{
  "threat_severity" : "Moderate",
  "public_date" : "2024-08-17T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: md: fix deadlock between mddev_suspend and flush bio",
    "id" : "2305513",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2305513"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-833",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmd: fix deadlock between mddev_suspend and flush bio\nDeadlock occurs when mddev is being suspended while some flush bio is in\nprogress. It is a complex issue.\nT1. the first flush is at the ending stage, it clears 'mddev->flush_bio'\nand tries to submit data, but is blocked because mddev is suspended\nby T4.\nT2. the second flush sets 'mddev->flush_bio', and attempts to queue\nmd_submit_flush_data(), which is already running (T1) and won't\nexecute again if on the same CPU as T1.\nT3. the third flush inc active_io and tries to flush, but is blocked because\n'mddev->flush_bio' is not NULL (set by T2).\nT4. mddev_suspend() is called and waits for active_io dec to 0 which is inc\nby T3.\nT1T2T3T4\n(flush 1)(flush 2)(third 3)(suspend)\nmd_submit_flush_data\nmddev->flush_bio = NULL;\n.\n. md_flush_request\n.   mddev->flush_bio = bio\n.   queue submit_flushes\n. .\n. .md_handle_request\n. . active_io + 1\n. . md_flush_request\n. .  wait !mddev->flush_bio\n. .\n. .mddev_suspend\n. . wait !active_io\n. .\n. submit_flushes\n. queue_work md_submit_flush_data\n. //md_submit_flush_data is already running (T1)\n.\nmd_handle_request\nwait resume\nThe root issue is non-atomic inc/dec of active_io during flush process.\nactive_io is dec before md_submit_flush_data is queued, and inc soon\nafter md_submit_flush_data() run.\nmd_flush_request\nactive_io + 1\nsubmit_flushes\nactive_io - 1\nmd_submit_flush_data\nmd_handle_request\nactive_io + 1\nmake_request\nactive_io - 1\nIf active_io is dec after md_handle_request() instead of within\nsubmit_flushes(), make_request() can be called directly intead of\nmd_handle_request() in md_submit_flush_data(), and active_io will\nonly inc and dec once in the whole flush process. Deadlock will be\nfixed.\nAdditionally, the only difference between fixing the issue and before is\nthat there is no return error handling of make_request(). But after\nprevious patch cleaned md_write_start(), make_requst() only return error\nin raid5_make_request() by dm-raid, see commit 41425f96d7aa (\"dm-raid456,\nmd/raid456: fix a deadlock for dm-raid456 while io concurrent with\nreshape)\". Since dm always splits data and flush operation into two\nseparate io, io size of flush submitted by dm always is 0, make_request()\nwill not be called in md_submit_flush_data(). To prevent future\nmodifications from introducing issues, add WARN_ON to ensure\nmake_request() no error is returned in this context.", "A denial of service vulnerability exists in the Linux kernel. A deadlock condition occurs when mddev is being suspended while some of the flush bio is in progress, leading to a loss of availability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-04-02T00:00:00Z",
    "advisory" : "RHSA-2025:3506",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.35.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-04-02T00:00:00Z",
    "advisory" : "RHSA-2025:3506",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.35.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-43855\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-43855\nhttps://lore.kernel.org/linux-cve-announce/2024081734-CVE-2024-43855-b78a@gregkh/T" ],
  "name" : "CVE-2024-43855",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}