Skip to content

In the Linux kernel, the following vulnerability has been...

Moderate severity Unreviewed Published Sep 4, 2024 to the GitHub Advisory Database • Updated Sep 6, 2024

Package

No package listedSuggest a package

Affected versions

Unknown

Patched versions

Unknown

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix deadlock during RTC update

There is a deadlock when runtime suspend waits for the flush of RTC work,
and the RTC work calls ufshcd_rpm_get_sync() to wait for runtime resume.

Here is deadlock backtrace:

kworker/0:1 D 4892.876354 10 10971 4859 0x4208060 0x8 10 0 120 670730152367
ptr f0ffff80c2e40000 0 1 0x00000001 0x000000ff 0x000000ff 0x000000ff
__switch_to+0x1a8/0x2d4
__schedule+0x684/0xa98
schedule+0x48/0xc8
schedule_timeout+0x48/0x170
do_wait_for_common+0x108/0x1b0
wait_for_completion+0x44/0x60
__flush_work+0x39c/0x424
__cancel_work_sync+0xd8/0x208
cancel_delayed_work_sync+0x14/0x28
__ufshcd_wl_suspend+0x19c/0x480
ufshcd_wl_runtime_suspend+0x3c/0x1d4
scsi_runtime_suspend+0x78/0xc8
__rpm_callback+0x94/0x3e0
rpm_suspend+0x2d4/0x65c
__pm_runtime_suspend+0x80/0x114
scsi_runtime_idle+0x38/0x6c
rpm_idle+0x264/0x338
__pm_runtime_idle+0x80/0x110
ufshcd_rtc_work+0x128/0x1e4
process_one_work+0x26c/0x650
worker_thread+0x260/0x3d8
kthread+0x110/0x134
ret_from_fork+0x10/0x20

Skip updating RTC if RPM state is not RPM_ACTIVE.

References

Published by the National Vulnerability Database Sep 4, 2024
Published to the GitHub Advisory Database Sep 4, 2024
Last updated Sep 6, 2024

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS score

0.043%
(10th percentile)

Weaknesses

CVE ID

CVE-2024-44953

GHSA ID

GHSA-g477-g2gm-cjmf

Source code

No known source code

Dependabot alerts are not supported on this advisory because it does not have a package from a supported ecosystem with an affected and fixed version.

Learn more about GitHub language support

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.