{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-26671", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.150Z", "datePublished": "2024-04-02T06:49:13.834Z", "dateUpdated": "2026-05-11T20:01:56.325Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T20:01:56.325Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix IO hang from sbitmap wakeup race\n\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\n\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\n\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\n\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n \t--ioengine=libaio\n\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["block/blk-mq.c"], "versions": [{"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "9525b38180e2753f0daa1a522b7767a2aa969676", "status": "affected", "versionType": "git"}, {"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10", "status": "affected", "versionType": "git"}, {"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "7610ba1319253225a9ba8a9d28d472fc883b4e2f", "status": "affected", "versionType": "git"}, {"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "89e0e66682e1538aeeaa3109503473663cd24c8b", "status": "affected", "versionType": "git"}, {"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "1d9c777d3e70bdc57dddf7a14a80059d65919e56", "status": "affected", "versionType": "git"}, {"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "6d8b01624a2540336a32be91f25187a433af53a0", "status": "affected", "versionType": "git"}, {"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "f1bc0d8163f8ee84a8d5affdf624cfad657df1d2", "status": "affected", "versionType": "git"}, {"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "5266caaf5660529e3da53004b8b7174cab6374ed", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["block/blk-mq.c"], "versions": [{"version": "4.11", "status": "affected"}, {"version": "0", "lessThan": "4.11", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.307", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.269", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.210", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.149", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.77", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.16", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.4", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "4.19.307"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "5.4.269"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "5.10.210"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "5.15.149"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "6.1.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "6.6.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "6.7.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "6.8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676"}, {"url": "https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10"}, {"url": "https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f"}, {"url": "https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b"}, {"url": "https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56"}, {"url": "https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0"}, {"url": "https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2"}, {"url": "https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed"}], "title": "blk-mq: fix IO hang from sbitmap wakeup race", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:12.464Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26671", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:53:32.693372Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:37.992Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:12.464Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26671", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:53:32.693372Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:17.766Z"}}], "cna": {"title": "blk-mq: fix IO hang from sbitmap wakeup race", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "9525b38180e2753f0daa1a522b7767a2aa969676", "versionType": "git"}, {"status": "affected", "version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10", "versionType": "git"}, {"status": "affected", "version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "7610ba1319253225a9ba8a9d28d472fc883b4e2f", "versionType": "git"}, {"status": "affected", "version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "89e0e66682e1538aeeaa3109503473663cd24c8b", "versionType": "git"}, {"status": "affected", "version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "1d9c777d3e70bdc57dddf7a14a80059d65919e56", "versionType": "git"}, {"status": "affected", "version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "6d8b01624a2540336a32be91f25187a433af53a0", "versionType": "git"}, {"status": "affected", "version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "f1bc0d8163f8ee84a8d5affdf624cfad657df1d2", "versionType": "git"}, {"status": "affected", "version": "da55f2cc78418dee88400aafbbaed19d7ac8188e", "lessThan": "5266caaf5660529e3da53004b8b7174cab6374ed", "versionType": "git"}], "programFiles": ["block/blk-mq.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4.11"}, {"status": "unaffected", "version": "0", "lessThan": "4.11", "versionType": "semver"}, {"status": "unaffected", "version": "4.19.307", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.269", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.210", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.149", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.77", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.16", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.4", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["block/blk-mq.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676"}, {"url": "https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10"}, {"url": "https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f"}, {"url": "https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b"}, {"url": "https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56"}, {"url": "https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0"}, {"url": "https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2"}, {"url": "https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix IO hang from sbitmap wakeup race\n\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\n\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\n\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\n\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n \t--ioengine=libaio\n\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.19.307", "versionStartIncluding": "4.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.269", "versionStartIncluding": "4.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.210", "versionStartIncluding": "4.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.149", "versionStartIncluding": "4.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.77", "versionStartIncluding": "4.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.16", "versionStartIncluding": "4.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.7.4", "versionStartIncluding": "4.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8", "versionStartIncluding": "4.11"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T20:01:56.325Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26671", "state": "PUBLISHED", "dateUpdated": "2026-05-11T20:01:56.325Z", "dateReserved": "2024-02-19T14:20:24.150Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-02T06:49:13.834Z", "assignerShortName": "Linux"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4B4E1A83-9957-4265-94C0-516374C8CCFD", "versionEndExcluding": "4.19.307", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "319545F3-D56C-4751-BEBF-0505478BBAE8", "versionEndExcluding": "5.4.269", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5CB4CA6-A9A0-4AFD-9102-8CF94D708170", "versionEndExcluding": "5.10.210", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D0465BB-4053-4E15-9137-6696EBAE90FD", "versionEndExcluding": "5.15.149", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0FA28946-970D-4F4D-B759-4E77B28809B5", "versionEndExcluding": "6.1.77", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69D6757C-7F67-4658-A99A-EA157BABCF3F", "versionEndExcluding": "6.7.4", "versionStartIncluding": "6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix IO hang from sbitmap wakeup race\n\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\n\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\n\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\n\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n \t--ioengine=libaio\n\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: blk-mq: corrige el bloqueo de IO de la carrera de activaci\u00f3n del mapa de bits En blk_mq_mark_tag_wait(), __add_wait_queue() se puede reordenar con el siguiente blk_mq_get_driver_tag() en caso de que se produzca un error en la etiqueta del controlador. Luego, en __sbitmap_queue_wake_up(), waitqueue_active() puede no observar al camarero agregado en blk_mq_mark_tag_wait() y no despertar nada, mientras tanto, blk_mq_mark_tag_wait() no puede obtener la etiqueta del controlador correctamente. Este problema se puede reproducir ejecutando la siguiente prueba en bucle, y se puede observar un bloqueo de fio en &lt; 30 minutos cuando lo ejecuto en mi m\u00e1quina virtual de prueba en una computadora port\u00e1til. modprobe -r scsi_debug modprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4 dev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block /* | cabeza -1 | xargs basename` fio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --io Depth=1 \\ --runtime=100 --numjobs=40 --time_based - -name=test \\ --ioengine=libaio Solucione el problema agregando una barrera expl\u00edcita en blk_mq_mark_tag_wait(), lo cual est\u00e1 bien en caso de quedarse sin etiqueta."}], "id": "CVE-2024-26671", "lastModified": "2025-03-17T15:03:48.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-02T07:15:43.830", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:2950", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.rt7.342.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:3138", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:10262", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "kernel-0:4.18.0-477.81.1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-11-26T00:00:00Z"}, {"advisory": "RHSA-2024:2394", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.13.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2394", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.13.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:9942", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "kernel-0:5.14.0-70.121.1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-11-19T00:00:00Z"}, {"advisory": "RHSA-2024:9943", "cpe": "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package": "kernel-rt-0:5.14.0-70.121.1.rt21.193.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-11-19T00:00:00Z"}, {"advisory": "RHSA-2024:8613", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "kernel-0:5.14.0-284.90.1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8614", "cpe": "cpe:/a:redhat:rhel_eus:9.2::nfv", "package": "kernel-rt-0:5.14.0-284.90.1.rt14.375.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-10-30T00:00:00Z"}], "bugzilla": {"description": "kernel: blk-mq: fix IO hang from sbitmap wakeup race", "id": "2272811", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272811"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-362", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nblk-mq: fix IO hang from sbitmap wakeup race\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\nmodprobe -r scsi_debug\nmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\ndev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\nfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n--runtime=100 --numjobs=40 --time_based --name=test \\\n--ioengine=libaio\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag."], "name": "CVE-2024-26671", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26671\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26671\nhttps://lore.kernel.org/linux-cve-announce/2024040219-CVE-2024-26671-2543@gregkh/T"], "statement": "This issue is fixed in RHEL-9.4 and above (including RHEL 8.10)\n~~~\na7f97b4cae32 (in rhel-9.4, rhel-9.5) blk-mq: fix IO hang from sbitmap wakeup race \n098ab94a5112 (in rhel-8.10) blk-mq: fix IO hang from sbitmap wakeup race\n~~~\nPlease note that while RHEL-9 kernel-rt still appears as affected, it has been fixed in the same RHSA as RHEL-9 kernel. This is because from RHEL-9.3 onwards, the kernel and kernel-rt fixes are bundled together in a single errata.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nRed Hat enforces the principle of least functionality, ensuring that only essential features, services, and ports are enabled. The environment leverages malicious code protections such as IPS/IDS and antimalware solutions that detect and respond to indicators in real time, limiting the impact of exploitation attempts. Static code analysis and peer code review techniques are used to execute robust input validation and error-handling mechanisms to ensure all user inputs are thoroughly validated, preventing improperly validated inputs from causing system instability, exposing sensitive data, or escalating risks. In the case of successful exploitation, detection and containment controls are in place to limit impacts by alerting on anomalous system behavior in real time, while process isolation and automated orchestration via Kubernetes minimize the likelihood of concurrent execution scenarios that would trigger the race condition and help contain the impact to a single process.", "threat_severity": "Moderate"}

{}