{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-46984", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-27T18:42:55.946Z", "datePublished": "2024-02-28T08:13:12.835Z", "dateUpdated": "2025-05-04T07:01:44.056Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:01:44.056Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkyber: fix out of bounds access when preempted\n\n__blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and\npasses the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx\nfor the current CPU again and uses that to get the corresponding Kyber\ncontext in the passed hctx. However, the thread may be preempted between\nthe two calls to blk_mq_get_ctx(), and the ctx returned the second time\nmay no longer correspond to the passed hctx. 
This \"works\" accidentally\nmost of the time, but it can cause us to read garbage if the second ctx\ncame from an hctx with more ctx's than the first one (i.e., if\nctx->index_hw[hctx->type] > hctx->nr_ctx).\n\nThis manifested as this UBSAN array index out of bounds error reported\nby Jakub:\n\nUBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9\nindex 13106 is out of range for type 'long unsigned int [128]'\nCall Trace:\n dump_stack+0xa4/0xe5\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34\n queued_spin_lock_slowpath+0x476/0x480\n do_raw_spin_lock+0x1c2/0x1d0\n kyber_bio_merge+0x112/0x180\n blk_mq_submit_bio+0x1f5/0x1100\n submit_bio_noacct+0x7b0/0x870\n submit_bio+0xc2/0x3a0\n btrfs_map_bio+0x4f0/0x9d0\n btrfs_submit_data_bio+0x24e/0x310\n submit_one_bio+0x7f/0xb0\n submit_extent_page+0xc4/0x440\n __extent_writepage_io+0x2b8/0x5e0\n __extent_writepage+0x28d/0x6e0\n extent_write_cache_pages+0x4d7/0x7a0\n extent_writepages+0xa2/0x110\n do_writepages+0x8f/0x180\n __writeback_single_inode+0x99/0x7f0\n writeback_sb_inodes+0x34e/0x790\n __writeback_inodes_wb+0x9e/0x120\n wb_writeback+0x4d2/0x660\n wb_workfn+0x64d/0xa10\n process_one_work+0x53a/0xa80\n worker_thread+0x69/0x5b0\n kthread+0x20b/0x240\n ret_from_fork+0x1f/0x30\n\nOnly Kyber uses the hctx, so fix it by passing the request_queue to\n->bio_merge() instead. 
BFQ and mq-deadline just use that, and Kyber can\nmap the queues itself to avoid the mismatch."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["block/bfq-iosched.c", "block/blk-mq-sched.c", "block/kyber-iosched.c", "block/mq-deadline.c", "include/linux/elevator.h"], "versions": [{"version": "a6088845c2bf754d6cb2572b484180680b037804", "lessThan": "0b6b4b90b74c27bea968c214d820ba4254b903a5", "status": "affected", "versionType": "git"}, {"version": "a6088845c2bf754d6cb2572b484180680b037804", "lessThan": "54dbe2d2c1fcabf650c7a8b747601da355cd7f9f", "status": "affected", "versionType": "git"}, {"version": "a6088845c2bf754d6cb2572b484180680b037804", "lessThan": "a287cd84e047045f5a4d4da793414e848de627c6", "status": "affected", "versionType": "git"}, {"version": "a6088845c2bf754d6cb2572b484180680b037804", "lessThan": "2ef3c76540c49167a0bc3d5f80d00fd1fc4586df", "status": "affected", "versionType": "git"}, {"version": "a6088845c2bf754d6cb2572b484180680b037804", "lessThan": "efed9a3337e341bd0989161b97453b52567bc59d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["block/bfq-iosched.c", "block/blk-mq-sched.c", "block/kyber-iosched.c", "block/mq-deadline.c", "include/linux/elevator.h"], "versions": [{"version": "4.18", "status": "affected"}, {"version": "0", "lessThan": "4.18", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.120", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.38", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.11.22", "lessThanOrEqual": "5.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.12.5", "lessThanOrEqual": "5.12.*", "status": 
"unaffected", "versionType": "semver"}, {"version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "5.4.120"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "5.10.38"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "5.11.22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "5.12.5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "5.13"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0b6b4b90b74c27bea968c214d820ba4254b903a5"}, {"url": "https://git.kernel.org/stable/c/54dbe2d2c1fcabf650c7a8b747601da355cd7f9f"}, {"url": "https://git.kernel.org/stable/c/a287cd84e047045f5a4d4da793414e848de627c6"}, {"url": "https://git.kernel.org/stable/c/2ef3c76540c49167a0bc3d5f80d00fd1fc4586df"}, {"url": "https://git.kernel.org/stable/c/efed9a3337e341bd0989161b97453b52567bc59d"}], "title": "kyber: fix out of bounds access when preempted", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:24:37.898Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/0b6b4b90b74c27bea968c214d820ba4254b903a5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/54dbe2d2c1fcabf650c7a8b747601da355cd7f9f", "tags": ["x_transferred"]}, {"url": 
"https://git.kernel.org/stable/c/a287cd84e047045f5a4d4da793414e848de627c6", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2ef3c76540c49167a0bc3d5f80d00fd1fc4586df", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/efed9a3337e341bd0989161b97453b52567bc59d", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-46984", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:01:11.596982Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:40.792Z"}}]}}