CVE-2024-27435
nvme: fix reconnection fail due to reserved tag allocation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved: nvme: fix reconnection fail due to reserved tag allocation We found a issue on production environment while using NVMe over RDMA,
admin_q reconnect failed forever while remote target and network is ok.
After dig into it, we found it may caused by a ABBA deadlock due to tag
allocation. In my case, the tag was hold by a keep alive request
waiting inside admin_q, as we quiesced admin_q while reset ctrl, so the
request maked as idle and will not process before reset success. As
fabric_q shares tagset with admin_q, while reconnect remote target, we
need a tag for connect command, but the only one reserved tag was held
by keep alive command which waiting inside admin_q. As a result, we
failed to reconnect admin_q forever. In order to fix this issue, I
think we should keep two reserved tags for admin queue.
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: nvme: se corrigió el error de reconexión debido a la asignación de etiquetas reservadas. Encontramos un problema en el entorno de producción al usar NVMe sobre RDMA, la reconexión de admin_q falló para siempre mientras el objetivo remoto y la red están bien. Después de investigarlo, descubrimos que puede deberse a un punto muerto de ABBA debido a la asignación de etiquetas. En mi caso, la etiqueta estaba retenida por una solicitud de mantenimiento en espera dentro de admin_q, ya que desactivamos admin_q mientras reiniciamos Ctrl, por lo que la solicitud se realizó como inactiva y no se procesará antes de que el reinicio se realice correctamente. Como fabric_q comparte el conjunto de etiquetas con admin_q, mientras reconectamos el objetivo remoto, necesitamos una etiqueta para el comando de conexión, pero la única etiqueta reservada estaba mantenida por el comando Keep Alive que esperaba dentro de admin_q. Como resultado, no pudimos volver a conectar admin_q para siempre. Para solucionar este problema, creo que deberíamos mantener dos etiquetas reservadas para la cola de administración.
In the Linux kernel, the following vulnerability has been resolved: nvme: fix reconnection fail due to reserved tag allocation We found a issue on production environment while using NVMe over RDMA, admin_q reconnect failed forever while remote target and network is ok. After dig into it, we found it may caused by a ABBA deadlock due to tag allocation. In my case, the tag was hold by a keep alive request waiting inside admin_q, as we quiesced admin_q while reset ctrl, so the request maked as idle and will not process before reset success. As fabric_q shares tagset with admin_q, while reconnect remote target, we need a tag for connect command, but the only one reserved tag was held by keep alive command which waiting inside admin_q. As a result, we failed to reconnect admin_q forever. In order to fix this issue, I think we should keep two reserved tags for admin queue.
Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use- after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-25 CVE Reserved
- 2024-05-17 CVE Published
- 2024-12-19 CVE Updated
- 2025-03-18 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/ed01fee283a067c72b2d6500046080dbc1bb9dae | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-27435 | 2024-07-17 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2281131 | 2024-07-17 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.12 < 6.1.83 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.12 < 6.1.83" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.12 < 6.6.23 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.12 < 6.6.23" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.12 < 6.7.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.12 < 6.7.11" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.12 < 6.8.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.12 < 6.8.2" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.12 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.12 < 6.9" | en |
Affected
| ||||||