Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's QLogic QED driver causes thread scheduling delays. The root cause is the default behavior of 'qed_mcp_cmd_and_union()', which delays on each pass of a loop that can iterate 500,000 times, so the function can block the current thread for over 5 seconds. The code is reachable through the 'ethtool' command, which calls 'qed_mcp_trace_dump()'. The vulnerability is present in the Linux kernel stable tree and affects several versions.
Exploitation of this vulnerability leads to significant thread scheduling delays, causing the affected thread to be unresponsive for an extended period. In production environments, such delays have been observed to exceed 700 milliseconds, with one instance recorded at 744 milliseconds.
The vulnerability can be reproduced by invoking the 'ethtool' command, which triggers the 'qed_mcp_trace_dump()' function. This function, in turn, calls 'qed_mcp_cmd_and_union()', whose delay loop can block the thread for over 5 seconds. The issue can be observed by monitoring thread scheduling, which shows that no rescheduling takes place even though a thread is waiting to be processed.
The vulnerability has been addressed in a patch that allows the 'qed_mcp_trace_dump()' function to sleep, preventing the thread scheduling delays. This patch is available in the Linux kernel stable tree.
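One way to observe the scheduling delay described above, and to confirm it is gone after patching, is sketched below as an added example (not part of the original page or of the kernel patch). It samples the cumulative run-queue wait counter in /proc/<pid>/task/<tid>/schedstat twice and reports threads whose wait grew by more than the 700 ms seen in production; it assumes a kernel that exposes schedstat, and the 10-second window and function names are illustrative.

```python
import os
import time

THRESHOLD_MS = 700   # delay magnitude the page reports from production
WINDOW_S = 10        # assumed sampling window; run the ethtool dump inside it


def parse_schedstat(text):
    """Return (on_cpu_ns, runqueue_wait_ns, timeslices) from one schedstat line."""
    fields = text.split()
    if len(fields) < 3:
        raise ValueError("unexpected schedstat format: %r" % text)
    return tuple(int(f) for f in fields[:3])


def snapshot(proc_root="/proc"):
    """Map 'pid/tid' -> cumulative run-queue wait (ns) for each readable thread."""
    snap = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        task_dir = os.path.join(proc_root, pid, "task")
        try:
            tids = os.listdir(task_dir)
        except OSError:
            continue  # process exited between the two listdir calls
        for tid in tids:
            try:
                with open(os.path.join(task_dir, tid, "schedstat")) as fh:
                    snap[pid + "/" + tid] = parse_schedstat(fh.read())[1]
            except (OSError, ValueError):
                continue  # thread gone, or schedstat unavailable
    return snap


def delayed_threads(before, after, threshold_ms=THRESHOLD_MS):
    """Threads in both snapshots whose wait grew by more than threshold_ms."""
    hits = []
    for key, wait_after in after.items():
        if key in before:
            delta_ms = (wait_after - before[key]) / 1e6
            if delta_ms > threshold_ms:
                hits.append((key, delta_ms))
    return sorted(hits, key=lambda hit: -hit[1])


if __name__ == "__main__":
    first = snapshot()
    time.sleep(WINDOW_S)
    for key, ms in delayed_threads(first, snapshot()):
        print("%s waited %.0f ms on the run queue" % (key, ms))
```

Run-queue wait also grows under ordinary CPU contention, so a hit is a lead to correlate with the time of the 'ethtool' dump, not proof on its own.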