cve-2021-47552
Vulnerability from cvelistv5
Published: 2024-05-24 15:09
Modified: 2024-08-04 05:39
Summary: blk-mq: cancel blk-mq dispatch work in both blk_cleanup_queue and disk_release()
Impacted products
Vendor  Product
Linux   Linux
Linux   Linux


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47552",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-10T18:51:40.130772Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-10T18:51:50.154Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.804Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e03513f58919d9e2bc6df765ca2c9da863d03d90"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2a19b28f7929866e1cec92a3619f4de9f2d20005"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/blk-core.c",
            "block/blk-mq.c",
            "block/blk-mq.h",
            "block/blk-sysfs.c",
            "block/genhd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e03513f58919",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "2a19b28f7929",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/blk-core.c",
            "block/blk-mq.c",
            "block/blk-mq.h",
            "block/blk-sysfs.c",
            "block/genhd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.6",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: cancel blk-mq dispatch work in both blk_cleanup_queue and disk_release()\n\nFor avoiding to slow down queue destroy, we don\u0027t call\nblk_mq_quiesce_queue() in blk_cleanup_queue(), instead of delaying to\ncancel dispatch work in blk_release_queue().\n\nHowever, this way has caused kernel oops[1], reported by Changhui. The log\nshows that scsi_device can be freed before running blk_release_queue(),\nwhich is expected too since scsi_device is released after the scsi disk\nis closed and the scsi_device is removed.\n\nFixes the issue by canceling blk-mq dispatch work in both blk_cleanup_queue()\nand disk_release():\n\n1) when disk_release() is run, the disk has been closed, and any sync\ndispatch activities have been done, so canceling dispatch work is enough to\nquiesce filesystem I/O dispatch activity.\n\n2) in blk_cleanup_queue(), we only focus on passthrough request, and\npassthrough request is always explicitly allocated \u0026 freed by\nits caller, so once queue is frozen, all sync dispatch activity\nfor passthrough request has been done, then it is enough to just cancel\ndispatch work for avoiding any dispatch activity.\n\n[1] kernel panic log\n[12622.769416] BUG: kernel NULL pointer dereference, address: 0000000000000300\n[12622.777186] #PF: supervisor read access in kernel mode\n[12622.782918] #PF: error_code(0x0000) - not-present page\n[12622.788649] PGD 0 P4D 0\n[12622.791474] Oops: 0000 [#1] PREEMPT SMP PTI\n[12622.796138] CPU: 10 PID: 744 Comm: kworker/10:1H Kdump: loaded Not tainted 5.15.0+ #1\n[12622.804877] Hardware name: Dell Inc. 
PowerEdge R730/0H21J3, BIOS 1.5.4 10/002/2015\n[12622.813321] Workqueue: kblockd blk_mq_run_work_fn\n[12622.818572] RIP: 0010:sbitmap_get+0x75/0x190\n[12622.823336] Code: 85 80 00 00 00 41 8b 57 08 85 d2 0f 84 b1 00 00 00 45 31 e4 48 63 cd 48 8d 1c 49 48 c1 e3 06 49 03 5f 10 4c 8d 6b 40 83 f0 01 \u003c48\u003e 8b 33 44 89 f2 4c 89 ef 0f b6 c8 e8 fa f3 ff ff 83 f8 ff 75 58\n[12622.844290] RSP: 0018:ffffb00a446dbd40 EFLAGS: 00010202\n[12622.850120] RAX: 0000000000000001 RBX: 0000000000000300 RCX: 0000000000000004\n[12622.858082] RDX: 0000000000000006 RSI: 0000000000000082 RDI: ffffa0b7a2dfe030\n[12622.866042] RBP: 0000000000000004 R08: 0000000000000001 R09: ffffa0b742721334\n[12622.874003] R10: 0000000000000008 R11: 0000000000000008 R12: 0000000000000000\n[12622.881964] R13: 0000000000000340 R14: 0000000000000000 R15: ffffa0b7a2dfe030\n[12622.889926] FS:  0000000000000000(0000) GS:ffffa0baafb40000(0000) knlGS:0000000000000000\n[12622.898956] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[12622.905367] CR2: 0000000000000300 CR3: 0000000641210001 CR4: 00000000001706e0\n[12622.913328] Call Trace:\n[12622.916055]  \u003cTASK\u003e\n[12622.918394]  scsi_mq_get_budget+0x1a/0x110\n[12622.922969]  __blk_mq_do_dispatch_sched+0x1d4/0x320\n[12622.928404]  ? pick_next_task_fair+0x39/0x390\n[12622.933268]  __blk_mq_sched_dispatch_requests+0xf4/0x140\n[12622.939194]  blk_mq_sched_dispatch_requests+0x30/0x60\n[12622.944829]  __blk_mq_run_hw_queue+0x30/0xa0\n[12622.949593]  process_one_work+0x1e8/0x3c0\n[12622.954059]  worker_thread+0x50/0x3b0\n[12622.958144]  ? rescuer_thread+0x370/0x370\n[12622.962616]  kthread+0x158/0x180\n[12622.966218]  ? 
set_kthread_struct+0x40/0x40\n[12622.970884]  ret_from_fork+0x22/0x30\n[12622.974875]  \u003c/TASK\u003e\n[12622.977309] Modules linked in: scsi_debug rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs sunrpc dm_multipath intel_rapl_msr intel_rapl_common dell_wmi_descriptor sb_edac rfkill video x86_pkg_temp_thermal intel_powerclamp dcdbas coretemp kvm_intel kvm mgag200 irqbypass i2c_algo_bit rapl drm_kms_helper ipmi_ssif intel_cstate intel_uncore syscopyarea sysfillrect sysimgblt fb_sys_fops pcspkr cec mei_me lpc_ich mei ipmi_si ipmi_devintf ipmi_msghandler acpi_power_meter drm fuse xfs libcrc32c sr_mod cdrom sd_mod t10_pi sg ixgbe ahci libahci crct10dif_pclmul crc32_pclmul crc32c_intel libata megaraid_sas ghash_clmulni_intel tg3 wdat_w\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-29T05:09:57.035Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e03513f58919d9e2bc6df765ca2c9da863d03d90"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a19b28f7929866e1cec92a3619f4de9f2d20005"
        }
      ],
      "title": "blk-mq: cancel blk-mq dispatch work in both blk_cleanup_queue and disk_release()",
      "x_generator": {
        "engine": "bippy-a5840b7849dd"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47552",
    "datePublished": "2024-05-24T15:09:55.295Z",
    "dateReserved": "2024-05-24T15:02:54.832Z",
    "dateUpdated": "2024-08-04T05:39:59.804Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47552\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-24T15:15:20.000\",\"lastModified\":\"2024-05-24T18:09:20.027\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblk-mq: cancel blk-mq dispatch work in both blk_cleanup_queue and disk_release()\\n\\nFor avoiding to slow down queue destroy, we don\u0027t call\\nblk_mq_quiesce_queue() in blk_cleanup_queue(), instead of delaying to\\ncancel dispatch work in blk_release_queue().\\n\\nHowever, this way has caused kernel oops[1], reported by Changhui. The log\\nshows that scsi_device can be freed before running blk_release_queue(),\\nwhich is expected too since scsi_device is released after the scsi disk\\nis closed and the scsi_device is removed.\\n\\nFixes the issue by canceling blk-mq dispatch work in both blk_cleanup_queue()\\nand disk_release():\\n\\n1) when disk_release() is run, the disk has been closed, and any sync\\ndispatch activities have been done, so canceling dispatch work is enough to\\nquiesce filesystem I/O dispatch activity.\\n\\n2) in blk_cleanup_queue(), we only focus on passthrough request, and\\npassthrough request is always explicitly allocated \u0026 freed by\\nits caller, so once queue is frozen, all sync dispatch activity\\nfor passthrough request has been done, then it is enough to just cancel\\ndispatch work for avoiding any dispatch activity.\\n\\n[1] kernel panic log\\n[12622.769416] BUG: kernel NULL pointer dereference, address: 0000000000000300\\n[12622.777186] #PF: supervisor read access in kernel mode\\n[12622.782918] #PF: error_code(0x0000) - not-present page\\n[12622.788649] PGD 0 P4D 0\\n[12622.791474] Oops: 0000 [#1] PREEMPT SMP PTI\\n[12622.796138] CPU: 10 PID: 744 Comm: kworker/10:1H Kdump: loaded Not tainted 5.15.0+ #1\\n[12622.804877] Hardware name: Dell Inc. 
PowerEdge R730/0H21J3, BIOS 1.5.4 10/002/2015\\n[12622.813321] Workqueue: kblockd blk_mq_run_work_fn\\n[12622.818572] RIP: 0010:sbitmap_get+0x75/0x190\\n[12622.823336] Code: 85 80 00 00 00 41 8b 57 08 85 d2 0f 84 b1 00 00 00 45 31 e4 48 63 cd 48 8d 1c 49 48 c1 e3 06 49 03 5f 10 4c 8d 6b 40 83 f0 01 \u003c48\u003e 8b 33 44 89 f2 4c 89 ef 0f b6 c8 e8 fa f3 ff ff 83 f8 ff 75 58\\n[12622.844290] RSP: 0018:ffffb00a446dbd40 EFLAGS: 00010202\\n[12622.850120] RAX: 0000000000000001 RBX: 0000000000000300 RCX: 0000000000000004\\n[12622.858082] RDX: 0000000000000006 RSI: 0000000000000082 RDI: ffffa0b7a2dfe030\\n[12622.866042] RBP: 0000000000000004 R08: 0000000000000001 R09: ffffa0b742721334\\n[12622.874003] R10: 0000000000000008 R11: 0000000000000008 R12: 0000000000000000\\n[12622.881964] R13: 0000000000000340 R14: 0000000000000000 R15: ffffa0b7a2dfe030\\n[12622.889926] FS:  0000000000000000(0000) GS:ffffa0baafb40000(0000) knlGS:0000000000000000\\n[12622.898956] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[12622.905367] CR2: 0000000000000300 CR3: 0000000641210001 CR4: 00000000001706e0\\n[12622.913328] Call Trace:\\n[12622.916055]  \u003cTASK\u003e\\n[12622.918394]  scsi_mq_get_budget+0x1a/0x110\\n[12622.922969]  __blk_mq_do_dispatch_sched+0x1d4/0x320\\n[12622.928404]  ? pick_next_task_fair+0x39/0x390\\n[12622.933268]  __blk_mq_sched_dispatch_requests+0xf4/0x140\\n[12622.939194]  blk_mq_sched_dispatch_requests+0x30/0x60\\n[12622.944829]  __blk_mq_run_hw_queue+0x30/0xa0\\n[12622.949593]  process_one_work+0x1e8/0x3c0\\n[12622.954059]  worker_thread+0x50/0x3b0\\n[12622.958144]  ? rescuer_thread+0x370/0x370\\n[12622.962616]  kthread+0x158/0x180\\n[12622.966218]  ? 
set_kthread_struct+0x40/0x40\\n[12622.970884]  ret_from_fork+0x22/0x30\\n[12622.974875]  \u003c/TASK\u003e\\n[12622.977309] Modules linked in: scsi_debug rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs sunrpc dm_multipath intel_rapl_msr intel_rapl_common dell_wmi_descriptor sb_edac rfkill video x86_pkg_temp_thermal intel_powerclamp dcdbas coretemp kvm_intel kvm mgag200 irqbypass i2c_algo_bit rapl drm_kms_helper ipmi_ssif intel_cstate intel_uncore syscopyarea sysfillrect sysimgblt fb_sys_fops pcspkr cec mei_me lpc_ich mei ipmi_si ipmi_devintf ipmi_msghandler acpi_power_meter drm fuse xfs libcrc32c sr_mod cdrom sd_mod t10_pi sg ixgbe ahci libahci crct10dif_pclmul crc32_pclmul crc32c_intel libata megaraid_sas ghash_clmulni_intel tg3 wdat_w\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: blk-mq: cancela el trabajo de env\u00edo de blk-mq tanto en blk_cleanup_queue como en disk_release() Para evitar ralentizar la destrucci\u00f3n de la cola, no llamamos a blk_mq_quiesce_queue() en blk_cleanup_queue(). en lugar de retrasar la cancelaci\u00f3n del trabajo de env\u00edo en blk_release_queue(). Sin embargo, esta forma ha provocado errores en el kernel[1], seg\u00fan inform\u00f3 Changhui. El registro muestra que scsi_device se puede liberar antes de ejecutar blk_release_queue(), lo cual tambi\u00e9n se espera ya que scsi_device se libera despu\u00e9s de que se cierra el disco scsi y se elimina scsi_device. Soluciona el problema cancelando el trabajo de env\u00edo de blk-mq tanto en blk_cleanup_queue() como en disk_release(): 1) cuando se ejecuta disk_release(), el disco se ha cerrado y se han realizado todas las actividades de env\u00edo de sincronizaci\u00f3n, por lo que cancelar el trabajo de env\u00edo es suficiente para inmovilizar la actividad de env\u00edo de E/S del sistema de archivos. 
2) en blk_cleanup_queue(), solo nos centramos en la solicitud de paso a trav\u00e9s, y la persona que llama siempre asigna y libera expl\u00edcitamente la solicitud de paso a trav\u00e9s, por lo que una vez que la cola se congela, se ha realizado toda la actividad de env\u00edo de sincronizaci\u00f3n para la solicitud de paso a trav\u00e9s, entonces es suficiente con simplemente cancelar el trabajo de despacho para evitar cualquier actividad de despacho. [1] registro de p\u00e1nico del kernel [12622.769416] ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000300 [12622.777186] #PF: acceso de lectura del supervisor en modo kernel [12622.782918] #PF: c\u00f3digo de error (0x0000) - p\u00e1gina no presente [12622.788649] re 0 P4D 0 [12622.791474] Ups: 0000 [#1] PREEMPT SMP PTI [12622.796138] CPU: 10 PID: 744 Comm: kworker/10:1H Kdump: cargado No contaminado 5.15.0+ #1 [12622.804877] Nombre de hardware: Dell Inc. PowerEdge R730/0H21J3, BIOS 1.5.4 10/002/2015 [12622.813321] Cola de trabajo: kblockd blk_mq_run_work_fn [12622.818572] RIP: 0010:sbitmap_get+0x75/0x190 [12622.823336] C\u00f3digo: 85 80 00 00 00 41 8b 57 08 85 d2 0f 84 b1 00 00 00 45 31 e4 48 63 cd 48 8d 1c 49 48 c1 e3 06 49 03 5f 10 4c 8d 6b 40 83 f0 01 \u0026lt;48\u0026gt; 8b 33 44 89 f2 4c 89 ef 0f b6 c8 e 8 fa f3 ff ff 83 f8 ff 75 58 [12622.844290] RSP: 0018:ffffb00a446dbd40 EFLAGS: 00010202 [12622.850120] RAX: 00000000000000001 RBX: 0000000000000300 0000000000000004 [12622.858082] RDX: 0000000000000006 RSI: 0000000000000082 RDI: ffffa0b7a2dfe030 [12622.866042] RBP: 0000000000000004 8: 0000000000000001 R09: ffffa0b742721334 [12622.874003] R10: 0000000000000008 R11: 0000000000000008 R12: 00000000000000000 [12622.881964] R13: 0000340 R14: 0000000000000000 R15: ffffa0b7a2dfe030 [12622.889926] FS: 0000000000000000(0000) GS:ffffa0baafb40000(0000) knlGS:000000000000000 00 [12622.898956] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [12622.905367] CR2: 0000000000000300 CR3: 
0000000641210001 CR4: 00000000001706e0 [12622.913 328] Seguimiento de llamadas: [12622.916055]  [12622.918394] scsi_mq_get_budget+0x1a/0x110 [12622.922969] __blk_mq_do_dispatch_sched+0x1d4/0x320 [12622.928404] ? pick_next_task_fair+0x39/0x390 [12622.933268] __blk_mq_sched_dispatch_requests+0xf4/0x140 [12622.939194] blk_mq_sched_dispatch_requests+0x30/0x60 [12622.944829] q_run_hw_queue+0x30/0xa0 [12622.949593] proceso_one_work+0x1e8/0x3c0 [12622.954059] trabajador_thread+0x50/0x3b0 [12622.958144] ? hilo_rescate+0x370/0x370 [12622.962616] kthread+0x158/0x180 [12622.966218] ? set_kthread_struct+0x40/0x40 [12622.970884] ret_from_fork+0x22/0x30 [12622.974875]  [12622.977309] M\u00f3dulos vinculados en: scsi_debug rpcsec_gss_krb5 auth_rpcgss nfsv4 solucionador nfs lockd gracia fscache netfs sunrpc dm_multipath intel_rapl_msr intel_rapl_common dell_wmi_descriptor sb_edac rfkill video x86_pkg_temp_thermal intel_powerclamp dcdbas coretemp kvm_intel kvm mgag200 irqbypass i2c_algo_bit rapl drm_kms_helper ipmi_ssif intel_cstate intel_uncore syscopyarea ---truncado---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2a19b28f7929866e1cec92a3619f4de9f2d20005\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e03513f58919d9e2bc6df765ca2c9da863d03d90\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

