cve-2021-46942
Vulnerability from cvelistv5
Published
2024-02-27 18:40
Modified
2024-11-04 11:56
Severity ?
Summary
io_uring: fix shared sqpoll cancellation hangs
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/734551df6f9bedfbefcd113ede665945e9de0b99Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/cb5e0b3d0f993a6268c1a2c7ede2f9aa0c17ef68Patch
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:17:42.981Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cb5e0b3d0f993a6268c1a2c7ede2f9aa0c17ef68"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/734551df6f9bedfbefcd113ede665945e9de0b99"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-46942",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:01:51.334180Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:54.249Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/io_uring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cb5e0b3d0f99",
              "status": "affected",
              "version": "37d1e2e3642e",
              "versionType": "git"
            },
            {
              "lessThan": "734551df6f9b",
              "status": "affected",
              "version": "37d1e2e3642e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/io_uring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.12.*",
              "status": "unaffected",
              "version": "5.12.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix shared sqpoll cancellation hangs\n\n[  736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.\n[  736.982897] Call Trace:\n[  736.982901]  schedule+0x68/0xe0\n[  736.982903]  io_uring_cancel_sqpoll+0xdb/0x110\n[  736.982908]  io_sqpoll_cancel_cb+0x24/0x30\n[  736.982911]  io_run_task_work_head+0x28/0x50\n[  736.982913]  io_sq_thread+0x4e3/0x720\n\nWe call io_uring_cancel_sqpoll() one by one for each ctx either in\nsq_thread() itself or via task works, and it\u0027s intended to cancel all\nrequests of a specified context. However the function uses per-task\ncounters to track the number of inflight requests, so it counts more\nrequests than available via currect io_uring ctx and goes to sleep for\nthem to appear (e.g. from IRQ), that will never happen.\n\nCancel a bit more than before, i.e. all ctxs that share sqpoll\nand continue to use shared counters. Don\u0027t forget that we should not\nremove ctx from the list before running that task_work sqpoll-cancel,\notherwise the function wouldn\u0027t be able to find the context and will\nhang."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T11:56:21.646Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cb5e0b3d0f993a6268c1a2c7ede2f9aa0c17ef68"
        },
        {
          "url": "https://git.kernel.org/stable/c/734551df6f9bedfbefcd113ede665945e9de0b99"
        }
      ],
      "title": "io_uring: fix shared sqpoll cancellation hangs",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-46942",
    "datePublished": "2024-02-27T18:40:29.280Z",
    "dateReserved": "2024-02-25T13:45:52.721Z",
    "dateUpdated": "2024-11-04T11:56:21.646Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-46942\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-02-27T19:04:06.017\",\"lastModified\":\"2024-04-10T19:56:14.227\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring: fix shared sqpoll cancellation hangs\\n\\n[  736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.\\n[  736.982897] Call Trace:\\n[  736.982901]  schedule+0x68/0xe0\\n[  736.982903]  io_uring_cancel_sqpoll+0xdb/0x110\\n[  736.982908]  io_sqpoll_cancel_cb+0x24/0x30\\n[  736.982911]  io_run_task_work_head+0x28/0x50\\n[  736.982913]  io_sq_thread+0x4e3/0x720\\n\\nWe call io_uring_cancel_sqpoll() one by one for each ctx either in\\nsq_thread() itself or via task works, and it\u0027s intended to cancel all\\nrequests of a specified context. However the function uses per-task\\ncounters to track the number of inflight requests, so it counts more\\nrequests than available via currect io_uring ctx and goes to sleep for\\nthem to appear (e.g. from IRQ), that will never happen.\\n\\nCancel a bit more than before, i.e. all ctxs that share sqpoll\\nand continue to use shared counters. Don\u0027t forget that we should not\\nremove ctx from the list before running that task_work sqpoll-cancel,\\notherwise the function wouldn\u0027t be able to find the context and will\\nhang.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: corrige bloqueos de cancelaci\u00f3n de sqpoll compartido [736.982891] INFORMACI\u00d3N: tarea iou-sqp-4294:4295 bloqueada durante m\u00e1s de 122 segundos. [ 736.982897] Seguimiento de llamadas: [ 736.982901] agenda+0x68/0xe0 [ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110 [ 736.982908] io_sqpoll_cancel_cb+0x24/0x30 [ 736.982911] io_run_task_work_head+0x28/0x50 [ 736.982913] io_sq_thread+0x4e3/0x720 Llamamos a io_uring_cancel_sqpoll( ) uno por uno para cada ctx, ya sea en sq_thread() o mediante tareas, y est\u00e1 destinado a cancelar todas las solicitudes de un contexto espec\u00edfico. Sin embargo, la funci\u00f3n utiliza contadores por tarea para rastrear la cantidad de solicitudes en curso, por lo que cuenta m\u00e1s solicitudes de las disponibles a trav\u00e9s de currect io_uring ctx y se pone en suspensi\u00f3n para que aparezcan (por ejemplo, desde IRQ), eso nunca suceder\u00e1. Cancele un poco m\u00e1s que antes, es decir, todos los ctx que comparten sqpoll y contin\u00faan usando contadores compartidos. No olvide que no debemos eliminar ctx de la lista antes de ejecutar task_work sqpoll-cancel; de lo contrario, la funci\u00f3n no podr\u00e1 encontrar el contexto y se bloquear\u00e1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.12.0\",\"versionEndExcluding\":\"5.12.3\",\"matchCriteriaId\":\"C3814FA3-8141-4313-A852-8C4212BE12AD\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/734551df6f9bedfbefcd113ede665945e9de0b99\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cb5e0b3d0f993a6268c1a2c7ede2f9aa0c17ef68\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.