{"api_version":"1","generated_at":"2026-05-13T16:05:59+00:00","cve":"CVE-2024-26935","urls":{"html":"https://cve.report/CVE-2024-26935","api":"https://cve.report/api/cve/CVE-2024-26935.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-26935","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-26935"},"summary":{"title":"scsi: core: Fix unremoved procfs host directory regression","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix unremoved procfs host directory regression\n\nCommit fc663711b944 (\"scsi: core: Remove the /proc/scsi/${proc_name}\ndirectory earlier\") fixed a bug related to modules loading/unloading, by\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\nto a potential duplicate call to the hostdir_rm() routine, since it's also\ncalled from scsi_host_dev_release(). That triggered a regression report,\nwhich was then fixed by commit be03df3d4bfe (\"scsi: core: Fix a procfs host\ndirectory removal regression\"). The fix just dropped the hostdir_rm() call\nfrom dev_release().\n\nBut it happens that this proc directory is created on scsi_host_alloc(),\nand that function \"pairs\" with scsi_host_dev_release(), while\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\nreason for removing the proc directory on dev_release() was meant to cover\ncases in which a SCSI host structure was allocated, but the call to\nscsi_add_host() didn't happen. And that pattern happens to exist in some\nerror paths, for example.\n\nSyzkaller causes that by using USB raw gadget device, error'ing on\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\nallocation, but there's no call to scsi_add_host() in such path. That leads\nto messages like this in dmesg (and a leak of the SCSI host proc\nstructure):\n\nusb-storage 4-1:87.51: USB Mass Storage device detected\nproc_dir_entry 'scsi/usb-storage' already registered\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\n\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\nbut guard that with the state check for SHOST_CREATED; there is even a\ncomment in scsi_host_dev_release() detailing that: such conditional is\nmeant for cases where the SCSI host was allocated but there was no calls to\n{add,remove}_host(), like the usb-storage case.\n\nThis is what we propose here and with that, the error path of usb-storage\ndoes not trigger the warning anymore.","state":"PUBLISHED","assigner":"Linux","published_at":"2024-05-01 06:15:08","updated_at":"2026-05-12 12:16:27"},"problem_types":["NVD-CWE-noinfo"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","name":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889","name":"https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee","name":"https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c","name":"https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320","name":"https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84","name":"https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac","name":"https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7","name":"https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1","name":"https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-26935","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26935","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 88c3d3bb6469cea929ac68fd326bdcbefcdfdd83 0053f15d50d50c9312d8ab9c11e2e405812dfcac git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 68c665bb185037e7eb66fb792c61da9d7151e99c 5c2386ba80e779a92ec3bb64ccadbedd88f779b1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2a764d55e938743efa7c2cba7305633bcf227f09 cea234bb214b17d004dfdccce4491e6ff57c96ee git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7e0ae8667fcdd99d1756922e1140cac75f5fa279 3678cf67ff7136db1dd3bf63c361650db5d92889 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected be03df3d4bfe7e8866d4aa43d62e648ffe884f5f d4c34782b6d7b1e68d18d9549451b19433bd4c6c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected be03df3d4bfe7e8866d4aa43d62e648ffe884f5f e293c773c13b830cdc251f155df2254981abc320 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected be03df3d4bfe7e8866d4aa43d62e648ffe884f5f f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected be03df3d4bfe7e8866d4aa43d62e648ffe884f5f f23a4d6e07570826fe95023ca1aa96a011fa9f84 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 73f030d4ef6d1ad17f824a0a2eb637ef7a9c7d51 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.3","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.3 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.4.274 5.4.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.215 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.154 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.84 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.24 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.7.12 6.7.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.8.3 6.8.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.9 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","version":"affected * custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2024","cve_id":"26935","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2024-26935","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-06-21T14:41:52.902192Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-06-21T14:42:04.057Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2024-08-02T00:21:05.717Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84"},{"tags":["x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"}],"title":"CVE Program Container"},{"affected":[{"defaultStatus":"unknown","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"0","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T11:50:44.058Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/scsi/hosts.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"0053f15d50d50c9312d8ab9c11e2e405812dfcac","status":"affected","version":"88c3d3bb6469cea929ac68fd326bdcbefcdfdd83","versionType":"git"},{"lessThan":"5c2386ba80e779a92ec3bb64ccadbedd88f779b1","status":"affected","version":"68c665bb185037e7eb66fb792c61da9d7151e99c","versionType":"git"},{"lessThan":"cea234bb214b17d004dfdccce4491e6ff57c96ee","status":"affected","version":"2a764d55e938743efa7c2cba7305633bcf227f09","versionType":"git"},{"lessThan":"3678cf67ff7136db1dd3bf63c361650db5d92889","status":"affected","version":"7e0ae8667fcdd99d1756922e1140cac75f5fa279","versionType":"git"},{"lessThan":"d4c34782b6d7b1e68d18d9549451b19433bd4c6c","status":"affected","version":"be03df3d4bfe7e8866d4aa43d62e648ffe884f5f","versionType":"git"},{"lessThan":"e293c773c13b830cdc251f155df2254981abc320","status":"affected","version":"be03df3d4bfe7e8866d4aa43d62e648ffe884f5f","versionType":"git"},{"lessThan":"f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7","status":"affected","version":"be03df3d4bfe7e8866d4aa43d62e648ffe884f5f","versionType":"git"},{"lessThan":"f23a4d6e07570826fe95023ca1aa96a011fa9f84","status":"affected","version":"be03df3d4bfe7e8866d4aa43d62e648ffe884f5f","versionType":"git"},{"status":"affected","version":"73f030d4ef6d1ad17f824a0a2eb637ef7a9c7d51","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/scsi/hosts.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.3"},{"lessThan":"6.3","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.4.*","status":"unaffected","version":"5.4.274","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.215","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.154","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.84","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.24","versionType":"semver"},{"lessThanOrEqual":"6.7.*","status":"unaffected","version":"6.7.12","versionType":"semver"},{"lessThanOrEqual":"6.8.*","status":"unaffected","version":"6.8.3","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.9","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.274","versionStartIncluding":"5.4.238","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.215","versionStartIncluding":"5.10.176","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.154","versionStartIncluding":"5.15.104","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.84","versionStartIncluding":"6.1.21","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.24","versionStartIncluding":"6.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.7.12","versionStartIncluding":"6.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.8.3","versionStartIncluding":"6.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.9","versionStartIncluding":"6.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2.8","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix unremoved procfs host directory regression\n\nCommit fc663711b944 (\"scsi: core: Remove the /proc/scsi/${proc_name}\ndirectory earlier\") fixed a bug related to modules loading/unloading, by\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\nto a potential duplicate call to the hostdir_rm() routine, since it's also\ncalled from scsi_host_dev_release(). That triggered a regression report,\nwhich was then fixed by commit be03df3d4bfe (\"scsi: core: Fix a procfs host\ndirectory removal regression\"). The fix just dropped the hostdir_rm() call\nfrom dev_release().\n\nBut it happens that this proc directory is created on scsi_host_alloc(),\nand that function \"pairs\" with scsi_host_dev_release(), while\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\nreason for removing the proc directory on dev_release() was meant to cover\ncases in which a SCSI host structure was allocated, but the call to\nscsi_add_host() didn't happen. And that pattern happens to exist in some\nerror paths, for example.\n\nSyzkaller causes that by using USB raw gadget device, error'ing on\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\nallocation, but there's no call to scsi_add_host() in such path. That leads\nto messages like this in dmesg (and a leak of the SCSI host proc\nstructure):\n\nusb-storage 4-1:87.51: USB Mass Storage device detected\nproc_dir_entry 'scsi/usb-storage' already registered\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\n\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\nbut guard that with the state check for SHOST_CREATED; there is even a\ncomment in scsi_host_dev_release() detailing that: such conditional is\nmeant for cases where the SCSI host was allocated but there was no calls to\n{add,remove}_host(), like the usb-storage case.\n\nThis is what we propose here and with that, the error path of usb-storage\ndoes not trigger the warning anymore."}],"providerMetadata":{"dateUpdated":"2026-05-11T20:07:13.385Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac"},{"url":"https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1"},{"url":"https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee"},{"url":"https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889"},{"url":"https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c"},{"url":"https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320"},{"url":"https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7"},{"url":"https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84"}],"title":"scsi: core: Fix unremoved procfs host directory regression","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2024-26935","datePublished":"2024-05-01T05:17:31.445Z","dateReserved":"2024-02-19T14:20:24.196Z","dateUpdated":"2026-05-12T11:50:44.058Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-05-01 06:15:08","lastModifiedDate":"2026-05-12 12:16:27","problem_types":["NVD-CWE-noinfo"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.238","versionEndExcluding":"5.4.274","matchCriteriaId":"BF3B8422-936F-4A18-84B2-64EA737CDEAF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.176","versionEndExcluding":"5.10.215","matchCriteriaId":"916DA275-F436-4EBF-A77A-DAFC987444CB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.104","versionEndExcluding":"5.15.154","matchCriteriaId":"184AE1D2-F923-4E3C-A46A-B0747F0CAB35"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.21","versionEndExcluding":"6.1.84","matchCriteriaId":"1B5C250F-C8F2-4845-9D82-345AEC8F5A26"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2.8","versionEndExcluding":"6.3","matchCriteriaId":"965D00B8-87E5-460E-A89A-5F5DF119D845"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3.1","versionEndExcluding":"6.6.24","matchCriteriaId":"160B1C43-FE8E-4968-997F-93D3DEDBC39C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.12","matchCriteriaId":"6BE9771A-BAFD-4624-95F9-58D536540C53"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.8.3","matchCriteriaId":"4C59BBC3-6495-4A77-9C82-55EC7CDF5E02"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.3:-:*:*:*:*:*:*","matchCriteriaId":"21D6F467-B848-453E-B1A4-BEF940E413A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.3:rc3:*:*:*:*:*:*","matchCriteriaId":"3583026A-27EC-4A4C-850A-83F2AF970673"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.3:rc4:*:*:*:*:*:*","matchCriteriaId":"DC271202-7570-4505-89A4-D602D47BFD00"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.3:rc5:*:*:*:*:*:*","matchCriteriaId":"D413BB6D-4F74-4C7D-9163-47786619EF53"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.3:rc6:*:*:*:*:*:*","matchCriteriaId":"F4D613FB-9976-4989-8C4A-567773373CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.3:rc7:*:*:*:*:*:*","matchCriteriaId":"B1240A34-749A-49F5-B8DD-C09441AD2228"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*","matchCriteriaId":"22BEDD49-2C6D-402D-9DBF-6646F6ECD10B"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"26935","Ordinal":"1","Title":"scsi: core: Fix unremoved procfs host directory regression","CVE":"CVE-2024-26935","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"26935","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix unremoved procfs host directory regression\n\nCommit fc663711b944 (\"scsi: core: Remove the /proc/scsi/${proc_name}\ndirectory earlier\") fixed a bug related to modules loading/unloading, by\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\nto a potential duplicate call to the hostdir_rm() routine, since it's also\ncalled from scsi_host_dev_release(). That triggered a regression report,\nwhich was then fixed by commit be03df3d4bfe (\"scsi: core: Fix a procfs host\ndirectory removal regression\"). The fix just dropped the hostdir_rm() call\nfrom dev_release().\n\nBut it happens that this proc directory is created on scsi_host_alloc(),\nand that function \"pairs\" with scsi_host_dev_release(), while\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\nreason for removing the proc directory on dev_release() was meant to cover\ncases in which a SCSI host structure was allocated, but the call to\nscsi_add_host() didn't happen. And that pattern happens to exist in some\nerror paths, for example.\n\nSyzkaller causes that by using USB raw gadget device, error'ing on\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\nallocation, but there's no call to scsi_add_host() in such path. That leads\nto messages like this in dmesg (and a leak of the SCSI host proc\nstructure):\n\nusb-storage 4-1:87.51: USB Mass Storage device detected\nproc_dir_entry 'scsi/usb-storage' already registered\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\n\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\nbut guard that with the state check for SHOST_CREATED; there is even a\ncomment in scsi_host_dev_release() detailing that: such conditional is\nmeant for cases where the SCSI host was allocated but there was no calls to\n{add,remove}_host(), like the usb-storage case.\n\nThis is what we propose here and with that, the error path of usb-storage\ndoes not trigger the warning anymore.","Type":"Description","Title":"scsi: core: Fix unremoved procfs host directory regression"}]}}}