CVE-2024-26671

一、漏洞信息
漏洞编号：CVE-2024-26671
漏洞归属组件：kernel
漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0
CVSS V2.0分值：
BaseScore：0.0 Low
Vector：CVSS：2.0/
漏洞简述：
In the Linux kernel, the following vulnerability has been resolved:blk-mq: fix IO hang from sbitmap wakeup raceIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-orderedwith the following blk_mq_get_driver_tag() in case of getting drivertag failure.Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observethe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantimeblk_mq_mark_tag_wait() can t get driver tag successfully.This issue can be reproduced by running the following test in loop, andfio hang can be observed in < 30min when running it on my test VMin laptop. modprobe -r scsi_debug modprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4 dev=ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename fio --filename=/dev/ $dev --direct=1 --rw=randrw --bs=4k --iodepth=1 --runtime=100 --numjobs=40 --time_based --name=test --ioengine=libaioFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), whichis just fine in case of running out of tag.
漏洞公开时间：2024-04-02 15:15:43
漏洞创建时间：2024-04-02 16:30:59
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2024-26671

更多参考(点击展开)

参考来源	参考链接	来源链接
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2
suse_bugzilla	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26671	https://bugzilla.suse.com/show_bug.cgi?id=1222357
suse_bugzilla	https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0	https://bugzilla.suse.com/show_bug.cgi?id=1222357
suse_bugzilla	https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f	https://bugzilla.suse.com/show_bug.cgi?id=1222357
suse_bugzilla	https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b	https://bugzilla.suse.com/show_bug.cgi?id=1222357
suse_bugzilla	https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676	https://bugzilla.suse.com/show_bug.cgi?id=1222357
suse_bugzilla	https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10	https://bugzilla.suse.com/show_bug.cgi?id=1222357
suse_bugzilla	https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2	https://bugzilla.suse.com/show_bug.cgi?id=1222357
suse_bugzilla	https://www.cve.org/CVERecord?id=CVE-2024-26671	https://bugzilla.suse.com/show_bug.cgi?id=1222357
suse_bugzilla	https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56	https://bugzilla.suse.com/show_bug.cgi?id=1222357
suse_bugzilla	https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed	https://bugzilla.suse.com/show_bug.cgi?id=1222357
suse_bugzilla	https://bugzilla.redhat.com/show_bug.cgi?id=2272811	https://bugzilla.suse.com/show_bug.cgi?id=1222357
redhat_bugzilla	https://lore.kernel.org/linux-cve-announce/2024040219-CVE-2024-26671-2543@gregkh/T	https://bugzilla.redhat.com/show_bug.cgi?id=2272811
ubuntu	https://git.kernel.org/linus/5266caaf5660529e3da53004b8b7174cab6374ed (6.8-rc1)	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://www.cve.org/CVERecord?id=CVE-2024-26671	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://ubuntu.com/security/notices/USN-6765-1	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://ubuntu.com/security/notices/USN-6766-1	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://ubuntu.com/security/notices/USN-6767-1	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://ubuntu.com/security/notices/USN-6767-2	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://ubuntu.com/security/notices/USN-6766-2	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://nvd.nist.gov/vuln/detail/CVE-2024-26671	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://launchpad.net/bugs/cve/CVE-2024-26671	https://ubuntu.com/security/CVE-2024-26671
ubuntu	https://security-tracker.debian.org/tracker/CVE-2024-26671	https://ubuntu.com/security/CVE-2024-26671
debian		https://security-tracker.debian.org/tracker/CVE-2024-26671
ubuntu	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26671	https://ubuntu.com/security/CVE-2024-26671

漏洞分析指导链接：
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息：

详情(点击展开)

影响的包	修复版本	修复补丁	问题引入补丁	来源
linux		https://git.kernel.org/linus/5266caaf5660529e3da53004b8b7174cab6374ed	https://git.kernel.org/linus/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2	ubuntu

二、漏洞分析结构反馈
影响性分析说明：
In the Linux kernel, the following vulnerability has been resolved:blk-mq: fix IO hang from sbitmap wakeup raceIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-orderedwith the following blk_mq_get_driver_tag() in case of getting drivertag failure.Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observethe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantimeblk_mq_mark_tag_wait() can t get driver tag successfully.This issue can be reproduced by running the following test in loop, andfio hang can be observed in < 30min when running it on my test VMin laptop.modprobe -r scsi_debugmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4dev=ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basenamefio --filename=/dev/ $dev --direct=1 --rw=randrw --bs=4k --iodepth=1 --runtime=100 --numjobs=40 --time_based --name=test --ioengine=libaioFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), whichis just fine in case of running out of tag.
openEuler评分：
5.5
Vector：CVSS：2.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
受影响版本排查(受影响/不受影响)：
1.openEuler-20.03-LTS-SP1(4.19.90):受影响
2.openEuler-20.03-LTS-SP4(4.19.90):受影响
3.openEuler-22.03-LTS(5.10.0):受影响
4.openEuler-22.03-LTS-SP1(5.10.0):受影响
5.openEuler-22.03-LTS-SP2(5.10.0):受影响
6.openEuler-22.03-LTS-SP3(5.10.0):受影响
7.master(6.1.0):不受影响
8.openEuler-22.03-LTS-Next(5.10.0):不受影响
9.openEuler-24.03-LTS:不受影响
10.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1(4.19.90):否
2.openEuler-20.03-LTS-SP4(4.19.90):否
3.openEuler-22.03-LTS(5.10.0):否
4.openEuler-22.03-LTS-SP1(5.10.0):否
5.openEuler-22.03-LTS-SP2(5.10.0):否
6.openEuler-22.03-LTS-SP3(5.10.0):否
7.master(6.1.0):否
8.openEuler-22.03-LTS-Next(5.10.0):否
9.openEuler-24.03-LTS:否
10.openEuler-24.03-LTS-Next:否

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2024-1622

Hi openeuler-ci-bot, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: Kernel, and any of the maintainers.

@yangyingliang ,@gatieme ,@jiaoff ,@guohaocs2c ,@hanjun-guo ,@woqidaideshi ,@newbeats ,@zhangyi089 ,@colyli ,@thundertown ,@htforge ,@chiqijun ,@lengchao ,@zhujianwei001 ,@kylin-mayukun ,@wangxiongfeng ,@wkfxxx ,@SuperSix173 ,@jentlestea ,@oskernel0719 
**issue处理注意事项:** 
**1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;**
**2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;**
**3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openEuler评分, 受影响版本排查(受影响/不受影响), 修复是否涉及abi变化(是/否))不能省略,省略后cve-manager将无法正常解析填写内容.**
************************************************************************
影响性分析说明:

openEuler评分: (评分和向量)

受影响版本排查(受影响/不受影响): 
1.master(6.1.0):
2.openEuler-20.03-LTS-SP1(4.19.90):
3.openEuler-20.03-LTS-SP4(4.19.90):
4.openEuler-22.03-LTS(5.10.0):
5.openEuler-22.03-LTS-Next(5.10.0):
6.openEuler-22.03-LTS-SP1(5.10.0):
7.openEuler-22.03-LTS-SP2(5.10.0):
8.openEuler-22.03-LTS-SP3(5.10.0):
9.openEuler-24.03-LTS:
10.openEuler-24.03-LTS-Next:

修复是否涉及abi变化(是/否)：
1.master(6.1.0):
2.openEuler-20.03-LTS-SP1(4.19.90):
3.openEuler-20.03-LTS-SP4(4.19.90):
4.openEuler-22.03-LTS(5.10.0):
5.openEuler-22.03-LTS-Next(5.10.0):
6.openEuler-22.03-LTS-SP1(5.10.0):
7.openEuler-22.03-LTS-SP2(5.10.0):
8.openEuler-22.03-LTS-SP3(5.10.0):
9.openEuler-24.03-LTS:
10.openEuler-24.03-LTS-Next:

-----------------------------------------------------------------------
issue处理具体操作请参考: 
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

参考网址	关联pr	状态	补丁链接
https://nvd.nist.gov/vuln/detail/CVE-2024-26671	None	None	https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0 https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10 https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2 https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56 https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676 https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b
https://ubuntu.com/security/CVE-2024-26671	None	None	https://discourse.ubuntu.com/c/ubuntu-pro
https://www.opencve.io/cve/CVE-2024-26671	None	None	https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0 https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10 https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2 https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56 https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676 https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-26671
https://security-tracker.debian.org/tracker/CVE-2024-26671

说明：补丁链接仅供初步排查参考，实际可用性请人工再次确认，补丁下载验证可使用CVE补丁工具。
若补丁不准确，烦请在此issue下评论 '/report-patch 参考网址补丁链接1,补丁链接2' 反馈正确信息，便于我们不断优化工具，不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

CVE-2024-26671

影响性分析说明：
Reserved.

openEuler评分:(评分和向量)
0.0
CVSS: 3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N

CVE-2024-26671

影响性分析说明：
In the Linux kernel, the following vulnerability has been resolved:

blk-mq: fix IO hang from sbitmap wakeup race

In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered
with the following blk_mq_get_driver_tag() in case of getting driver
tag failure.

Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observe
the added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime
blk_mq_mark_tag_wait() can't get driver tag successfully.

This issue can be reproduced by running the following test in loop, and
fio hang can be observed in < 30min when running it on my test VM
in laptop.

modprobe -r scsi_debug
modprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4
dev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`
fio --filename=/dev/"$dev" --direct=1 --rw=randrw --bs=4k --iodepth=1 \
   		--runtime=100 --numjobs=40 --time_based --name=test \
    	--ioengine=libaio

Fix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which
is just fine in case of running out of tag.

openEuler评分:(评分和向量)
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

受影响版本排查(受影响/不受影响):
1.openEuler-20.03-LTS-SP1:受影响
2.openEuler-20.03-LTS-SP4:受影响
3.openEuler-22.03-LTS:受影响
4.openEuler-22.03-LTS-SP1:受影响
5.openEuler-22.03-LTS-SP2:受影响
6.openEuler-22.03-LTS-SP3:受影响
7.master(6.1.0):不受影响
8.openEuler-22.03-LTS-Next:不受影响
9.openEuler-24.03-LTS:不受影响
10.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1(4.19.90):否
2.openEuler-20.03-LTS-SP4:否
3.openEuler-22.03-LTS:否
4.openEuler-22.03-LTS-SP1:否
5.openEuler-22.03-LTS-SP2:否
6.openEuler-22.03-LTS-SP3:否
7.master(6.1.0):否
8.openEuler-22.03-LTS-Next:否
9.openEuler-24.03-LTS:否
10.openEuler-24.03-LTS-Next:否

===========================================================

CVE-2024-26671

影响性分析说明：
In the Linux kernel, the following vulnerability has been resolved:

blk-mq: fix IO hang from sbitmap wakeup race

In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered
with the following blk_mq_get_driver_tag() in case of getting driver
tag failure.

Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observe
the added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime
blk_mq_mark_tag_wait() can't get driver tag successfully.

This issue can be reproduced by running the following test in loop, and
fio hang can be observed in < 30min when running it on my test VM
in laptop.

modprobe -r scsi_debug
modprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4
dev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`
fio --filename=/dev/"$dev" --direct=1 --rw=randrw --bs=4k --iodepth=1 \
   		--runtime=100 --numjobs=40 --time_based --name=test \
    	--ioengine=libaio

Fix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which
is just fine in case of running out of tag.

openEuler评分:(评分和向量)
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

受影响版本排查(受影响/不受影响):
1.openEuler-20.03-LTS-SP1:受影响
2.openEuler-20.03-LTS-SP4:受影响
3.openEuler-22.03-LTS:受影响
4.openEuler-22.03-LTS-SP1:受影响
5.openEuler-22.03-LTS-SP2:受影响
6.openEuler-22.03-LTS-SP3:受影响
7.master(6.1.0):不受影响
8.openEuler-22.03-LTS-Next:不受影响
9.openEuler-24.03-LTS:不受影响
10.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1(4.19.90):否
2.openEuler-20.03-LTS-SP4:否
3.openEuler-22.03-LTS:否
4.openEuler-22.03-LTS-SP1:否
5.openEuler-22.03-LTS-SP2:否
6.openEuler-22.03-LTS-SP3:否
7.master(6.1.0):否
8.openEuler-22.03-LTS-Next:否
9.openEuler-24.03-LTS:否
10.openEuler-24.03-LTS-Next:否

===========================================================

src-openEuler/kernel

内容风险标识

评论 (9)

src-openEuler/kernel .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2024-26671

评论 (9)

搜索帮助

src-openEuler/kernel