 57.369973] RIP: 0033:0x7f7ed4c1399f [ 57.369979] Code: 08 89 3c 24 48 89 4c 24 18 e8 7d f3 ff ff 4c 8b 54 24 18 48 8b 54 24 10 41 89 c0 48 8b 74 24 08 8b 3c 24 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 04 24 e8 cd f3 ff ff 48 8b [ 57.369983] RSP: 002b:00007ffd7918c580 EFLAGS: 00000293 ORIGRAX: 0000000000000011 [ 57.369990] RAX: ffffffffffffffda RBX: 00000000015b4540 RCX: 00007f7ed4c1399f [ 57.369993] RDX: 0000000000001000 RSI: 00000000015de000 RDI: 0000000000000009 [ 57.369996] RBP: 00000000015b4540 R08: 0000000000000000 R09: 0000000000000001 [ 57.369999] R10: 0000000000e5c000 R11: 0000000000000293 R12: 00007f7eb5269a70 [ 57.370002] R13: 0000000000000000 R14: 0000000000001000 R15: 00000000015b4568 [ 57.370031] CPU: 7 PID: 1507 Comm: fio Not tainted 5.13.0-rc1+ #34 [ 57.370036] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018 [ 57.370039] Call Trace: [ 57.370045] dumpstack+0x6d/0x89 [ 57.370056] ch ---truncated---