FKIE_CVE-2024-26846

Vulnerability from fkie_nvd - Published: 2024-04-17 10:15 - Updated: 2025-03-21 15:02
Severity
4.4 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: nvme-fc: do not wait in vain when unloading module The module exit path has race between deleting all controllers and freeing 'left over IDs'. To prevent double free a synchronization between nvme_delete_ctrl and ida_destroy has been added by the initial commit. There is some logic around trying to prevent from hanging forever in wait_for_completion, though it does not handling all cases. E.g. blktests is able to reproduce the situation where the module unload hangs forever. If we completely rely on the cleanup code executed from the nvme_delete_ctrl path, all IDs will be freed eventually. This makes calling ida_destroy unnecessary. We only have to ensure that all nvme_delete_ctrl code has been executed before we leave nvme_fc_exit_module. This is done by flushing the nvme_delete_wq workqueue. While at it, remove the unused nvme_fc_wq workqueue too.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/085195aa90a924c79e35569bcdad860d764a8e17Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0bf567d6d9ffe09e059bbdfb4d07143cef42c75cPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4f2c95015ec2a1899161be6c0bdaecedd5a7bfb2Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/70fbfc47a392b98e5f8dba70c6efc6839205c982Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/baa6b7eb8c66486bd64608adc63fe03b30d3c0b9Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c0882c366418bf9c19e1ba7f270fe377a9bf5d67Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/085195aa90a924c79e35569bcdad860d764a8e17Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/0bf567d6d9ffe09e059bbdfb4d07143cef42c75cPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/4f2c95015ec2a1899161be6c0bdaecedd5a7bfb2Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/70fbfc47a392b98e5f8dba70c6efc6839205c982Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/baa6b7eb8c66486bd64608adc63fe03b30d3c0b9Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/c0882c366418bf9c19e1ba7f270fe377a9bf5d67Patch
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/06/msg00017.htmlMailing List, Third Party Advisory
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 6.8
linux linux_kernel 6.8
debian debian_linux 10.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC6905D6-5F33-4718-AAFD-C356351E82B0",
              "versionEndExcluding": "5.10.211",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB6C60DE-9E0C-46C5-904D-D4F4031F8E95",
              "versionEndExcluding": "5.15.150",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BA7850CE-97C9-4408-A348-6173296BCA2B",
              "versionEndExcluding": "6.1.80",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8D82004C-B2AE-4048-9344-32EFF65953B0",
              "versionEndExcluding": "6.6.19",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "575EE16B-67F2-4B5B-B5F8-1877715C898B",
              "versionEndExcluding": "6.7.7",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "B9F4EA73-0894-400F-A490-3A397AB7A517",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "056BD938-0A27-4569-B391-30578B309EE3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: do not wait in vain when unloading module\n\nThe module exit path has race between deleting all controllers and\nfreeing \u0027left over IDs\u0027. To prevent double free a synchronization\nbetween nvme_delete_ctrl and ida_destroy has been added by the initial\ncommit.\n\nThere is some logic around trying to prevent from hanging forever in\nwait_for_completion, though it does not handling all cases. E.g.\nblktests is able to reproduce the situation where the module unload\nhangs forever.\n\nIf we completely rely on the cleanup code executed from the\nnvme_delete_ctrl path, all IDs will be freed eventually. This makes\ncalling ida_destroy unnecessary. We only have to ensure that all\nnvme_delete_ctrl code has been executed before we leave\nnvme_fc_exit_module. This is done by flushing the nvme_delete_wq\nworkqueue.\n\nWhile at it, remove the unused nvme_fc_wq workqueue too."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nvme-fc: no espere en vano al descargar el m\u00f3dulo. La ruta de salida del m\u00f3dulo tiene una carrera entre eliminar todos los controladores y liberar los \u0027ID sobrantes\u0027. Para evitar la doble liberaci\u00f3n, la confirmaci\u00f3n inicial agreg\u00f3 una sincronizaci\u00f3n entre nvme_delete_ctrl e ida_destroy. Existe cierta l\u00f3gica al tratar de evitar que se cuelgue para siempre en wait_for_completion, aunque no maneja todos los casos. Por ejemplo, blktests puede reproducir la situaci\u00f3n en la que la descarga del m\u00f3dulo se bloquea para siempre. Si confiamos completamente en el c\u00f3digo de limpieza ejecutado desde la ruta nvme_delete_ctrl, eventualmente se liberar\u00e1n todas las ID. Esto hace que llamar a ida_destroy sea innecesario. Solo tenemos que asegurarnos de que todo el c\u00f3digo nvme_delete_ctrl se haya ejecutado antes de salir de nvme_fc_exit_module. Esto se hace vaciando la cola de trabajo nvme_delete_wq. Mientras lo hace, elimine tambi\u00e9n la cola de trabajo nvme_fc_wq no utilizada."
    }
  ],
  "id": "CVE-2024-26846",
  "lastModified": "2025-03-21T15:02:58.657",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 4.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-04-17T10:15:10.187",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/085195aa90a924c79e35569bcdad860d764a8e17"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/0bf567d6d9ffe09e059bbdfb4d07143cef42c75c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/4f2c95015ec2a1899161be6c0bdaecedd5a7bfb2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/70fbfc47a392b98e5f8dba70c6efc6839205c982"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/baa6b7eb8c66486bd64608adc63fe03b30d3c0b9"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/c0882c366418bf9c19e1ba7f270fe377a9bf5d67"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/085195aa90a924c79e35569bcdad860d764a8e17"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/0bf567d6d9ffe09e059bbdfb4d07143cef42c75c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/4f2c95015ec2a1899161be6c0bdaecedd5a7bfb2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/70fbfc47a392b98e5f8dba70c6efc6839205c982"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/baa6b7eb8c66486bd64608adc63fe03b30d3c0b9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/c0882c366418bf9c19e1ba7f270fe377a9bf5d67"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-415"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.