CVE-2024-40912

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()<br /> <br /> The ieee80211_sta_ps_deliver_wakeup() function takes sta-&gt;ps_lock to<br /> synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from<br /> softirq context. However using only spin_lock() to get sta-&gt;ps_lock in<br /> ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute<br /> on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to<br /> take this same lock ending in deadlock. Below is an example of rcu stall<br /> that arises in such situation.<br /> <br /> rcu: INFO: rcu_sched self-detected stall on CPU<br /> rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996<br /> rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)<br /> CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742<br /> Hardware name: RPT (r1) (DT)<br /> pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : queued_spin_lock_slowpath+0x58/0x2d0<br /> lr : invoke_tx_handlers_early+0x5b4/0x5c0<br /> sp : ffff00001ef64660<br /> x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8<br /> x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000<br /> x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000<br /> x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000<br /> x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80<br /> x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da<br /> x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440<br /> x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880<br /> x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000<br /> x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8<br /> Call trace:<br /> queued_spin_lock_slowpath+0x58/0x2d0<br /> ieee80211_tx+0x80/0x12c<br /> ieee80211_tx_pending+0x110/0x278<br /> tasklet_action_common.constprop.0+0x10c/0x144<br /> tasklet_action+0x20/0x28<br /> _stext+0x11c/0x284<br /> ____do_softirq+0xc/0x14<br /> call_on_irq_stack+0x24/0x34<br /> do_softirq_own_stack+0x18/0x20<br /> do_softirq+0x74/0x7c<br /> __local_bh_enable_ip+0xa0/0xa4<br /> _ieee80211_wake_txqs+0x3b0/0x4b8<br /> __ieee80211_wake_queue+0x12c/0x168<br /> ieee80211_add_pending_skbs+0xec/0x138<br /> ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480<br /> ieee80211_mps_sta_status_update.part.0+0xd8/0x11c<br /> ieee80211_mps_sta_status_update+0x18/0x24<br /> sta_apply_parameters+0x3bc/0x4c0<br /> ieee80211_change_station+0x1b8/0x2dc<br /> nl80211_set_station+0x444/0x49c<br /> genl_family_rcv_msg_doit.isra.0+0xa4/0xfc<br /> genl_rcv_msg+0x1b0/0x244<br /> netlink_rcv_skb+0x38/0x10c<br /> genl_rcv+0x34/0x48<br /> netlink_unicast+0x254/0x2bc<br /> netlink_sendmsg+0x190/0x3b4<br /> ____sys_sendmsg+0x1e8/0x218<br /> ___sys_sendmsg+0x68/0x8c<br /> __sys_sendmsg+0x44/0x84<br /> __arm64_sys_sendmsg+0x20/0x28<br /> do_el0_svc+0x6c/0xe8<br /> el0_svc+0x14/0x48<br /> el0t_64_sync_handler+0xb0/0xb4<br /> el0t_64_sync+0x14c/0x150<br /> <br /> Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise<br /> on the same CPU that is holding the lock.