CVE-2024-27435 in Linux
Summary
by MITRE • 05/17/2024
In the Linux kernel, the following vulnerability has been resolved:
nvme: fix reconnection fail due to reserved tag allocation
We found a issue on production environment while using NVMe over RDMA, admin_q reconnect failed forever while remote target and network is ok. After dig into it, we found it may caused by a ABBA deadlock due to tag allocation. In my case, the tag was hold by a keep alive request waiting inside admin_q, as we quiesced admin_q while reset ctrl, so the request maked as idle and will not process before reset success. As fabric_q shares tagset with admin_q, while reconnect remote target, we need a tag for connect command, but the only one reserved tag was held by keep alive command which waiting inside admin_q. As a result, we failed to reconnect admin_q forever. In order to fix this issue, I think we should keep two reserved tags for admin queue.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 01/23/2026
The vulnerability CVE-2024-27435 represents a critical issue within the Linux kernel's NVMe over RDMA implementation that fundamentally compromises the reliability of storage subsystems. This defect manifests as an infinite reconnection failure occurring when the NVMe controller attempts to reestablish communication with remote targets after network disruptions or controller resets. The flaw specifically impacts the administrative queue (admin_q) handling mechanism, where the kernel's tag allocation system becomes trapped in a deadlock condition that prevents normal operation. The vulnerability arises from the improper management of reserved tags during controller reset operations, creating a scenario where essential connection commands cannot acquire the necessary resources to function properly.
The technical root cause of this vulnerability stems from a classic ABBA deadlock pattern that occurs during NVMe controller reconnection sequences. When a controller reset is initiated, the administrative queue enters a quiesced state where pending requests are marked as idle and suspended until the reset operation completes. However, the keep alive request that was previously queued within the admin_q remains in this suspended state, holding onto a reserved tag that should be available for new connection commands. The fabric queue shares the same tagset as the admin queue, creating a resource contention scenario where the connection command required for reestablishing communication cannot obtain a tag because it is already occupied by the suspended keep alive request. This architectural flaw violates fundamental resource management principles and demonstrates poor handling of concurrent access patterns in high-performance storage protocols.
The operational impact of this vulnerability extends far beyond simple connectivity issues, potentially leading to complete storage subsystem failures in production environments where NVMe over RDMA is deployed. Organizations relying on NVMe over RDMA for high-speed data access and storage operations face significant risks including extended downtime, data access interruptions, and potential service degradation that can cascade across entire infrastructure components. The vulnerability particularly affects enterprise storage arrays, cloud computing environments, and high-performance computing clusters that depend on reliable NVMe over RDMA connectivity for optimal performance. The infinite reconnection loop means that even when underlying network conditions return to normal, the system remains unable to restore proper communication with storage targets, effectively rendering the storage path unusable until manual intervention or system reboot occurs.
The fix implemented for this vulnerability addresses the core resource allocation issue by ensuring that the administrative queue maintains sufficient reserved tags to handle critical reconnection operations. Specifically, the solution involves reserving two tags for the admin queue instead of the previous single reservation, allowing the connection command to proceed even when a keep alive request is suspended in the queue. This approach aligns with established best practices for resource management in concurrent systems and follows the principles outlined in CWE-362, which addresses race conditions and concurrent access issues. The mitigation strategy also reflects ATT&CK technique T1486, which involves data encryption and storage manipulation, by ensuring proper resource availability during critical system recovery operations. Organizations should implement this fix immediately to prevent potential storage outages and maintain the reliability of their NVMe over RDMA implementations, particularly in mission-critical environments where storage availability is paramount for business continuity.