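Vulnerability title
nvme-fc: do not wait in vain when unloading module
Vulnerability description
In the Linux kernel, the following vulnerability has been resolved:
nvme-fc: do not wait in vain when unloading module
The module exit path has a race condition between deleting all controllers and freeing the 'left over IDs'. The initial commit prevented a double free by adding synchronization between nvme_delete_ctrl and ida_destroy.
Although there is some logic that tries to prevent wait_for_completion from hanging forever, it does not handle all cases. For example, blktests is able to reproduce a situation where the module unload hangs forever.
If we rely completely on the cleanup code executed from the nvme_delete_ctrl path, all IDs will eventually be freed. This makes calling ida_destroy unnecessary. We only need to ensure that all nvme_delete_ctrl code has been executed before leaving nvme_fc_exit_module. This is done by flushing the nvme_delete_wq workqueue.
While at it, also remove the unused nvme_fc_wq workqueue.
CVSS information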
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
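Vulnerability category
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Vulnerability title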
nvme-fc: do not wait in vain when unloading module
Vulnerability description
In the Linux kernel, the following vulnerability has been resolved:
nvme-fc: do not wait in vain when unloading module
The module exit path has a race between deleting all controllers and
freeing 'left over IDs'. To prevent double free a synchronization
between nvme_delete_ctrl and ida_destroy has been added by the initial
commit.
There is some logic around trying to prevent from hanging forever in
wait_for_completion, though it does not handle all cases. E.g.
blktests is able to reproduce the situation where the module unload
hangs forever.
If we completely rely on the cleanup code executed from the
nvme_delete_ctrl path, all IDs will be freed eventually. This makes
calling ida_destroy unnecessary. We only have to ensure that all
nvme_delete_ctrl code has been executed before we leave
nvme_fc_exit_module. This is done by flushing the nvme_delete_wq
workqueue.
While at it, remove the unused nvme_fc_wq workqueue too.
CVSS information
N/A
Vulnerability category
N/A
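Vulnerability title
Linux kernel security vulnerability
Vulnerability description
Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). The Linux kernel contains a security vulnerability that stems from a memory double free.
CVSS information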
N/A
Vulnerability category
Other