The Linux kernel development team recently addressed two critical vulnerabilities in the kernel’s handling of NVMe multipath and RDMA/siw functionality, impacting various Linux distributions. These vulnerabilities, identified as CVE-2024-53093 and CVE-2024-53094, were discovered in late October 2024 and pose significant risks to system stability and security. The first issue in the NVMe multipath functionality could lead to a deadlock situation under certain conditions, where partition scanning within the controller’s scan_work context blocked the process. The second vulnerability in the RDMA/siw (Software iWARP) driver caused warnings regarding slab page usage during send_page operations, which could result in potential instability in RDMA communications over TCP/IP.
The first issue, CVE-2024-53093, arose when partition scanning in the NVMe multipath system occurred within the scan_work context, which could cause a deadlock if a path error occurred during scanning. To address this, the kernel developers have modified the system to defer partition scanning to a different context, ensuring that the process no longer blocks scan_work. This fix effectively prevents potential system hangs, enabling smoother operation of NVMe multipath systems across affected versions.
The second vulnerability, CVE-2024-53094, impacted the RDMA/siw driver used for RDMA communication over TCP/IP. The issue manifested when running iSCSI Extensions for RDMA (iSER) over SIW, leading to warnings about slab page usage during send_page operations. The Linux development team addressed this by implementing a sendpage_ok() check in the driver, which disables the MSG_SPLICE_PAGES flag if it returns 0, preventing issues related to skb_splice_from_iter(). This fix ensures the integrity of the RDMA/siw functionality and mitigates potential communication disruptions.
Both vulnerabilities affected multiple versions of the Linux kernel, including long-term support (LTS) releases, with patches backported to the affected stable kernel versions. Users and system administrators are strongly advised to update their kernels to the latest patched versions to protect against these issues. The patches are available through standard update channels and distribution-specific package managers. Regular updates and prompt attention to kernel vulnerabilities remain essential for maintaining the security and performance of Linux-based systems.
