{ "threat_severity" : "Moderate", "public_date" : "2024-07-12T00:00:00Z", "bugzilla" : { "description" : "kernel: wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()", "id" : "2297496", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2297496" }, "cvss3" : { "cvss3_base_score" : "4.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-833", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()\nThe ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to\nsynchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from\nsoftirq context. However using only spin_lock() to get sta->ps_lock in\nieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute\non this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to\ntake this same lock ending in deadlock. Below is an example of rcu stall\nthat arises in such situation.\nrcu: INFO: rcu_sched self-detected stall on CPU\nrcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996\nrcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)\nCPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742\nHardware name: RPT (r1) (DT)\npstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : queued_spin_lock_slowpath+0x58/0x2d0\nlr : invoke_tx_handlers_early+0x5b4/0x5c0\nsp : ffff00001ef64660\nx29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8\nx26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000\nx23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000\nx20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000\nx17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80\nx14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da\nx11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440\nx8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880\nx5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8\nCall trace:\nqueued_spin_lock_slowpath+0x58/0x2d0\nieee80211_tx+0x80/0x12c\nieee80211_tx_pending+0x110/0x278\ntasklet_action_common.constprop.0+0x10c/0x144\ntasklet_action+0x20/0x28\n_stext+0x11c/0x284\n____do_softirq+0xc/0x14\ncall_on_irq_stack+0x24/0x34\ndo_softirq_own_stack+0x18/0x20\ndo_softirq+0x74/0x7c\n__local_bh_enable_ip+0xa0/0xa4\n_ieee80211_wake_txqs+0x3b0/0x4b8\n__ieee80211_wake_queue+0x12c/0x168\nieee80211_add_pending_skbs+0xec/0x138\nieee80211_sta_ps_deliver_wakeup+0x2a4/0x480\nieee80211_mps_sta_status_update.part.0+0xd8/0x11c\nieee80211_mps_sta_status_update+0x18/0x24\nsta_apply_parameters+0x3bc/0x4c0\nieee80211_change_station+0x1b8/0x2dc\nnl80211_set_station+0x444/0x49c\ngenl_family_rcv_msg_doit.isra.0+0xa4/0xfc\ngenl_rcv_msg+0x1b0/0x244\nnetlink_rcv_skb+0x38/0x10c\ngenl_rcv+0x34/0x48\nnetlink_unicast+0x254/0x2bc\nnetlink_sendmsg+0x190/0x3b4\n____sys_sendmsg+0x1e8/0x218\n___sys_sendmsg+0x68/0x8c\n__sys_sendmsg+0x44/0x84\n__arm64_sys_sendmsg+0x20/0x28\ndo_el0_svc+0x6c/0xe8\nel0_svc+0x14/0x48\nel0t_64_sync_handler+0xb0/0xb4\nel0t_64_sync+0x14c/0x150\nUsing spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise\non the same CPU that is holding the lock.", "A vulnerability was found in the Linux kernel's mac80211 component within the ieee80211_sta_ps_deliver_wakeup() function, where improper locking of the sta->ps_lock can lead to a deadlock condition, which occurs because the function uses a spin lock without preventing softirq execution on the same CPU, causing potential stalls." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-09-24T00:00:00Z", "advisory" : "RHSA-2024:7001", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-09-24T00:00:00Z", "advisory" : "RHSA-2024:7000", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.22.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-08-28T00:00:00Z", "advisory" : "RHSA-2024:5928", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.33.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-08-28T00:00:00Z", "advisory" : "RHSA-2024:5928", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.33.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-40912\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40912\nhttps://lore.kernel.org/linux-cve-announce/2024071210-CVE-2024-40912-7286@gregkh/T" ], "name" : "CVE-2024-40912", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }