CVE-2021-47178
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/03/2024
Last modified:
17/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
scsi: target: core: Avoid smp_processor_id() in preemptible code<br />
<br />
The BUG message "BUG: using smp_processor_id() in preemptible [00000000]<br />
code" was observed for TCMU devices with kernel config DEBUG_PREEMPT.<br />
<br />
The message was observed when blktests block/005 was run on TCMU devices<br />
with fileio backend or user:zbc backend [1]. The commit 1130b499b4a7<br />
("scsi: target: tcm_loop: Use LIO wq cmd submission helper") triggered the<br />
symptom. The commit modified work queue to handle commands and changed<br />
&#39;current->nr_cpu_allowed&#39; at smp_processor_id() call.<br />
<br />
The message was also observed at system shutdown when TCMU devices were not<br />
cleaned up [2]. The function smp_processor_id() was called in SCSI host<br />
work queue for abort handling, and triggered the BUG message. This symptom<br />
was observed regardless of the commit 1130b499b4a7 ("scsi: target:<br />
tcm_loop: Use LIO wq cmd submission helper").<br />
<br />
To avoid the preemptible code check at smp_processor_id(), get CPU ID with<br />
raw_smp_processor_id() instead. The CPU ID is used for performance<br />
improvement then thread move to other CPU will not affect the code.<br />
<br />
[1]<br />
<br />
[ 56.468103] run blktests block/005 at 2021-05-12 14:16:38<br />
[ 57.369473] check_preemption_disabled: 85 callbacks suppressed<br />
[ 57.369480] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1511<br />
[ 57.369506] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1510<br />
[ 57.369512] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1506<br />
[ 57.369552] caller is __target_init_cmd+0x157/0x170 [target_core_mod]<br />
[ 57.369606] CPU: 4 PID: 1506 Comm: fio Not tainted 5.13.0-rc1+ #34<br />
[ 57.369613] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018<br />
[ 57.369617] Call Trace:<br />
[ 57.369621] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1507<br />
[ 57.369628] dump_stack+0x6d/0x89<br />
[ 57.369642] check_preemption_disabled+0xc8/0xd0<br />
[ 57.369628] caller is __target_init_cmd+0x157/0x170 [target_core_mod]<br />
[ 57.369655] __target_init_cmd+0x157/0x170 [target_core_mod]<br />
[ 57.369695] target_init_cmd+0x76/0x90 [target_core_mod]<br />
[ 57.369732] tcm_loop_queuecommand+0x109/0x210 [tcm_loop]<br />
[ 57.369744] scsi_queue_rq+0x38e/0xc40<br />
[ 57.369761] __blk_mq_try_issue_directly+0x109/0x1c0<br />
[ 57.369779] blk_mq_try_issue_directly+0x43/0x90<br />
[ 57.369790] blk_mq_submit_bio+0x4e5/0x5d0<br />
[ 57.369812] submit_bio_noacct+0x46e/0x4e0<br />
[ 57.369830] __blkdev_direct_IO_simple+0x1a3/0x2d0<br />
[ 57.369859] ? set_init_blocksize.isra.0+0x60/0x60<br />
[ 57.369880] generic_file_read_iter+0x89/0x160<br />
[ 57.369898] blkdev_read_iter+0x44/0x60<br />
[ 57.369906] new_sync_read+0x102/0x170<br />
[ 57.369929] vfs_read+0xd4/0x160<br />
[ 57.369941] __x64_sys_pread64+0x6e/0xa0<br />
[ 57.369946] ? lockdep_hardirqs_on+0x79/0x100<br />
[ 57.369958] do_syscall_64+0x3a/0x70<br />
[ 57.369965] entry_SYSCALL_64_after_hwframe+0x44/0xae<br />
[ 57.369973] RIP: 0033:0x7f7ed4c1399f<br />
[ 57.369979] Code: 08 89 3c 24 48 89 4c 24 18 e8 7d f3 ff ff 4c 8b 54 24 18 48 8b 54 24 10 41 89 c0 48 8b 74 24 08 8b 3c 24 b8 11 00 00 00 0f 05 3d 00 f0 ff ff 77 31 44 89 c7 48 89 04 24 e8 cd f3 ff ff 48 8b<br />
[ 57.369983] RSP: 002b:00007ffd7918c580 EFLAGS: 00000293 ORIG_RAX: 0000000000000011<br />
[ 57.369990] RAX: ffffffffffffffda RBX: 00000000015b4540 RCX: 00007f7ed4c1399f<br />
[ 57.369993] RDX: 0000000000001000 RSI: 00000000015de000 RDI: 0000000000000009<br />
[ 57.369996] RBP: 00000000015b4540 R08: 0000000000000000 R09: 0000000000000001<br />
[ 57.369999] R10: 0000000000e5c000 R11: 0000000000000293 R12: 00007f7eb5269a70<br />
[ 57.370002] R13: 0000000000000000 R14: 0000000000001000 R15: 00000000015b4568<br />
[ 57.370031] CPU: 7 PID: 1507 Comm: fio Not tainted 5.13.0-rc1+ #34<br />
[ 57.370036] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018<br />
[ 57.370039] Call Trace:<br />
[ 57.370045] dump_stack+0x6d/0x89<br />
[ 57.370056] ch<br />
---truncated---
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.12.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/70ca3c57ff914113f681e657634f7fbfa68e1ad1
- https://git.kernel.org/stable/c/a20b6eaf4f35046a429cde57bee7eb5f13d6857f
- https://git.kernel.org/stable/c/a222d2794c53f8165de20aa91b39e35e4b72bce9
- https://git.kernel.org/stable/c/70ca3c57ff914113f681e657634f7fbfa68e1ad1
- https://git.kernel.org/stable/c/a20b6eaf4f35046a429cde57bee7eb5f13d6857f
- https://git.kernel.org/stable/c/a222d2794c53f8165de20aa91b39e35e4b72bce9