CVE-2024-43855

EUVD-2024-40505

17.08.2024, 10:15

In the Linux kernel, the following vulnerability has been resolved:

md: fix deadlock between mddev_suspend and flush bio

Deadlock occurs when mddev is being suspended while some flush bio is in
progress. It is a complex issue.

T1. the first flush is at the ending stage, it clears 'mddev->flush_bio'
    and tries to submit data, but is blocked because mddev is suspended
    by T4.
T2. the second flush sets 'mddev->flush_bio', and attempts to queue
    md_submit_flush_data(), which is already running (T1) and won't
    execute again if on the same CPU as T1.
T3. the third flush inc active_io and tries to flush, but is blocked because
    'mddev->flush_bio' is not NULL (set by T2).
T4. mddev_suspend() is called and waits for active_io dec to 0 which is inc
    by T3.

  T1		T2		T3		T4
  (flush 1)	(flush 2)	(third 3)	(suspend)
  md_submit_flush_data
   mddev->flush_bio = NULL;
   .
   .	 	md_flush_request
   .	  	 mddev->flush_bio = bio
   .	  	 queue submit_flushes
   .		 .
   .		 .		md_handle_request
   .		 .		 active_io + 1
   .		 .		 md_flush_request
   .		 .		  wait !mddev->flush_bio
   .		 .
   .		 .				mddev_suspend
   .		 .				 wait !active_io
   .		 .
   .		 submit_flushes
   .		 queue_work md_submit_flush_data
   .		 //md_submit_flush_data is already running (T1)
   .
   md_handle_request
    wait resume

The root issue is non-atomic inc/dec of active_io during flush process.
active_io is dec before md_submit_flush_data is queued, and inc soon
after md_submit_flush_data() run.
  md_flush_request
    active_io + 1
    submit_flushes
      active_io - 1
      md_submit_flush_data
        md_handle_request
        active_io + 1
          make_request
        active_io - 1

If active_io is dec after md_handle_request() instead of within
submit_flushes(), make_request() can be called directly intead of
md_handle_request() in md_submit_flush_data(), and active_io will
only inc and dec once in the whole flush process. Deadlock will be
fixed.

Additionally, the only difference between fixing the issue and before is
that there is no return error handling of make_request(). But after
previous patch cleaned md_write_start(), make_requst() only return error
in raid5_make_request() by dm-raid, see commit 41425f96d7aa ("dm-raid456,
md/raid456: fix a deadlock for dm-raid456 while io concurrent with
reshape)". Since dm always splits data and flush operation into two
separate io, io size of flush submitted by dm always is 0, make_request()
will not be called in md_submit_flush_data(). To prevent future
modifications from introducing issues, add WARN_ON to ensure
make_request() no error is returned in this context.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	𝑥 < 6.1.103
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.44
linux	linux_kernel	6.7 ≤ 𝑥 < 6.10.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.148-1 fixed
bookworm (security)	6.1.158-1 fixed
bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.247-1 fixed
forky	6.17.13-1 fixed
sid	6.17.13-1 fixed
trixie	6.12.57-1 fixed
trixie (security)	6.12.48-1 fixed

linux-6.1

bullseye (security)

6.1.158-1~deb11u1

fixed

Ubuntu Releases

Ubuntu Product

Codename

linux-hwe

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	not-affected

linux-hwe-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-5.8

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-5.11

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-5.13

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-6.8

bionic	dne
focal	dne
jammy	Fixed 6.8.0-48.48~22.04.1 released
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-edge

bionic	not-affected
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	ignored

linux-lts-xenial

bionic	dne
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	not-affected
xenial	dne

linux-kvm

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	not-affected

linux-allwinner-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.8

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.11

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.13

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-hwe

bionic	dne
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	not-affected

linux-azure

bionic	ignored
focal	not-affected
jammy	not-affected
noble	Fixed 6.8.0-1017.20 released
oracular	not-affected
trusty	not-affected
xenial	not-affected

linux-azure-4.15

bionic	not-affected
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-5.8

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-5.11

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-5.13

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-fde

bionic	dne
focal	ignored
jammy	not-affected
noble	not-affected
oracular	dne
trusty	dne
xenial	dne

linux-azure-fde-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-fde-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-fde-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-bluefield

bionic	dne
focal	not-affected
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-edge

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	not-affected

linux-aws-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp

bionic	ignored
focal	not-affected
jammy	not-affected
noble	Fixed 6.8.0-1017.19 released
oracular	not-affected
trusty	dne
xenial	not-affected

linux-gcp-4.15

bionic	not-affected
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-5.8

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-5.11

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-5.13

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gke

bionic	dne
focal	ignored
jammy	not-affected
noble	Fixed 6.8.0-1013.17 released
oracular	dne
trusty	dne
xenial	ignored

linux-gke-4.15

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gke-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gke-5.15

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gkeop-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gkeop-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-ibm-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-ibm-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-intel-5.13

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-intel-iotg

bionic	dne
focal	dne
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gkeop

bionic	dne
focal	not-affected
jammy	not-affected
noble	Fixed 6.8.0-1002.4 released
oracular	dne
trusty	dne
xenial	dne

linux-intel-iotg-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-iot

bionic	dne
focal	not-affected
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-lowlatency

bionic	dne
focal	dne
jammy	not-affected
noble	Fixed 6.8.0-48.48.3 released
oracular	not-affected
trusty	dne
xenial	dne

linux-lowlatency-hwe-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-lowlatency-hwe-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-lowlatency-hwe-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-lowlatency-hwe-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-lowlatency-hwe-6.8

bionic	dne
focal	dne
jammy	Fixed 6.8.0-48.48.3~22.04.1 released
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-nvidia

bionic	dne
focal	dne
jammy	not-affected
noble	Fixed 6.8.0-1017.19 released
oracular	dne
trusty	dne
xenial	dne

linux-nvidia-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-nvidia-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-nvidia-6.8

bionic	dne
focal	dne
jammy	Fixed 6.8.0-1017.19~22.04.1 released
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-nvidia-lowlatency

bionic	dne
focal	dne
jammy	dne
noble	Fixed 6.8.0-1017.19.1 released
oracular	dne
trusty	dne
xenial	dne

linux-oracle-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-5.8

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-5.11

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-5.13

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	ignored

linux-oem-5.6

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-5.10

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-5.13

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-5.14

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-5.17

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-6.0

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-6.1

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-6.8

bionic	dne
focal	dne
jammy	dne
noble	Fixed 6.8.0-1016.16 released
oracular	dne
trusty	dne
xenial	dne

linux-raspi2

bionic	ignored
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	ignored

linux-raspi-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-riscv

bionic	dne
focal	ignored
jammy	ignored
noble	Fixed 6.8.0-48.48.1 released
oracular	not-affected
trusty	dne
xenial	dne

linux-riscv-5.8

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-riscv-5.11

bionic	dne
focal	ignored
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-riscv-5.15

bionic	dne
focal	not-affected
jammy	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-riscv-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-riscv-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-riscv-6.8

bionic	dne
focal	dne
jammy	Fixed 6.8.0-48.48.1~22.04.2 released
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-starfive-5.19

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-starfive-6.2

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-starfive-6.5

bionic	dne
focal	dne
jammy	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-xilinx-zynqmp

bionic	dne
focal	not-affected
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	Fixed 6.8.0-48.48 released
oracular	not-affected
trusty	not-affected
xenial	not-affected

linux-aws

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	Fixed 6.8.0-1018.20 released
oracular	not-affected
trusty	not-affected
xenial	not-affected

linux-ibm

bionic	dne
focal	not-affected
jammy	not-affected
noble	Fixed 6.8.0-1015.15 released
oracular	dne
trusty	dne
xenial	dne

linux-oracle

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	Fixed 6.8.0-1015.16 released
oracular	not-affected
trusty	dne
xenial	not-affected

linux-raspi

bionic	dne
focal	not-affected
jammy	not-affected
noble	Fixed 6.8.0-1014.16 released
oracular	not-affected
trusty	dne
xenial	dne

linux-intel

bionic	dne
focal	dne
jammy	dne
noble	not-affected
oracular	dne
trusty	dne
xenial	dne

linux-intel-iot-realtime

bionic	dne
focal	dne
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-raspi-realtime

bionic	dne
focal	dne
jammy	dne
noble	Fixed 6.8.0-2013.14 released
oracular	dne
trusty	dne
xenial	dne

linux-realtime

bionic	dne
focal	dne
jammy	not-affected
noble	Fixed 6.8.1-1011.11 released
oracular	not-affected
trusty	dne
xenial	dne

linux-aws-6.8

bionic	dne
focal	dne
jammy	Fixed 6.8.0-1018.19~22.04.1 released
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-6.8

bionic	dne
focal	dne
jammy	Fixed 6.8.0-1017.19~22.04.1 released
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-6.8

bionic	dne
focal	dne
jammy	Fixed 6.8.0-1015.15~22.04.1 released
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-6.8

bionic	dne
focal	dne
jammy	Fixed 6.8.0-1017.20~22.04.1 released
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-6.11

bionic	dne
focal	dne
jammy	dne
noble	not-affected
oracular	dne
trusty	dne
xenial	dne

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://git.kernel.org/stable/c/2d0738a8322bf4e5bfe693d16b3111928a9ccfbf

https://git.kernel.org/stable/c/32226070813140234b6c507084738e8e8385c5c6

https://git.kernel.org/stable/c/611d5cbc0b35a752e657a83eebadf40d814d006b

https://git.kernel.org/stable/c/ca963eefbc3331222b6121baa696d49ba2008811

https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html