CVE-2021-47041
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 28/02/2024
Last modified: 06/12/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: fix incorrect locking in state_change sk callback

We are not changing anything in the TCP connection state so
we should not take a write_lock but rather a read lock.

This caused a deadlock when running nvmet-tcp and nvme-tcp
on the same system, where state_change callbacks on the
host and on the controller side have a causal relationship
and made lockdep report on this with blktests:

```text
================================
WARNING: inconsistent lock state
5.12.0-rc3 #1 Tainted: G I
--------------------------------
inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-R} usage.
nvme/1324 [HC0[0]:SC0[0]:HE1:SE1] takes:
ffff888363151000 (clock-AF_INET){++-?}-{2:2}, at: nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
{IN-SOFTIRQ-W} state was registered at:
__lock_acquire+0x79b/0x18d0
lock_acquire+0x1ca/0x480
_raw_write_lock_bh+0x39/0x80
nvmet_tcp_state_change+0x21/0x170 [nvmet_tcp]
tcp_fin+0x2a8/0x780
tcp_data_queue+0xf94/0x1f20
tcp_rcv_established+0x6ba/0x1f00
tcp_v4_do_rcv+0x502/0x760
tcp_v4_rcv+0x257e/0x3430
ip_protocol_deliver_rcu+0x69/0x6a0
ip_local_deliver_finish+0x1e2/0x2f0
ip_local_deliver+0x1a2/0x420
ip_rcv+0x4fb/0x6b0
__netif_receive_skb_one_core+0x162/0x1b0
process_backlog+0x1ff/0x770
__napi_poll.constprop.0+0xa9/0x5c0
net_rx_action+0x7b3/0xb30
__do_softirq+0x1f0/0x940
do_softirq+0xa1/0xd0
__local_bh_enable_ip+0xd8/0x100
ip_finish_output2+0x6b7/0x18a0
__ip_queue_xmit+0x706/0x1aa0
__tcp_transmit_skb+0x2068/0x2e20
tcp_write_xmit+0xc9e/0x2bb0
__tcp_push_pending_frames+0x92/0x310
inet_shutdown+0x158/0x300
__nvme_tcp_stop_queue+0x36/0x270 [nvme_tcp]
nvme_tcp_stop_queue+0x87/0xb0 [nvme_tcp]
nvme_tcp_teardown_admin_queue+0x69/0xe0 [nvme_tcp]
nvme_do_delete_ctrl+0x100/0x10c [nvme_core]
nvme_sysfs_delete.cold+0x8/0xd [nvme_core]
kernfs_fop_write_iter+0x2c7/0x460
new_sync_write+0x36c/0x610
vfs_write+0x5c0/0x870
ksys_write+0xf9/0x1d0
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xae
irq event stamp: 10687
hardirqs last enabled at (10687): [] _raw_spin_unlock_irqrestore+0x2d/0x40
hardirqs last disabled at (10686): [] _raw_spin_lock_irqsave+0x68/0x90
softirqs last enabled at (10684): [] __do_softirq+0x608/0x940
softirqs last disabled at (10649): [] do_softirq+0xa1/0xd0

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(clock-AF_INET);

lock(clock-AF_INET);

*** DEADLOCK ***

5 locks held by nvme/1324:
#0: ffff8884a01fe470 (sb_writers#4){.+.+}-{0:0}, at: ksys_write+0xf9/0x1d0
#1: ffff8886e435c090 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x216/0x460
#2: ffff888104d90c38 (kn->active#255){++++}-{0:0}, at: kernfs_remove_self+0x22d/0x330
#3: ffff8884634538d0 (&queue->queue_lock){+.+.}-{3:3}, at: nvme_tcp_stop_queue+0x52/0xb0 [nvme_tcp]
#4: ffff888363150d30 (sk_lock-AF_INET){+.+.}-{0:0}, at: inet_shutdown+0x59/0x300

stack backtrace:
CPU: 26 PID: 1324 Comm: nvme Tainted: G I 5.12.0-rc3 #1
Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.10.0 11/12/2020
Call Trace:
dump_stack+0x93/0xc2
mark_lock_irq.cold+0x2c/0xb3
? verify_lock_unused+0x390/0x390
? stack_trace_consume_entry+0x160/0x160
? lock_downgrade+0x100/0x100
? save_trace+0x88/0x5e0
? _raw_spin_unlock_irqrestore+0x2d/0x40
mark_lock+0x530/0x1470
? mark_lock_irq+0x1d10/0x1d10
? enqueue_timer+0x660/0x660
mark_usage+0x215/0x2a0
__lock_acquire+0x79b/0x18d0
? tcp_schedule_loss_probe.part.0+0x38c/0x520
lock_acquire+0x1ca/0x480
? nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
? rcu_read_unlock+0x40/0x40
? tcp_mtu_probe+0x1ae0/0x1ae0
? kmalloc_reserve+0xa0/0xa0
? sysfs_file_ops+0x170/0x170
_raw_read_lock+0x3d/0xa0
? nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
? sysfs_file_ops
---truncated---
```
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.0 (including) | 5.4.119 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.37 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.11.21 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.12 (including) | 5.12.4 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/06beaa1a9f6e501213195e47c30416032fd2bbd5
- https://git.kernel.org/stable/c/60ade0d56b06537a28884745059b3801c78e03bc
- https://git.kernel.org/stable/c/906c538340dde6d891df89fe7dac8eaa724e40da
- https://git.kernel.org/stable/c/999d606a820c36ae9b9e9611360c8b3d8d4bb777
- https://git.kernel.org/stable/c/b5332a9f3f3d884a1b646ce155e664cc558c1722