In the Linux kernel, the following vulnerability has been resolved:
nvme-rdma: unquiesce admin_q before destroy it
Kernel will hang on destroy admin_q while we create ctrl failed, such as following calltrace:
PID: 23644 TASK: ff2d52b40f439fc0 CPU: 2 COMMAND: "nvme" #0 [ff61d23de260fb78] _schedule at ffffffff8323bc15 #1 [ff61d23de260fc08] schedule at ffffffff8323c014 #2 [ff61d23de260fc28] blkmqfreezequeuewait at ffffffff82a3dba1 #3 [ff61d23de260fc78] blkfreezequeue at ffffffff82a4113a #4 [ff61d23de260fc90] blkcleanupqueue at ffffffff82a33006 #5 [ff61d23de260fcb0] nvmerdmadestroyadminqueue at ffffffffc12686ce #6 [ff61d23de260fcc8] nvmerdmasetupctrl at ffffffffc1268ced #7 [ff61d23de260fd28] nvmerdmacreatectrl at ffffffffc126919b #8 [ff61d23de260fd68] nvmfdevwrite at ffffffffc024f362 #9 [ff61d23de260fe38] vfswrite at ffffffff827d5f25 RIP: 00007fda7891d574 RSP: 00007ffe2ef06958 RFLAGS: 00000202 RAX: ffffffffffffffda RBX: 000055e8122a4d90 RCX: 00007fda7891d574 RDX: 000000000000012b RSI: 000055e8122a4d90 RDI: 0000000000000004 RBP: 00007ffe2ef079c0 R8: 000000000000012b R9: 000055e8122a4d90 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000004 R13: 000055e8122923c0 R14: 000000000000012b R15: 00007fda78a54500 ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b
This due to we have quiesced admiq before cancel requests, but forgot to unquiesce before destroy it, as a result we fail to drain the pending requests, and hang on blkmqfreezequeuewait() forever. Here try to reuse nvmerdmateardownadmin_queue() to fix this issue and simplify the code.
[ { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@05b436f3cf65c957eff86c5ea5ddfa2604b32c63", "deprecated": false, "digest": { "line_hashes": [ "146814282364145601650650211297588045674", "105228410165773007554768253305606381408", "63567145312735213693589692914867376742", "314214907498335592041846211634379227249", "81873352513006141969461648521052643157", "321632838082792879795391298775582121588", "141604397874075509973358444735098391992", "149051314173745578859037203680719714144", "158894099469284245175450151396229753267", "29584055636602941517066831280901323330" ], "threshold": 0.9 }, "target": { "file": "drivers/nvme/host/rdma.c" }, "id": "CVE-2024-49569-38d0f18a", "signature_type": "Line", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@427036030f4d796533dcadba9b845896cb6c10a7", "deprecated": false, "digest": { "line_hashes": [ "205108826528673800170863499508206992237", "258441064696641714948822841079796546884", "250189318534476924154802756225535074039", "314214907498335592041846211634379227249", "81873352513006141969461648521052643157", "321632838082792879795391298775582121588", "141604397874075509973358444735098391992", "149051314173745578859037203680719714144", "158894099469284245175450151396229753267", "29584055636602941517066831280901323330" ], "threshold": 0.9 }, "target": { "file": "drivers/nvme/host/rdma.c" }, "id": "CVE-2024-49569-7ff1e27c", "signature_type": "Line", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5858b687559809f05393af745cbadf06dee61295", "deprecated": false, "digest": { "line_hashes": [ "146814282364145601650650211297588045674", "105228410165773007554768253305606381408", "63567145312735213693589692914867376742", "314214907498335592041846211634379227249", "81873352513006141969461648521052643157", "321632838082792879795391298775582121588", "141604397874075509973358444735098391992", "149051314173745578859037203680719714144", "158894099469284245175450151396229753267", "29584055636602941517066831280901323330" ], "threshold": 0.9 }, "target": { "file": "drivers/nvme/host/rdma.c" }, "id": "CVE-2024-49569-f0f0de90", "signature_type": "Line", "signature_version": "v1" } ]