CVE-2024-26935

Commit fc663711b944 ("scsi: core: Remove the /proc/scsi/${procname} directory earlier") fixed a bug related to modules loading/unloading, by adding a call to scsiprochostdirrm() on scsiremovehost(). But that led to a potential duplicate call to the hostdirrm() routine, since it's also called from scsihostdevrelease(). That triggered a regression report, which was then fixed by commit be03df3d4bfe ("scsi: core: Fix a procfs host directory removal regression"). The fix just dropped the hostdirrm() call from devrelease().

But it happens that this proc directory is created on scsihostalloc(), and that function "pairs" with scsihostdevrelease(), while scsiremovehost() pairs with scsiaddhost(). In other words, it seems the reason for removing the proc directory on devrelease() was meant to cover cases in which a SCSI host structure was allocated, but the call to scsiaddhost() didn't happen. And that pattern happens to exist in some error paths, for example.

Syzkaller causes that by using USB raw gadget device, error'ing on usb-storage driver, at usbstorprobe2(). By checking that path, we can see that the BadDevice label leads to a scsihostput() after a SCSI host allocation, but there's no call to scsiaddhost() in such path. That leads to messages like this in dmesg (and a leak of the SCSI host proc structure):

usb-storage 4-1:87.51: USB Mass Storage device detected procdirentry 'scsi/usb-storage' already registered WARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376

The proper fix seems to still call scsiprochostdirrm() on devrelease(), but guard that with the state check for SHOSTCREATED; there is even a comment in scsihostdevrelease() detailing that: such conditional is meant for cases where the SCSI host was allocated but there was no calls to {add,remove}_host(), like the usb-storage case.

This is what we propose here and with that, the error path of usb-storage does not trigger the warning anymore.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

88c3d3bb6469cea929ac68fd326bdcbefcdfdd83

Fixed

0053f15d50d50c9312d8ab9c11e2e405812dfcac

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

68c665bb185037e7eb66fb792c61da9d7151e99c

Fixed

5c2386ba80e779a92ec3bb64ccadbedd88f779b1

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

2a764d55e938743efa7c2cba7305633bcf227f09

Fixed

cea234bb214b17d004dfdccce4491e6ff57c96ee

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

7e0ae8667fcdd99d1756922e1140cac75f5fa279

Fixed

3678cf67ff7136db1dd3bf63c361650db5d92889

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

be03df3d4bfe7e8866d4aa43d62e648ffe884f5f

Fixed

d4c34782b6d7b1e68d18d9549451b19433bd4c6c

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

be03df3d4bfe7e8866d4aa43d62e648ffe884f5f

Fixed

e293c773c13b830cdc251f155df2254981abc320

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

be03df3d4bfe7e8866d4aa43d62e648ffe884f5f

Fixed

f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

be03df3d4bfe7e8866d4aa43d62e648ffe884f5f

Fixed

f23a4d6e07570826fe95023ca1aa96a011fa9f84

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

73f030d4ef6d1ad17f824a0a2eb637ef7a9c7d51

Affected versions

v5.*

v5.10.1

v5.10.10

v5.10.11

v5.10.12

v5.10.13

v5.10.14

v5.10.15

v5.10.16

v5.10.17

v5.10.176

v5.10.177

v5.10.178

v5.10.179

v5.10.18

v5.10.180

v5.10.181

v5.10.182

v5.10.183

v5.10.184

v5.10.185

v5.10.186

v5.10.187

v5.10.188

v5.10.189

v5.10.19

v5.10.190

v5.10.191

v5.10.192

v5.10.193

v5.10.194

v5.10.195

v5.10.196

v5.10.197

v5.10.198

v5.10.199

v5.10.2

v5.10.200

v5.10.201

v5.10.202

v5.10.203

v5.10.204

v5.10.205

v5.10.206

v5.10.207

v5.10.208

v5.10.209

v5.10.210

v5.10.211

v5.10.212

v5.10.213

v5.10.214

v5.10.3

v5.10.4

v5.10.5

v5.10.6

v5.10.7

v5.10.8

v5.10.9

v5.11.1

v5.11.10

v5.11.11

v5.11.12

v5.11.13

v5.11.14

v5.11.15

v5.11.16

v5.11.17

v5.11.18

v5.11.19

v5.11.2

v5.11.20

v5.11.21

v5.11.3

v5.11.4

v5.11.5

v5.11.6

v5.11.7

v5.11.8

v5.11.9

v5.12.1

v5.12.10

v5.12.11

v5.12.12

v5.12.13

v5.12.14

v5.12.15

v5.12.16

v5.12.17

v5.12.18

v5.12.19

v5.12.2

v5.12.3

v5.12.4

v5.12.5

v5.12.6

v5.12.7

v5.12.8

v5.12.9

v5.13.1

v5.13.10

v5.13.11

v5.13.12

v5.13.13

v5.13.14

v5.13.15

v5.13.16

v5.13.17

v5.13.18

v5.13.2

v5.13.3

v5.13.4

v5.13.5

v5.13.6

v5.13.7

v5.13.8

v5.13.9

v5.14.1

v5.14.10

v5.14.11

v5.14.12

v5.14.13

v5.14.14

v5.14.15

v5.14.16

v5.14.17

v5.14.18

v5.14.19

v5.14.2

v5.14.20

v5.14.3

v5.14.4

v5.14.5

v5.14.6

v5.14.7

v5.14.8

v5.14.9

v5.15.1

v5.15.10

v5.15.104

v5.15.105

v5.15.106

v5.15.107

v5.15.108

v5.15.109

v5.15.11

v5.15.110

v5.15.111

v5.15.112

v5.15.113

v5.15.114

v5.15.115

v5.15.116

v5.15.117

v5.15.118

v5.15.119

v5.15.12

v5.15.120

v5.15.121

v5.15.122

v5.15.123

v5.15.124

v5.15.125

v5.15.126

v5.15.127

v5.15.128

v5.15.129

v5.15.13

v5.15.130

v5.15.131

v5.15.132

v5.15.133

v5.15.134

v5.15.135

v5.15.136

v5.15.137

v5.15.138

v5.15.139

v5.15.14

v5.15.140

v5.15.141

v5.15.142

v5.15.143

v5.15.144

v5.15.145

v5.15.146

v5.15.147

v5.15.148

v5.15.149

v5.15.15

v5.15.150

v5.15.151

v5.15.152

v5.15.153

v5.15.16

v5.15.17

v5.15.18

v5.15.19

v5.15.2

v5.15.3

v5.15.4

v5.15.5

v5.15.6

v5.15.7

v5.15.8

v5.15.9

v5.16.1

v5.16.10

v5.16.11

v5.16.12

v5.16.13

v5.16.14

v5.16.15

v5.16.16

v5.16.17

v5.16.18

v5.16.19

v5.16.2

v5.16.20

v5.16.3

v5.16.4

v5.16.5

v5.16.6

v5.16.7

v5.16.8

v5.16.9

v5.17.1

v5.17.10

v5.17.11

v5.17.12

v5.17.13

v5.17.14

v5.17.2

v5.17.3

v5.17.4

v5.17.5

v5.17.6

v5.17.7

v5.17.8

v5.17.9

v5.18.1

v5.18.10

v5.18.11

v5.18.12

v5.18.13

v5.18.14

v5.18.15

v5.18.16

v5.18.17

v5.18.18

v5.18.19

v5.18.2

v5.18.3

v5.18.4

v5.18.5

v5.18.6

v5.18.7

v5.18.8

v5.18.9

v5.19.1

v5.19.10

v5.19.11

v5.19.12

v5.19.13

v5.19.14

v5.19.15

v5.19.16

v5.19.2

v5.19.3

v5.19.4

v5.19.5

v5.19.6

v5.19.7

v5.19.8

v5.19.9

v5.4.238

v5.4.239

v5.4.240

v5.4.241

v5.4.242

v5.4.243

v5.4.244

v5.4.245

v5.4.246

v5.4.247

v5.4.248

v5.4.249

v5.4.250

v5.4.251

v5.4.252

v5.4.253

v5.4.254

v5.4.255

v5.4.256

v5.4.257

v5.4.258

v5.4.259

v5.4.260

v5.4.261

v5.4.262

v5.4.263

v5.4.264

v5.4.265

v5.4.266

v5.4.267

v5.4.268

v5.4.269

v5.4.270

v5.4.271

v5.4.272

v5.4.273

v5.6.1

v5.6.10

v5.6.11

v5.6.12

v5.6.13

v5.6.14

v5.6.15

v5.6.16

v5.6.17

v5.6.18

v5.6.2

v5.6.3

v5.6.4

v5.6.5

v5.6.6

v5.6.7

v5.6.8

v5.6.9

v5.7.1

v5.7.10

v5.7.11

v5.7.12

v5.7.13

v5.7.14

v5.7.15

v5.7.16

v5.7.2

v5.7.3

v5.7.4

v5.7.5

v5.7.6

v5.7.7

v5.7.8

v5.7.9

v5.8.1

v5.8.10

v5.8.11

v5.8.12

v5.8.13

v5.8.14

v5.8.15

v5.8.16

v5.8.17

v5.8.18

v5.8.2

v5.8.3

v5.8.4

v5.8.5

v5.8.6

v5.8.7

v5.8.8

v5.8.9

v5.9.1

v5.9.10

v5.9.11

v5.9.12

v5.9.13

v5.9.14

v5.9.15

v5.9.16

v5.9.2

v5.9.3

v5.9.4

v5.9.5

v5.9.6

v5.9.7

v5.9.8

v5.9.9

v6.*

v6.0.1

v6.0.10

v6.0.11

v6.0.12

v6.0.13

v6.0.14

v6.0.15

v6.0.16

v6.0.17

v6.0.18

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.0.6

v6.0.7

v6.0.8

v6.0.9

v6.1.1

v6.1.10

v6.1.11

v6.1.12

v6.1.13

v6.1.14

v6.1.15

v6.1.2

v6.1.21

v6.1.22

v6.1.23

v6.1.24

v6.1.25

v6.1.26

v6.1.27

v6.1.28

v6.1.29

v6.1.3

v6.1.30

v6.1.31

v6.1.32

v6.1.33

v6.1.34

v6.1.35

v6.1.36

v6.1.37

v6.1.38

v6.1.39

v6.1.4

v6.1.40

v6.1.41

v6.1.42

v6.1.43

v6.1.44

v6.1.45

v6.1.46

v6.1.47

v6.1.48

v6.1.49

v6.1.5

v6.1.50

v6.1.51

v6.1.52

v6.1.53

v6.1.54

v6.1.55

v6.1.56

v6.1.57

v6.1.58

v6.1.59

v6.1.6

v6.1.60

v6.1.61

v6.1.62

v6.1.63

v6.1.64

v6.1.65

v6.1.66

v6.1.67

v6.1.68

v6.1.69

v6.1.7

v6.1.70

v6.1.71

v6.1.72

v6.1.73

v6.1.74

v6.1.75

v6.1.76

v6.1.77

v6.1.78

v6.1.79

v6.1.8

v6.1.80

v6.1.81

v6.1.82

v6.1.83

v6.1.9

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.10.1

v6.10.10

v6.10.11

v6.10.12

v6.10.13

v6.10.2

v6.10.3

v6.10.4

v6.10.5

v6.10.6

v6.10.7

v6.10.8

v6.10.9

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.11.1

v6.11.10

v6.11.11

v6.11.2

v6.11.3

v6.11.4

v6.11.5

v6.11.6

v6.11.7

v6.11.8

v6.11.9

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.2

v6.12.3

v6.12.4

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.13.1

v6.13.10

v6.13.11

v6.13.12

v6.13.2

v6.13.3

v6.13.4

v6.13.5

v6.13.6

v6.13.7

v6.13.8

v6.13.9

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.14.1

v6.14.10

v6.14.11

v6.14.2

v6.14.3

v6.14.4

v6.14.5

v6.14.6

v6.14.7

v6.14.8

v6.14.9

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.15.1

v6.15.10

v6.15.11

v6.15.2

v6.15.3

v6.15.4

v6.15.5

v6.15.6

v6.15.7

v6.15.8

v6.15.9

v6.16

v6.16-rc1

v6.16-rc2

v6.16-rc3

v6.16-rc4

v6.16-rc5

v6.16-rc6

v6.16-rc7

v6.16.1

v6.16.10

v6.16.11

v6.16.2

v6.16.3

v6.16.4

v6.16.5

v6.16.6

v6.16.7

v6.16.8

v6.16.9

v6.2.10

v6.2.11

v6.2.12

v6.2.13

v6.2.14

v6.2.15

v6.2.16

v6.2.8

v6.2.9

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.3.1

v6.3.10

v6.3.11

v6.3.12

v6.3.2

v6.3.3

v6.3.4

v6.3.5

v6.3.6

v6.3.7

v6.3.8

v6.3.9

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.4.1

v6.4.10

v6.4.11

v6.4.12

v6.4.13

v6.4.14

v6.4.15

v6.4.16

v6.4.2

v6.4.3

v6.4.4

v6.4.5

v6.4.6

v6.4.7

v6.4.8

v6.4.9

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.5.1

v6.5.10

v6.5.11

v6.5.12

v6.5.13

v6.5.2

v6.5.3

v6.5.4

v6.5.5

v6.5.6

v6.5.7

v6.5.8

v6.5.9

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.7.1

v6.7.10

v6.7.11

v6.7.2

v6.7.3

v6.7.4

v6.7.5

v6.7.6

v6.7.7

v6.7.8

v6.7.9

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.8.1

v6.8.10

v6.8.11

v6.8.2

v6.8.3

v6.8.4

v6.8.5

v6.8.6

v6.8.7

v6.8.8

v6.8.9

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

v6.9.1

v6.9.10

v6.9.11

v6.9.12

v6.9.2

v6.9.3

v6.9.4

v6.9.5

v6.9.6

v6.9.7

v6.9.8

v6.9.9

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.4.274

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.215

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.154

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.84

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.24

Type: ECOSYSTEM
Events: Introduced

6.3.0

Fixed

6.7.12

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.8.3