Release Date: | 2024-07-12 |
In the Linux kernel, the following vulnerability has been resolved:\nwifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()\nThe ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to\nsynchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from\nsoftirq context. However using only spin_lock() to get sta->ps_lock in\nieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute\non this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to\ntake this same lock ending in deadlock. Below is an example of rcu stall\nthat arises in such situation.\nrcu: INFO: rcu_sched self-detected stall on CPU\nrcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996\nrcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)\nCPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742\nHardware name: RPT (r1) (DT)\npstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : queued_spin_lock_slowpath+0x58/0x2d0\nlr : invoke_tx_handlers_early+0x5b4/0x5c0\nsp : ffff00001ef64660\nx29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8\nx26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000\nx23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000\nx20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000\nx17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80\nx14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da\nx11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440\nx8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880\nx5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8\nCall trace:\nqueued_spin_lock_slowpath+0x58/0x2d0\nieee80211_tx+0x80/0x12c\nieee80211_tx_pending+0x110/0x278\ntasklet_action_common.constprop.0+0x10c/0x144\ntasklet_action+0x20/0x28\n_stext+0x11c/0x284\n____do_softirq+0xc/0x14\ncall_on_irq_stack+0x24/0x34\ndo_softirq_own_stack+0x18/0x20\ndo_softirq+0x74/0x7c\n__local_bh_enable_ip+0xa0/0xa4\n_ieee80211_wake_txqs+0x3b0/0x4b8\n__ieee80211_wake_queue+0x12c/0x168\nieee80211_add_pending_skbs+0xec/0x138\nieee80211_sta_ps_deliver_wakeup+0x2a4/0x480\nieee80211_mps_sta_status_update.part.0+0xd8/0x11c\nieee80211_mps_sta_status_update+0x18/0x24\nsta_apply_parameters+0x3bc/0x4c0\nieee80211_change_station+0x1b8/0x2dc\nnl80211_set_station+0x444/0x49c\ngenl_family_rcv_msg_doit.isra.0+0xa4/0xfc\ngenl_rcv_msg+0x1b0/0x244\nnetlink_rcv_skb+0x38/0x10c\ngenl_rcv+0x34/0x48\nnetlink_unicast+0x254/0x2bc\nnetlink_sendmsg+0x190/0x3b4\n____sys_sendmsg+0x1e8/0x218\n___sys_sendmsg+0x68/0x8c\n__sys_sendmsg+0x44/0x84\n__arm64_sys_sendmsg+0x20/0x28\ndo_el0_svc+0x6c/0xe8\nel0_svc+0x14/0x48\nel0t_64_sync_handler+0xb0/0xb4\nel0t_64_sync+0x14c/0x150\nUsing spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise\non the same CPU that is holding the lock.
See more information about CVE-2024-40912 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.
Base Score: | 4.7 | CVSS Vector: | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
Attack Vector: | Local network | Attack Complexity: | High |
Privileges Required: | Low | User Interaction: | None |
Scope: | Unchanged | Confidentiality Impact: | None |
Integrity Impact: | None | Availability Impact: | High |
Platform | Errata | Release Date |
Oracle Linux version 7 (kernel-uek) | ELSA-2024-12610 | 2024-09-10 |
Oracle Linux version 7 (kernel-uek) | ELSA-2024-12779 | 2024-10-11 |
Oracle Linux version 7 (kernel-uek-container) | ELSA-2024-12612 | 2024-09-11 |
Oracle Linux version 8 (kernel) | ELSA-2024-7000 | 2024-09-24 |
Oracle Linux version 8 (kernel-uek) | ELSA-2024-12610 | 2024-09-10 |
Oracle Linux version 8 (kernel-uek) | ELSA-2024-12618 | 2024-09-12 |
Oracle Linux version 8 (kernel-uek-container) | ELSA-2024-12612 | 2024-09-11 |
Oracle Linux version 9 (kernel) | ELSA-2024-5928 | 2024-08-28 |
Oracle Linux version 9 (kernel-uek) | ELSA-2024-12618 | 2024-09-12 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: