CVE-2024-26627

scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler

Inside scsi_eh_wakeup(), scsi_host_busy() is called & checked with host
lock every time for deciding if error handler kthread needs to be waken up.

This can be too heavy in case of recovery, such as:

- N hardware queues

- queue depth is M for each hardware queue

- each scsi_host_busy() iterates over (N * M) tag/requests

If recovery is triggered in case that all requests are in-flight, each
scsi_eh_wakeup() is strictly serialized, when scsi_eh_wakeup() is called
for the last in-flight request, scsi_host_busy() has been run for (N * M -
1) times, and request has been iterated for (N*M - 1) * (N * M) times.

If both N and M are big enough, hard lockup can be triggered on acquiring
host lock, and it is observed on mpi3mr(128 hw queues, queue depth 8169).

Fix the issue by calling scsi_host_busy() outside the host lock. We don't
need the host lock for getting busy count because host the lock never
covers that.

[mkp: Drop unnecessary 'busy' variables pointed out by Bart]

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: core: Saque scsi_host_busy() del bloqueo del host para activar el controlador EH Dentro de scsi_eh_wakeup(), se llama a scsi_host_busy() y se verifica con el bloqueo del host cada vez para decidir si se produce un error. Es necesario activar el controlador kthread. Esto puede ser demasiado pesado en caso de recuperación, como por ejemplo: - N colas de hardware - la profundidad de la cola es M para cada cola de hardware - cada scsi_host_busy() itera sobre (N * M) etiquetas/solicitudes Si la recuperación se activa en caso de que todas las solicitudes están en curso, cada scsi_eh_wakeup() está estrictamente serializado, cuando se llama a scsi_eh_wakeup() para la última solicitud en curso, scsi_host_busy() se ha ejecutado (N * M - 1) veces y la solicitud se ha iterado durante ( N*M - 1) * (N * M) veces. Si tanto N como M son lo suficientemente grandes, se puede activar un bloqueo duro al adquirir el bloqueo del host, y se observa en mpi3mr (128 colas hw, profundidad de cola 8169). Solucione el problema llamando a scsi_host_busy() fuera del bloqueo del host. No necesitamos el bloqueo del host para obtener el recuento de ocupación porque el bloqueo del host nunca cubre eso. [mkp: elimine las variables 'ocupadas' innecesarias señaladas por Bart]

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-03-06 CVE Published
2024-03-06 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/6eb045e092efefafc6687409a6fa6d1dabf0fb69	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/f5944853f7a961fedc1227dc8f60393f8936d37c	2024-02-23
https://git.kernel.org/stable/c/d37c1c81419fdef66ebd0747cf76fb8b7d979059	2024-02-23
https://git.kernel.org/stable/c/db6338f45971b4285ea368432a84033690eaf53c	2024-02-05
https://git.kernel.org/stable/c/65ead8468c21c2676d4d06f50b46beffdea69df1	2024-02-05
https://git.kernel.org/stable/c/07e3ca0f17f579491b5f54e9ed05173d6c1d6fcb	2024-02-05
https://git.kernel.org/stable/c/4373534a9850627a2695317944898eb1283a2db0	2024-01-24

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.5 < 5.10.210 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.10.210"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.5 < 5.15.149 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.15.149"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.5 < 6.1.77 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 6.1.77"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.5 < 6.6.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 6.6.16"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.5 < 6.7.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 6.7.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.5 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 6.8"		en		Affected