PT-2024-29232 · Linux+3 · Linux Kernel+3
Published: 2024-06-28 · Updated: 2025-09-29
CVE-2024-41053
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.43
Description
The issue arises when `ufshcd_abort_one` races with the completion ISR: the ISR sets the `mq_hctx` pointer of the completed tag's request to NULL, which results in a kernel NULL pointer dereference. The racing flow involves two threads: Thread A, which calls `ufshcd_err_handler`, `ufshcd_abort_one`, `ufshcd_try_to_abort_task`, and `ufshcd_mcq_req_to_hwq`, and Thread B, which calls `ufs_mtk_mcq_intr` (cq complete ISR), `scsi_done`, and `blk_mq_free_request`. The backtrace shows the error occurring at `blk_mq_unique_tag+0x8/0x14`.
Recommendations
To resolve the issue, update the Linux kernel to version 6.6.43 or later. As a temporary workaround, consider disabling the `ufshcd_abort_one` function until a patch is available. Restrict access to the vulnerable `ufshcd_mcq_req_to_hwq` module to minimize the risk of exploitation. Avoid using the `rq->mq_hctx->queue_num` parameter in the affected API endpoint until the issue is resolved.
Exploit
Fix
NULL Pointer Dereference
Race Condition
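To triage crash logs for the signature given in the Description (a NULL dereference in `blk_mq_unique_tag` reached from the UFS abort path), the following is an added example, not code from the advisory or from the kernel project. The log layout, the sample lines and the name `example_probe` are constructed assumptions; only the function names come from the advisory.

```python
import re

# Signature from the advisory: fault in blk_mq_unique_tag with the UFS
# error-handler abort path (Thread A) present in the same backtrace.
FAULT_SYMBOL = "blk_mq_unique_tag"
ABORT_PATH = ("ufshcd_err_handler", "ufshcd_abort_one",
              "ufshcd_try_to_abort_task", "ufshcd_mcq_req_to_hwq")
OOPS_START = re.compile(r"NULL pointer dereference")
OOPS_END = re.compile(r"---\[ end trace")
FRAME = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")  # sym+0xoff/0xlen

def classify(frames):
    """Return a finding if one oops' frames match the advisory's signature."""
    hits = [f for f in ABORT_PATH if f in frames]
    if FAULT_SYMBOL in frames and hits:
        return {"fault": FAULT_SYMBOL, "abort_frames": hits}
    return None

def scan(log_text):
    """Group log lines into NULL-dereference oopses and classify each one."""
    findings, frames = [], None
    def flush():
        hit = classify(frames) if frames is not None else None
        if hit:
            findings.append(hit)
    for line in log_text.splitlines():
        if OOPS_START.search(line):
            flush()                 # previous oops had no end marker
            frames = []
        elif frames is not None:
            frames.extend(FRAME.findall(line))
            if OOPS_END.search(line):
                flush()
                frames = None
    flush()                         # log was truncated mid-oops
    return findings

# Constructed sample log: addresses, most offsets and example_probe are made up.
SAMPLE_LOG = """\
[  101.01] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194
[  101.02] pc : blk_mq_unique_tag+0x8/0x14
[  101.03]  blk_mq_unique_tag+0x8/0x14
[  101.04]  ufshcd_try_to_abort_task+0x2c8/0x5b4
[  101.05]  ufshcd_err_handler+0xa7c/0xfa8
[  101.06] ---[ end trace 0000000000000000 ]---
[  250.01] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
[  250.02] pc : example_probe+0x24/0x80
[  250.03] ---[ end trace 0000000000000000 ]---
"""
```

`scan(SAMPLE_LOG)` reports only the first oops; the second is a NULL dereference with no UFS abort frames and is ignored. A match is a triage signal to check whether the host runs a kernel prior to 6.6.43.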
Related Identifiers
Affected Products
Alt Linux
Linuxmint
Linux Kernel
Ubuntu