In the Linux kernel, the following vulnerability has been resolved:
nvme-rdma: unquiesce admin_q before destroy it
Kernel will hang on destroy admin_q while we create ctrl failed, such as following calltrace:
PID: 23644 TASK: ff2d52b40f439fc0 CPU: 2 COMMAND: "nvme" #0 [ff61d23de260fb78] _schedule at ffffffff8323bc15 #1 [ff61d23de260fc08] schedule at ffffffff8323c014 #2 [ff61d23de260fc28] blkmqfreezequeuewait at ffffffff82a3dba1 #3 [ff61d23de260fc78] blkfreezequeue at ffffffff82a4113a #4 [ff61d23de260fc90] blkcleanupqueue at ffffffff82a33006 #5 [ff61d23de260fcb0] nvmerdmadestroyadminqueue at ffffffffc12686ce #6 [ff61d23de260fcc8] nvmerdmasetupctrl at ffffffffc1268ced #7 [ff61d23de260fd28] nvmerdmacreatectrl at ffffffffc126919b #8 [ff61d23de260fd68] nvmfdevwrite at ffffffffc024f362 #9 [ff61d23de260fe38] vfswrite at ffffffff827d5f25 RIP: 00007fda7891d574 RSP: 00007ffe2ef06958 RFLAGS: 00000202 RAX: ffffffffffffffda RBX: 000055e8122a4d90 RCX: 00007fda7891d574 RDX: 000000000000012b RSI: 000055e8122a4d90 RDI: 0000000000000004 RBP: 00007ffe2ef079c0 R8: 000000000000012b R9: 000055e8122a4d90 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000004 R13: 000055e8122923c0 R14: 000000000000012b R15: 00007fda78a54500 ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b
This due to we have quiesced admiq before cancel requests, but forgot to unquiesce before destroy it, as a result we fail to drain the pending requests, and hang on blkmqfreezequeuewait() forever. Here try to reuse nvmerdmateardownadmin_queue() to fix this issue and simplify the code.
[
{
"digest": {
"line_hashes": [
"146814282364145601650650211297588045674",
"105228410165773007554768253305606381408",
"63567145312735213693589692914867376742",
"314214907498335592041846211634379227249",
"81873352513006141969461648521052643157",
"321632838082792879795391298775582121588",
"141604397874075509973358444735098391992",
"149051314173745578859037203680719714144",
"158894099469284245175450151396229753267",
"29584055636602941517066831280901323330"
],
"threshold": 0.9
},
"id": "CVE-2024-49569-38d0f18a",
"target": {
"file": "drivers/nvme/host/rdma.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@05b436f3cf65c957eff86c5ea5ddfa2604b32c63",
"signature_type": "Line"
},
{
"digest": {
"line_hashes": [
"205108826528673800170863499508206992237",
"258441064696641714948822841079796546884",
"250189318534476924154802756225535074039",
"314214907498335592041846211634379227249",
"81873352513006141969461648521052643157",
"321632838082792879795391298775582121588",
"141604397874075509973358444735098391992",
"149051314173745578859037203680719714144",
"158894099469284245175450151396229753267",
"29584055636602941517066831280901323330"
],
"threshold": 0.9
},
"id": "CVE-2024-49569-7ff1e27c",
"target": {
"file": "drivers/nvme/host/rdma.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@427036030f4d796533dcadba9b845896cb6c10a7",
"signature_type": "Line"
},
{
"digest": {
"line_hashes": [
"146814282364145601650650211297588045674",
"105228410165773007554768253305606381408",
"63567145312735213693589692914867376742",
"314214907498335592041846211634379227249",
"81873352513006141969461648521052643157",
"321632838082792879795391298775582121588",
"141604397874075509973358444735098391992",
"149051314173745578859037203680719714144",
"158894099469284245175450151396229753267",
"29584055636602941517066831280901323330"
],
"threshold": 0.9
},
"id": "CVE-2024-49569-f0f0de90",
"target": {
"file": "drivers/nvme/host/rdma.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5858b687559809f05393af745cbadf06dee61295",
"signature_type": "Line"
}
]