In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix ufshcd_abort_one racing issue
When ufshcd_abort_one races with the completion ISR, the ISR completes the tag and sets the request's mq_hctx pointer to NULL. Return success when the request has already been completed by the ISR, because ufshcd_abort_one then has nothing left to do.
The racing flow is:
Thread A
ufshcd_err_handler                                  step 1
    ...
    ufshcd_abort_one
        ufshcd_try_to_abort_task
            ufshcd_cmd_inflight(true)               step 3
        ufshcd_mcq_req_to_hwq
            blk_mq_unique_tag
                rq->mq_hctx->queue_num              step 5

Thread B
ufs_mtk_mcq_intr (cq complete ISR)                  step 2
    scsi_done
        ...
        __blk_mq_free_request
            rq->mq_hctx = NULL;                     step 4
Below is the KE back trace.
ufshcd_try_to_abort_task: cmd at tag 41 not pending in the device.
ufshcd_try_to_abort_task: cmd at tag=41 is cleared.
Aborting tag 41 / CDB 0x28 succeeded
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194
pc : [0xffffffddd7a79bf8] blk_mq_unique_tag+0x8/0x14
lr : [0xffffffddd6155b84] ufshcd_mcq_req_to_hwq+0x1c/0x40 [ufs_mediatek_mod_ise]
 do_mem_abort+0x58/0x118
 el1_abort+0x3c/0x5c
 el1h_64_sync_handler+0x54/0x90
 el1h_64_sync+0x68/0x6c
 blk_mq_unique_tag+0x8/0x14
 ufshcd_err_handler+0xae4/0xfa8 [ufs_mediatek_mod_ise]
 process_one_work+0x208/0x4fc
 worker_thread+0x228/0x438
 kthread+0x104/0x1d4
 ret_from_fork+0x10/0x20
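The ordering above is a time-of-check/time-of-use problem: the in-flight check at step 3 is stale by the time mq_hctx is dereferenced at step 5. The following user-space model, added here as an illustration and not the kernel's code, injects the step 4 interleaving deterministically and contrasts an abort path that dereferences the pointer after a stale check with one that treats a cleared mq_hctx as "already completed, return success". All structure and function names are simplified stand-ins for the kernel paths named in the trace.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the race; the structs are simplified stand-ins. */
struct blk_mq_hw_ctx { int queue_num; };
struct request {
    struct blk_mq_hw_ctx *mq_hctx;  /* cleared by __blk_mq_free_request */
    bool inflight;                  /* what ufshcd_cmd_inflight() reports */
};
typedef void (*interleave_fn)(struct request *);

/* Thread B (step 2/4): cq complete ISR -> scsi_done -> __blk_mq_free_request. */
void complete_from_isr(struct request *rq) {
    rq->inflight = false;
    rq->mq_hctx = NULL;
}
/* No ISR runs between the check and the dereference. */
void no_interleave(struct request *rq) { (void)rq; }

/* Stale-check variant: mirrors the bug. The ISR may run after step 3, and
 * blk_mq_unique_tag then dereferences a NULL mq_hctx (step 5). Returns -1
 * in place of the kernel oops so the model stays runnable. */
int abort_one_stale(struct request *rq, interleave_fn isr, int *qnum) {
    if (!rq->inflight) return 0;              /* step 3: still in flight */
    isr(rq);                                   /* step 4 may land here */
    if (rq->mq_hctx == NULL) return -1;        /* would be the NULL deref */
    *qnum = rq->mq_hctx->queue_num;            /* step 5 */
    return 0;
}

/* Handled variant: take one snapshot of mq_hctx at the point of use and
 * treat NULL as "completed by the ISR"; there is nothing left to release,
 * so the abort reports success without touching the hw queue. */
int abort_one_fixed(struct request *rq, interleave_fn isr, int *qnum) {
    if (!rq->inflight) return 0;
    isr(rq);
    struct blk_mq_hw_ctx *hctx = rq->mq_hctx;  /* single read, then test */
    if (hctx == NULL) return 0;                /* completed by ISR: done */
    *qnum = hctx->queue_num;                   /* still ours: release it */
    return 0;
}
```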