{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-41053","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-07-12T12:17:45.626Z","datePublished":"2024-07-29T14:32:08.958Z","dateUpdated":"2025-05-04T09:21:01.803Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:21:01.803Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix ufshcd_abort_one racing issue\n\nWhen ufshcd_abort_one is racing with the completion ISR, the completed tag\nof the request's mq_hctx pointer will be set to NULL by ISR.  Return\nsuccess when request is completed by ISR because ufshcd_abort_one does not\nneed to do anything.\n\nThe racing flow is:\n\nThread A\nufshcd_err_handler\t\t\t\t\tstep 1\n\t...\n\tufshcd_abort_one\n\t\tufshcd_try_to_abort_task\n\t\t\tufshcd_cmd_inflight(true)\tstep 3\n\t\tufshcd_mcq_req_to_hwq\n\t\t\tblk_mq_unique_tag\n\t\t\t\trq->mq_hctx->queue_num\tstep 5\n\nThread B\nufs_mtk_mcq_intr(cq complete ISR)\t\t\tstep 2\n\tscsi_done\n\t\t...\n\t\t__blk_mq_free_request\n\t\t\trq->mq_hctx = NULL;\t\tstep 4\n\nBelow is KE back trace.\n  ufshcd_try_to_abort_task: cmd at tag 41 not pending in the device.\n  ufshcd_try_to_abort_task: cmd at tag=41 is cleared.\n  Aborting tag 41 / CDB 0x28 succeeded\n  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194\n  pc : [0xffffffddd7a79bf8] blk_mq_unique_tag+0x8/0x14\n  lr : [0xffffffddd6155b84] ufshcd_mcq_req_to_hwq+0x1c/0x40 [ufs_mediatek_mod_ise]\n   do_mem_abort+0x58/0x118\n   el1_abort+0x3c/0x5c\n   el1h_64_sync_handler+0x54/0x90\n   el1h_64_sync+0x68/0x6c\n   blk_mq_unique_tag+0x8/0x14\n   ufshcd_err_handler+0xae4/0xfa8 [ufs_mediatek_mod_ise]\n   process_one_work+0x208/0x4fc\n   worker_thread+0x228/0x438\n   kthread+0x104/0x1d4\n   ret_from_fork+0x10/0x20"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/ufs/core/ufshcd.c"],"versions":[{"version":"ff7699d3620763b0dfe2ff93df4528880bf903a8","lessThan":"c3111b3cf3889bfa7b73ebff83d7397db9b7e5e0","status":"affected","versionType":"git"},{"version":"93e6c0e19d5bb12b49534a411c85e21d333731fa","lessThan":"b5a6ac887256762758bfe7f2918cb0233aa544f4","status":"affected","versionType":"git"},{"version":"93e6c0e19d5bb12b49534a411c85e21d333731fa","lessThan":"74736103fb4123c71bf11fb7a6abe7c884c5269e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/ufs/core/ufshcd.c"],"versions":[{"version":"6.7","status":"affected"},{"version":"0","lessThan":"6.7","status":"unaffected","versionType":"semver"},{"version":"6.6.41","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.9.10","lessThanOrEqual":"6.9.*","status":"unaffected","versionType":"semver"},{"version":"6.10","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.5","versionEndExcluding":"6.6.41"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.9.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.10"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/c3111b3cf3889bfa7b73ebff83d7397db9b7e5e0"},{"url":"https://git.kernel.org/stable/c/b5a6ac887256762758bfe7f2918cb0233aa544f4"},{"url":"https://git.kernel.org/stable/c/74736103fb4123c71bf11fb7a6abe7c884c5269e"}],"title":"scsi: ufs: core: Fix ufshcd_abort_one racing issue","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T04:46:52.306Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/c3111b3cf3889bfa7b73ebff83d7397db9b7e5e0","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/b5a6ac887256762758bfe7f2918cb0233aa544f4","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/74736103fb4123c71bf11fb7a6abe7c884c5269e","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-41053","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T16:22:35.119070Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-11T17:33:01.661Z"}}]}}