CVE-2022-49003

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49003
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49003.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49003
Published
2024-10-21T20:06:16Z
Modified
2025-10-21T08:00:44.958712Z
Summary
nvme: fix SRCU protection of nvme_ns_head list
Details

In the Linux kernel, the following vulnerability has been resolved:

nvme: fix SRCU protection of nvme_ns_head list

Walking the nvme_ns_head siblings list is protected by the head's srcu in nvme_ns_head_submit_bio() but not nvme_mpath_revalidate_paths(). Removing namespaces from the list also fails to synchronize the srcu. Concurrent scan work can therefore cause use-after-frees.

Hold the head's srcu lock in nvme_mpath_revalidate_paths() and synchronize with the srcu, not the global RCU, in nvme_ns_remove().

Observed the following panic when making NVMe/RDMA connections with native multipath on the Rocky Linux 8.6 kernel (it seems the upstream kernel has the same race condition). Disassembly shows the faulting instruction is cmp 0x50(%rdx),%rcx; computing capacity != get_capacity(ns->disk). Address 0x50 is dereferenced because ns->disk is NULL. The NULL disk appears to be the result of concurrent scan work freeing the namespace (note the log line in the middle of the panic).

[37314.206036] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
[37314.206036] nvme0n3: detected capacity change from 0 to 11811160064
[37314.299753] PGD 0 P4D 0
[37314.299756] Oops: 0000 [#1] SMP PTI
[37314.299759] CPU: 29 PID: 322046 Comm: kworker/u98:3 Kdump: loaded Tainted: G W X --------- - - 4.18.0-372.32.1.el8test86.x86_64 #1
[37314.299762] Hardware name: Dell Inc. PowerEdge R720/0JP31P, BIOS 2.7.0 05/23/2018
[37314.299763] Workqueue: nvme-wq nvme_scan_work [nvme_core]
[37314.299783] RIP: 0010:nvme_mpath_revalidate_paths+0x26/0xb0 [nvme_core]
[37314.299790] Code: 1f 44 00 00 66 66 66 66 90 55 53 48 8b 5f 50 48 8b 83 c8 c9 00 00 48 8b 13 48 8b 48 50 48 39 d3 74 20 48 8d 42 d0 48 8b 50 20 <48> 3b 4a 50 74 05 f0 80 60 70 ef 48 8b 50 30 48 8d 42 d0 48 39 d3
[37315.058803] RSP: 0018:ffffabe28f913d10 EFLAGS: 00010202
[37315.121316] RAX: ffff927a077da800 RBX: ffff92991dd70000 RCX: 0000000001600000
[37315.206704] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff92991b719800
[37315.292106] RBP: ffff929a6b70c000 R08: 000000010234cd4a R09: c0000000ffff7fff
[37315.377501] R10: 0000000000000001 R11: ffffabe28f913a30 R12: 0000000000000000
[37315.462889] R13: ffff92992716600c R14: ffff929964e6e030 R15: ffff92991dd70000
[37315.548286] FS: 0000000000000000(0000) GS:ffff92b87fb80000(0000) knlGS:0000000000000000
[37315.645111] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[37315.713871] CR2: 0000000000000050 CR3: 0000002208810006 CR4: 00000000000606e0
[37315.799267] Call Trace:
[37315.828515] nvme_update_ns_info+0x1ac/0x250 [nvme_core]
[37315.892075] nvme_validate_or_alloc_ns+0x2ff/0xa00 [nvme_core]
[37315.961871] ? __blk_mq_free_request+0x6b/0x90
[37316.015021] nvme_scan_work+0x151/0x240 [nvme_core]
[37316.073371] process_one_work+0x1a7/0x360
[37316.121318] ? create_worker+0x1a0/0x1a0
[37316.168227] worker_thread+0x30/0x390
[37316.212024] ? create_worker+0x1a0/0x1a0
[37316.258939] kthread+0x10a/0x120
[37316.297557] ? set_kthread_struct+0x50/0x50
[37316.347590] ret_from_fork+0x35/0x40
[37316.390360] Modules linked in: nvme_rdma nvme_tcp(X) nvme_fabrics nvme_core netconsole iscsi_tcp libiscsi_tcp dm_queue_length dm_service_time nf_conntrack_netlink br_netfilter bridge stp llc overlay nft_chain_nat ipt_MASQUERADE nf_nat xt_addrtype xt_CT nft_counter xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment xt_multiport nft_compat nf_tables libcrc32c nfnetlink dm_multipath tg3 rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm intel_rapl_msr iTCO_wdt iTCO_vendor_support dcdbas intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ipmi_ssif kvm irqbypass crct10dif_pclmul crc32_pclmul mlx5_ib ghash_clmulni_intel ib_uverbs rapl intel_cstate intel_uncore ib_core ipmi_si joydev mei_me pcspkr ipmi_devintf mei lpc_ich wmi ipmi_msghandler acpi_power_meter ex ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e7d65803e2bb5bc739548b67a5fc72c626cf7e3b
Fixed
787d81d4eb150e443e5d1276c6e8f03cfecc2302
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e7d65803e2bb5bc739548b67a5fc72c626cf7e3b
Fixed
5b566d09ab1b975566a53f9c5466ee260d087582
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e7d65803e2bb5bc739548b67a5fc72c626cf7e3b
Fixed
899d2a05dc14733cfba6224083c6b0dd5a738590

Affected versions

v5.*

v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.64
v5.15.65
v5.15.66
v5.15.67
v5.15.68
v5.15.69
v5.15.7
v5.15.70
v5.15.71
v5.15.72
v5.15.73
v5.15.74
v5.15.75
v5.15.76
v5.15.77
v5.15.78
v5.15.79
v5.15.8
v5.15.80
v5.15.81
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.0.1
v6.0.10
v6.0.11
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@899d2a05dc14733cfba6224083c6b0dd5a738590",
        "target": {
            "file": "drivers/nvme/host/core.c"
        },
        "digest": {
            "line_hashes": [
                "251363999658314378919406745157021095627",
                "142595626163599362712250258192967840815",
                "173658428457820215066186675745162450152",
                "337470937221848852232917901528988872564"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "id": "CVE-2022-49003-04866106"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@787d81d4eb150e443e5d1276c6e8f03cfecc2302",
        "target": {
            "file": "drivers/nvme/host/core.c"
        },
        "digest": {
            "line_hashes": [
                "251363999658314378919406745157021095627",
                "152929277789085317697028181027413889293",
                "243121822064178515110612150503182324461",
                "125120466776952845548672183249374480573"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "id": "CVE-2022-49003-09f65c90"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@899d2a05dc14733cfba6224083c6b0dd5a738590",
        "target": {
            "file": "drivers/nvme/host/multipath.c"
        },
        "digest": {
            "line_hashes": [
                "204366457635873537101978282716190156073",
                "116616256280128272660380277662595600222",
                "30314691695429581206494076151258635828",
                "121309396358756759994928662565442067199",
                "258668591138616692339271043972968656974",
                "140359136803257688144740723226926140422",
                "115202856450913903568889062375090152490",
                "235113712796648439819795426204121121048"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "id": "CVE-2022-49003-636a0381"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@899d2a05dc14733cfba6224083c6b0dd5a738590",
        "target": {
            "function": "nvme_mpath_revalidate_paths",
            "file": "drivers/nvme/host/multipath.c"
        },
        "digest": {
            "function_hash": "308163419240340954435471933331976180845",
            "length": 385.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "id": "CVE-2022-49003-88051d5f"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5b566d09ab1b975566a53f9c5466ee260d087582",
        "target": {
            "function": "nvme_ns_remove",
            "file": "drivers/nvme/host/core.c"
        },
        "digest": {
            "function_hash": "281657234110106688543217375735883651021",
            "length": 916.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "id": "CVE-2022-49003-90872679"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@787d81d4eb150e443e5d1276c6e8f03cfecc2302",
        "target": {
            "function": "nvme_mpath_revalidate_paths",
            "file": "drivers/nvme/host/multipath.c"
        },
        "digest": {
            "function_hash": "308163419240340954435471933331976180845",
            "length": 385.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "id": "CVE-2022-49003-9129a9bc"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5b566d09ab1b975566a53f9c5466ee260d087582",
        "target": {
            "file": "drivers/nvme/host/multipath.c"
        },
        "digest": {
            "line_hashes": [
                "204366457635873537101978282716190156073",
                "116616256280128272660380277662595600222",
                "30314691695429581206494076151258635828",
                "121309396358756759994928662565442067199",
                "258668591138616692339271043972968656974",
                "140359136803257688144740723226926140422",
                "115202856450913903568889062375090152490",
                "235113712796648439819795426204121121048"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "id": "CVE-2022-49003-924adf51"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@787d81d4eb150e443e5d1276c6e8f03cfecc2302",
        "target": {
            "function": "nvme_ns_remove",
            "file": "drivers/nvme/host/core.c"
        },
        "digest": {
            "function_hash": "50190204965100741242564086851742526899",
            "length": 907.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "id": "CVE-2022-49003-b3218e34"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@787d81d4eb150e443e5d1276c6e8f03cfecc2302",
        "target": {
            "file": "drivers/nvme/host/multipath.c"
        },
        "digest": {
            "line_hashes": [
                "204366457635873537101978282716190156073",
                "116616256280128272660380277662595600222",
                "30314691695429581206494076151258635828",
                "121309396358756759994928662565442067199",
                "258668591138616692339271043972968656974",
                "140359136803257688144740723226926140422",
                "115202856450913903568889062375090152490",
                "235113712796648439819795426204121121048"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "id": "CVE-2022-49003-d5a600f8"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@899d2a05dc14733cfba6224083c6b0dd5a738590",
        "target": {
            "function": "nvme_ns_remove",
            "file": "drivers/nvme/host/core.c"
        },
        "digest": {
            "function_hash": "281657234110106688543217375735883651021",
            "length": 916.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "id": "CVE-2022-49003-db23229a"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5b566d09ab1b975566a53f9c5466ee260d087582",
        "target": {
            "function": "nvme_mpath_revalidate_paths",
            "file": "drivers/nvme/host/multipath.c"
        },
        "digest": {
            "function_hash": "308163419240340954435471933331976180845",
            "length": 385.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "id": "CVE-2022-49003-e81604fd"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5b566d09ab1b975566a53f9c5466ee260d087582",
        "target": {
            "file": "drivers/nvme/host/core.c"
        },
        "digest": {
            "line_hashes": [
                "251363999658314378919406745157021095627",
                "142595626163599362712250258192967840815",
                "173658428457820215066186675745162450152",
                "337470937221848852232917901528988872564"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "id": "CVE-2022-49003-f6b4ce92"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
5.15.82
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.12