CVE-2024-41054: Vulnerability in the Linux kernel (UFS core, MCQ mode)
In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix ufshcd_clear_cmd racing issue

When ufshcd_clear_cmd is racing with the completion ISR, the completed tag of the request's mq_hctx pointer will be set to NULL by the ISR. And ufshcd_clear_cmd's call to ufshcd_mcq_req_to_hwq will get NULL pointer KE. Return success when the request is completed by ISR because sq does not need cleanup.

The racing flow is:

Thread A
ufshcd_err_handler                           step 1
  ufshcd_try_to_abort_task
    ufshcd_cmd_inflight(true)                step 3
    ufshcd_clear_cmd
      ...
      ufshcd_mcq_req_to_hwq
        blk_mq_unique_tag
          rq->mq_hctx->queue_num             step 5

Thread B
ufs_mtk_mcq_intr(cq complete ISR)            step 2
  scsi_done
    ...
    __blk_mq_free_request
      rq->mq_hctx = NULL;                    step 4

Below is KE back trace:

ufshcd_try_to_abort_task: cmd pending in the device. tag = 6
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194
pc : [0xffffffd589679bf8] blk_mq_unique_tag+0x8/0x14
lr : [0xffffffd5862f95b4] ufshcd_mcq_sq_cleanup+0x6c/0x1cc [ufs_mediatek_mod_ise]
Workqueue: ufs_eh_wq_0 ufshcd_err_handler [ufs_mediatek_mod_ise]
Call trace:
 dump_backtrace+0xf8/0x148
 show_stack+0x18/0x24
 dump_stack_lvl+0x60/0x7c
 dump_stack+0x18/0x3c
 mrdump_common_die+0x24c/0x398 [mrdump]
 ipanic_die+0x20/0x34 [mrdump]
 notify_die+0x80/0xd8
 die+0x94/0x2b8
 __do_kernel_fault+0x264/0x298
 do_page_fault+0xa4/0x4b8
 do_translation_fault+0x38/0x54
 do_mem_abort+0x58/0x118
 el1_abort+0x3c/0x5c
 el1h_64_sync_handler+0x54/0x90
 el1h_64_sync+0x68/0x6c
 blk_mq_unique_tag+0x8/0x14
 ufshcd_clear_cmd+0x34/0x118 [ufs_mediatek_mod_ise]
 ufshcd_try_to_abort_task+0x2c8/0x5b4 [ufs_mediatek_mod_ise]
 ufshcd_err_handler+0xa7c/0xfa8 [ufs_mediatek_mod_ise]
 process_one_work+0x208/0x4fc
 worker_thread+0x228/0x438
 kthread+0x104/0x1d4
 ret_from_fork+0x10/0x20
AI Analysis
Technical Summary
CVE-2024-41054 is a race condition in the Linux kernel's UFS (Universal Flash Storage) host controller core, in the command-clearing path used when the host runs in MCQ (multi-circular queue) mode. The fix is in the UFS core ("scsi: ufs: core"), not in a vendor driver; the crash above was captured on a MediaTek host whose vendor module (ufs_mediatek_mod_ise) packages the core code, and the completion interrupt handler involved is ufs_mtk_mcq_intr. The race is between the SCSI error handler and the completion ISR. When ufshcd_err_handler aborts a command, ufshcd_try_to_abort_task first confirms the command is still in flight (ufshcd_cmd_inflight) and then calls ufshcd_clear_cmd, which on an MCQ host calls ufshcd_mcq_sq_cleanup to remove the entry from the submission queue. To locate the hardware queue, ufshcd_mcq_req_to_hwq calls blk_mq_unique_tag, which reads rq->mq_hctx->queue_num. If the completion ISR runs between the in-flight check and that read, scsi_done leads to __blk_mq_free_request, which sets rq->mq_hctx to NULL, and the read faults. The fault address 0000000000000194 in the trace is what a read of a field at that offset from a NULL struct pointer produces, and the link register (ufshcd_mcq_sq_cleanup) confirms the call path. The result is a kernel NULL pointer dereference and a panic, i.e. a denial of service. Nothing in the advisory suggests memory corruption, privilege escalation or code execution: the pointer dereferenced is NULL, not a dangling pointer into reused memory. Triggering it requires a UFS command to enter error handling (for example after a timeout) and to complete at the same instant, so the window is narrow; the advisory gives no evidence that an unprivileged user can provoke it on demand, and heavy or failing I/O on a marginal device is the realistic precursor. Only hosts operating in MCQ mode take the affected path. The fix follows the commit message: a request the ISR has already completed (its mq_hctx is NULL) needs no submission-queue cleanup, so the clear path recognizes that state and returns success instead of dereferencing the pointer. Affected kernels are those with UFS MCQ support before the patch and the stable branches it was backported to; check the distribution or vendor changelog for CVE-2024-41054.
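As an added illustration (this is not kernel code and not the patch), the following user-space C model reproduces the interleaving from the commit message with stand-in structures: the completion side clears mq_hctx, the pre-fix lookup dereferences it unconditionally, and the post-fix lookup snapshots the pointer, returns NULL when it has been cleared, and lets the cleanup path report success. Function and field names mirror the kernel ones, but every body, the uhq array and the sq_cleanups counter are assumptions made for the demo.

```c
/* Added example, not kernel code: a user-space model of the UFS MCQ
 * "clear command" path racing with the completion ISR, and of the
 * NULL-check fix described in the commit message. Names mirror the
 * kernel functions; the bodies and data structures are stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the blk-mq objects involved. */
struct blk_mq_hw_ctx {
	unsigned int queue_num;		/* hardware queue index */
};

struct request {
	struct blk_mq_hw_ctx *mq_hctx;	/* cleared by __blk_mq_free_request */
	unsigned int tag;
};

struct ufs_hw_queue {
	unsigned int sq_cleanups;	/* counts cleanups so the demo can observe them */
};

#define NUM_HWQ 4
static struct ufs_hw_queue uhq[NUM_HWQ];	/* assumed per-host hardware queues */

/* What the completion path does once scsi_done() frees the request
 * (thread B, step 4 in the commit message). */
static void isr_complete(struct request *rq)
{
	__atomic_store_n(&rq->mq_hctx, (struct blk_mq_hw_ctx *)NULL, __ATOMIC_RELEASE);
}

/* Pre-fix lookup: dereferences rq->mq_hctx unconditionally. Calling it
 * after isr_complete() is the NULL dereference from the kernel trace. */
struct ufs_hw_queue *req_to_hwq_unchecked(struct request *rq)
{
	return &uhq[rq->mq_hctx->queue_num];
}

/* Post-fix lookup: read the pointer once, and return NULL when the ISR
 * has already freed the request. */
struct ufs_hw_queue *req_to_hwq_checked(struct request *rq)
{
	struct blk_mq_hw_ctx *hctx = __atomic_load_n(&rq->mq_hctx, __ATOMIC_ACQUIRE);

	if (!hctx)
		return NULL;
	return &uhq[hctx->queue_num];
}

/* Model of ufshcd_mcq_sq_cleanup(): 0 on success, negative on error.
 * A request the ISR already completed needs no SQ cleanup, so a NULL
 * hardware queue is success, exactly as the commit message says. */
static int mcq_sq_cleanup(struct request *rq)
{
	struct ufs_hw_queue *hwq = req_to_hwq_checked(rq);

	if (!hwq)
		return 0;	/* completed by ISR: nothing to clean */
	hwq->sq_cleanups++;
	return 0;
}

/* Interleaving from the commit message: the error handler has seen the
 * command in flight (step 3); if isr_wins the ISR completes it (step 4)
 * before the handler clears it (step 5). Returns the cleanup error code
 * if negative, otherwise how many SQ cleanups were actually performed. */
int run_race(bool isr_wins)
{
	struct blk_mq_hw_ctx hctx = { .queue_num = 2 };
	struct request rq = { .mq_hctx = &hctx, .tag = 6 };
	unsigned int before = uhq[2].sq_cleanups;
	int ret;

	if (isr_wins)
		isr_complete(&rq);		/* thread B, step 4 */
	ret = mcq_sq_cleanup(&rq);		/* thread A, step 5 */
	if (ret < 0)
		return ret;
	return (int)(uhq[2].sq_cleanups - before);
}

int main(void)
{
	printf("ISR completes first: cleanups=%d (expected 0, no crash)\n", run_race(true));
	printf("handler clears first: cleanups=%d (expected 1)\n", run_race(false));
	return 0;
}
```

The unchecked lookup is kept only to show the pre-fix shape; the demo never calls it on a completed request, because that is the crash. The kernel version of the fix has the same structure: one read of mq_hctx, a NULL test, and success returned from the clear path when the request is already gone.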
Potential Impact
For European organizations the impact is availability. A system running an affected kernel on a UFS host in MCQ mode can panic when the error handler races a completing command. UFS is the storage of smartphones, tablets, automotive and industrial embedded boards, IoT gateways and similar Arm-based products (the trace here is from a MediaTek platform), so the failure is an unexpected reboot of the whole device rather than a contained service error. That matters most in telecommunications, automotive, manufacturing and IoT fleets built on Linux or Android with UFS storage, where a reboot interrupts operation and a crash in the middle of a write can lose uncommitted data. Confidentiality and integrity are not affected: the bug is a NULL dereference, not a use-after-free of reusable memory. No exploitation in the wild is reported, and the trigger depends on a narrow timing window around a command that has already failed or timed out, so it is more likely to surface as sporadic field crashes on marginal storage than as a targeted attack. Treat it as a stability fix to ship with the next kernel update rather than an emergency.
Mitigation Recommendations
To mitigate CVE-2024-41054, European organizations should: 1) Update to a kernel that carries the fix (mainline and the stable branches it was backported to); look for the CVE or the commit title "scsi: ufs: core: Fix ufshcd_clear_cmd racing issue" in the distribution or vendor changelog. 2) For embedded, Android and automotive devices, where the kernel ships inside the firmware image, obtain the fix from the SoC or device vendor; MediaTek-based products are the ones in the report, but any UFS host in MCQ mode takes the affected path. 3) Watch kernel logs for the precursor and the signature: the message "ufshcd_try_to_abort_task: cmd pending in the device" followed by a NULL dereference in blk_mq_unique_tag or ufshcd_mcq_sq_cleanup on the ufs_eh_wq workqueue identifies this bug in a crash dump, and repeated UFS error-handler activity without a crash points to a device that will eventually hit the window. 4) The trigger is local storage I/O, not network traffic, so network isolation does not help; limiting untrusted local workloads that can saturate the storage device reduces how often commands time out and enter error handling. 5) Use watchdog-driven reboot and redundancy (A/B partitions, fleet-level failover) so that a panic recovers without manual intervention. 6) Test the updated kernel on the actual hardware before fleet rollout, since the fix touches the storage error path. 7) Disabling UFS is rarely an option because it is usually the boot and root storage on these devices. The UFS core exposes a use_mcq_mode module parameter that controls MCQ on UFSHCI 4.0 hosts; turning it off avoids the affected path at a performance cost, but confirm with the vendor that the shipped kernel honors it before relying on that.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-12T12:17:45.627Z
- CISA Enriched: true
- CVSS Version: null (no CVSS score assigned)
- State: PUBLISHED
Threat ID: 682d9827c4522896dcbe1788
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 3:56:48 AM
Last updated: 8/11/2025, 9:40:19 PM
Views: 14
Related Threats
CVE-2025-8885: CWE-770 Allocation of Resources Without Limits or Throttling in Legion of the Bouncy Castle Inc. Bouncy Castle for Java (Medium)
CVE-2025-26398: CWE-798 Use of Hard-coded Credentials in SolarWinds Database Performance Analyzer (Medium)
CVE-2025-41686: CWE-306 Missing Authentication for Critical Function in Phoenix Contact DaUM (High)
CVE-2025-8874: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in litonice13 Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations (Medium)
CVE-2025-8767: CWE-1236 Improper Neutralization of Formula Elements in a CSV File in anwppro AnWP Football Leagues (Medium)