CVE-2024-40925

{"id": "CVE-2024-40925", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-07-12T13:15:15.343", "references": [{"url": "https://git.kernel.org/stable/c/87907bd69721a8506618a954d41a1de3040e88aa", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d0321c812d89c5910d8da8e4b10c891c6b96ff70", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fe1e395563ccb051e9dbd8fa99859f5caaad2e71", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/87907bd69721a8506618a954d41a1de3040e88aa", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/d0321c812d89c5910d8da8e4b10c891c6b96ff70", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/fe1e395563ccb051e9dbd8fa99859f5caaad2e71", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix request.queuelist usage in flush\n\nFriedrich Weber reported a kernel crash problem and bisected to commit\n81ada09cc25e (\"blk-flush: reuse rq queuelist in flush state machine\").\n\nThe root cause is that we use \"list_move_tail(&rq->queuelist, pending)\"\nin the PREFLUSH/POSTFLUSH sequences. But rq->queuelist.next == xxx since\nit's popped out from plug->cached_rq in __blk_mq_alloc_requests_batch().\nWe don't initialize its queuelist just for this first request, although\nthe queuelist of all later popped requests will be initialized.\n\nFix it by changing to use \"list_add_tail(&rq->queuelist, pending)\" so\nrq->queuelist doesn't need to be initialized. It should be ok since rq\ncan't be on any list when PREFLUSH or POSTFLUSH, has no move actually.\n\nPlease note the commit 81ada09cc25e (\"blk-flush: reuse rq queuelist in\nflush state machine\") also has another requirement that no drivers would\ntouch rq->queuelist after blk_mq_end_request() since we will reuse it to\nadd rq to the post-flush pending list in POSTFLUSH. If this is not true,\nwe will have to revert that commit IMHO.\n\nThis updated version adds \"list_del_init(&rq->queuelist)\" in flush rq\ncallback since the dm layer may submit request of a weird invalid format\n(REQ_FSEQ_PREFLUSH | REQ_FSEQ_POSTFLUSH), which causes double list_add\nif without this \"list_del_init(&rq->queuelist)\". The weird invalid format\nproblem should be fixed in dm layer."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bloque: corrige el uso de request.queuelist en Flush Friedrich Weber inform\u00f3 un problema de falla del kernel y lo bisec\u00f3 para el commit 81ada09cc25e (\"blk-flush: reutilizar rq queuelist en la m\u00e1quina de estado de descarga\"). La causa principal es que usamos \"list_move_tail(&rq->queuelist, pendiente)\" en las secuencias PREFLUSH/POSTFLUSH. Pero rq->queuelist.next == xxx ya que sali\u00f3 del plug->cached_rq en __blk_mq_alloc_requests_batch(). No inicializamos su lista de colas solo para esta primera solicitud, aunque se inicializar\u00e1 la lista de colas de todas las solicitudes emergentes posteriores. Solucionelo cambiando para usar \"list_add_tail(&rq->queuelist, pendiente)\" para que no sea necesario inicializar rq->queuelist. Deber\u00eda estar bien ya que rq no puede estar en ninguna lista cuando PREFLUSH o POSTFLUSH, en realidad no tiene movimiento. Tenga en cuenta que el commit 81ada09cc25e (\"blk-flush: reutilizar rq queuelist en la m\u00e1quina de estado de descarga\") tambi\u00e9n tiene otro requisito de que ning\u00fan controlador toque rq->queuelist despu\u00e9s de blk_mq_end_request() ya que lo reutilizaremos para agregar rq al post-flush lista pendiente en POSTFLUSH. Si esto no es cierto, tendremos que revertir ese commit en mi humilde opini\u00f3n. Esta versi\u00f3n actualizada agrega \"list_del_init(&rq->queuelist)\" en la devoluci\u00f3n de llamada de Flush rq ya que la capa dm puede enviar una solicitud de un formato extra\u00f1o no v\u00e1lido (REQ_FSEQ_PREFLUSH | REQ_FSEQ_POSTFLUSH), lo que provoca el doble list_add si no se tiene este \"list_del_init(&rq->queuelist) \". El extra\u00f1o problema del formato no v\u00e1lido deber\u00eda solucionarse en la capa dm."}], "lastModified": "2025-09-17T15:15:28.420", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4403344-197F-4A92-9E46-627CE50A9B83", "versionEndExcluding": "6.6.35", "versionStartIncluding": "6.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0ABBBA1D-F79D-4BDB-AA41-D1EDCC4A6975", "versionEndExcluding": "6.9.6", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2EBB4392-5FA6-4DA9-9772-8F9C750109FA"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "331C2F14-12C7-45D5-893D-8C52EE38EA10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3173713D-909A-4DD3-9DD4-1E171EB057EE"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}