CVE-2024-41054

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-41054
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-41054.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-41054
Downstream
Related
Published
2024-07-29T14:32:09Z
Modified
2025-10-22T00:22:44.793451Z
Summary
scsi: ufs: core: Fix ufshcd_clear_cmd racing issue
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix ufshcdclearcmd racing issue

When ufshcdclearcmd is racing with the completion ISR, the completed tag of the request's mqhctx pointer will be set to NULL by the ISR. And ufshcdclearcmd's call to ufshcdmcqreqto_hwq will get NULL pointer KE. Return success when the request is completed by ISR because sq does not need cleanup.

The racing flow is:

Thread A ufshcderrhandler step 1 ufshcdtrytoaborttask ufshcdcmdinflight(true) step 3 ufshcdclearcmd ... ufshcdmcqreqtohwq blkmquniquetag rq->mqhctx->queue_num step 5

Thread B ufsmtkmcqintr(cq complete ISR) step 2 scsidone ... _blkmqfreerequest rq->mq_hctx = NULL; step 4

Below is KE back trace:

ufshcdtrytoaborttask: cmd pending in the device. tag = 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194 pc : [0xffffffd589679bf8] blkmquniquetag+0x8/0x14 lr : [0xffffffd5862f95b4] ufshcdmcqsqcleanup+0x6c/0x1cc [ufsmediatekmodise] Workqueue: ufsehwq0 ufshcderrhandler [ufsmediatekmodise] Call trace: dumpbacktrace+0xf8/0x148 showstack+0x18/0x24 dumpstacklvl+0x60/0x7c dumpstack+0x18/0x3c mrdumpcommondie+0x24c/0x398 [mrdump] ipanicdie+0x20/0x34 [mrdump] notifydie+0x80/0xd8 die+0x94/0x2b8 _dokernelfault+0x264/0x298 dopagefault+0xa4/0x4b8 dotranslationfault+0x38/0x54 domemabort+0x58/0x118 el1abort+0x3c/0x5c el1h64synchandler+0x54/0x90 el1h64sync+0x68/0x6c blkmquniquetag+0x8/0x14 ufshcdclearcmd+0x34/0x118 [ufsmediatekmodise] ufshcdtrytoaborttask+0x2c8/0x5b4 [ufsmediatekmodise] ufshcderrhandler+0xa7c/0xfa8 [ufsmediatekmodise] processonework+0x208/0x4fc workerthread+0x228/0x438 kthread+0x104/0x1d4 retfromfork+0x10/0x20

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8d7290348992f27242dd6a696fa2eede709f0b14
Fixed
bed0896008334eeee4b4bfd7150491ca098cbf72
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8d7290348992f27242dd6a696fa2eede709f0b14
Fixed
11d81233f4ebe6907b12c79ad7d8787aa4db0633
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8d7290348992f27242dd6a696fa2eede709f0b14
Fixed
9307a998cb9846a2557fdca286997430bee36a2a

Affected versions

v6.*

v6.10-rc1
v6.4
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6
v6.9.7
v6.9.8
v6.9.9

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.5.0
Fixed
6.6.41
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.9.10