CVE-2026-46031

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/05/2026
Last modified:
16/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ks8851: Reinstate disabling of BHs around IRQ handler

If the driver executes ks8851_irq() AND a TX packet has been sent, then the driver enables TX queue via netif_wake_queue() which schedules TX softirq to queue packets for this device.

If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to allocate SKBs for the received packets. If netdev_alloc_skb_ip_align() is called with BH enabled, then local_bh_enable() at the end of netdev_alloc_skb_ip_align() will trigger the pending softirq processing, which may ultimately call the .xmit callback ks8851_start_xmit_par(). The ks8851_start_xmit_par() will try to lock struct ks8851_net_par .lock spinlock, which is already locked by ks8851_irq() from which ks8851_start_xmit_par() was called. This leads to a deadlock, which is reported by the kernel, including a trace listed below.

If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0 ("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock can also be triggered without received packet in the RX FIFO. The pending softirqs will be processed on return from spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the deadlock as well.

Fix the problem by disabling BH around critical sections, including the IRQ handler, thus preventing the net_tx_action() softirq from triggering during these critical sections. The net_tx_action() softirq is triggered once BH are re-enabled and at the end of the IRQ handler, once all the other IRQ handler actions have been completed.

__schedule from schedule_rtlock+0x1c/0x34
schedule_rtlock from rtlock_slowlock_locked+0x548/0x904
rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c
rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8
ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44
netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188
dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c
sch_direct_xmit from __qdisc_run+0x1f8/0x4ec
__qdisc_run from qdisc_run+0x1c/0x28
qdisc_run from net_tx_action+0x1f0/0x268
net_tx_action from handle_softirqs+0x1a4/0x270
handle_softirqs from __local_bh_enable_ip+0xcc/0xe0
__local_bh_enable_ip from __alloc_skb+0xd8/0x128
__alloc_skb from __netdev_alloc_skb+0x3c/0x19c
__netdev_alloc_skb from ks8851_irq+0x388/0x4d4
ks8851_irq from irq_thread_fn+0x24/0x64
irq_thread_fn from irq_thread+0x178/0x28c
irq_thread from kthread+0x12c/0x138
kthread from ret_from_fork+0x14/0x28
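The lock re-entry described above, reduced to a user-space C model (an added example, not the driver's code or the upstream patch). Every `model_*` name is hypothetical, and the inner BH disable/enable pair stands for the BH enable at the end of the SKB allocation or the spin_unlock_bh() on the state lock.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model; every name is hypothetical, not kernel code. */
struct model {
    int  bh_disabled;    /* nesting depth of BH-disabled sections */
    bool tx_pending;     /* TX softirq raised by the queue wake-up */
    bool dev_lock_held;  /* device lock taken by the IRQ handler */
    bool deadlock;       /* xmit tried to take a lock its caller holds */
    int  xmit_done;      /* xmit callbacks that completed */
};

/* xmit callback: needs the device lock, so running under it never returns. */
static void model_xmit(struct model *m)
{
    if (m->dev_lock_held) { m->deadlock = true; return; }
    m->xmit_done++;
}

static void model_bh_disable(struct model *m) { m->bh_disabled++; }

/* Re-enabling BH at nesting depth 0 runs a pending TX softirq at once. */
static void model_bh_enable(struct model *m)
{
    if (--m->bh_disabled == 0 && m->tx_pending) {
        m->tx_pending = false;
        model_xmit(m);
    }
}

/* IRQ handler after a TX completion; bh_fix selects the patched ordering. */
struct model model_irq(bool bh_fix)
{
    struct model m = {0};
    if (bh_fix) model_bh_disable(&m);
    m.dev_lock_held = true;
    m.tx_pending = true;              /* queue wake-up schedules TX softirq */
    model_bh_disable(&m);             /* helper with its own BH section ... */
    model_bh_enable(&m);              /* ... whose end may run the softirq */
    m.dev_lock_held = false;
    if (bh_fix) model_bh_enable(&m);  /* softirq runs here, lock released */
    return m;
}

int main(void)
{
    struct model a = model_irq(false), b = model_irq(true);
    printf("unpatched: deadlock=%d xmit=%d\n", a.deadlock, a.xmit_done);
    printf("patched:   deadlock=%d xmit=%d\n", b.deadlock, b.xmit_done);
    return 0;
}
```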

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1.91 (including) 6.1.175 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6.31 (including) 6.6.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.8.10 (including) 6.9 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.9.1 (including) 6.12.86 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.27 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 7.0.4 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:-:*:*:*:*:*:*