scsi: core: Fix unremoved procfs host directory regression

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2024-26935
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2024-05-01 06:15:08 UTC
Updated2026-05-12 12:16:27 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix unremoved procfs host directory regression Commit fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name} directory earlier") fixed a bug related to modules loading/unloading, by adding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led to a potential duplicate call to the hostdir_rm() routine, since it's also called from scsi_host_dev_release(). That triggered a regression report, which was then fixed by commit be03df3d4bfe ("scsi: core: Fix a procfs host directory removal regression"). The fix just dropped the hostdir_rm() call from dev_release(). But it happens that this proc directory is created on scsi_host_alloc(), and that function "pairs" with scsi_host_dev_release(), while scsi_remove_host() pairs with scsi_add_host(). In other words, it seems the reason for removing the proc directory on dev_release() was meant to cover cases in which a SCSI host structure was allocated, but the call to scsi_add_host() didn't happen. And that pattern happens to exist in some error paths, for example. Syzkaller causes that by using USB raw gadget device, error'ing on usb-storage driver, at usb_stor_probe2(). By checking that path, we can see that the BadDevice label leads to a scsi_host_put() after a SCSI host allocation, but there's no call to scsi_add_host() in such path. That leads to messages like this in dmesg (and a leak of the SCSI host proc structure): usb-storage 4-1:87.51: USB Mass Storage device detected proc_dir_entry 'scsi/usb-storage' already registered WARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376 The proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(), but guard that with the state check for SHOST_CREATED; there is even a comment in scsi_host_dev_release() detailing that: such conditional is meant for cases where the SCSI host was allocated but there was no calls to {add,remove}_host(), like the usb-storage case. This is what we propose here and with that, the error path of usb-storage does not trigger the warning anymore.

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: NVD-CWE-noinfo

CVSS v3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 88c3d3bb6469cea929ac68fd326bdcbefcdfdd83 0053f15d50d50c9312d8ab9c11e2e405812dfcac git Not specified
CNA Linux Linux affected 68c665bb185037e7eb66fb792c61da9d7151e99c 5c2386ba80e779a92ec3bb64ccadbedd88f779b1 git Not specified
CNA Linux Linux affected 2a764d55e938743efa7c2cba7305633bcf227f09 cea234bb214b17d004dfdccce4491e6ff57c96ee git Not specified
CNA Linux Linux affected 7e0ae8667fcdd99d1756922e1140cac75f5fa279 3678cf67ff7136db1dd3bf63c361650db5d92889 git Not specified
CNA Linux Linux affected be03df3d4bfe7e8866d4aa43d62e648ffe884f5f d4c34782b6d7b1e68d18d9549451b19433bd4c6c git Not specified
CNA Linux Linux affected be03df3d4bfe7e8866d4aa43d62e648ffe884f5f e293c773c13b830cdc251f155df2254981abc320 git Not specified
CNA Linux Linux affected be03df3d4bfe7e8866d4aa43d62e648ffe884f5f f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7 git Not specified
CNA Linux Linux affected be03df3d4bfe7e8866d4aa43d62e648ffe884f5f f23a4d6e07570826fe95023ca1aa96a011fa9f84 git Not specified
CNA Linux Linux affected 73f030d4ef6d1ad17f824a0a2eb637ef7a9c7d51 git Not specified
CNA Linux Linux affected 6.3 Not specified
CNA Linux Linux unaffected 6.3 semver Not specified
CNA Linux Linux unaffected 5.4.274 5.4.* semver Not specified
CNA Linux Linux unaffected 5.10.215 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.154 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.84 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.24 6.6.* semver Not specified
CNA Linux Linux unaffected 6.7.12 6.7.* semver Not specified
CNA Linux Linux unaffected 6.8.3 6.8.* semver Not specified
CNA Linux Linux unaffected 6.9 * original_commit_for_fix Not specified
ADP Siemens SIMATIC S7-1500 TM MFP - GNU/Linux Subsystem affected * custom Not specified

References

ReferenceSourceLinkTags
lists.debian.org/debian-lts-announce/2024/06/msg00017.html af854a3a-2127-422b-91ae-364da2661108 lists.debian.org Third Party Advisory
git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
cert-portal.siemens.com/productcert/html/ssa-265688.html 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e cert-portal.siemens.com
git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1 af854a3a-2127-422b-91ae-364da2661108 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report