cve/published/2024/CVE-2024-40912.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-40912: wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

 The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to
 synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from
 softirq context. However using only spin_lock() to get sta->ps_lock in
 ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute
 on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to
 take this same lock ending in deadlock. Below is an example of rcu stall
 that arises in such situation.

  rcu: INFO: rcu_sched self-detected stall on CPU
  rcu:    2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996
  rcu:    (t=42586894 jiffies g=2057 q=362405 ncpus=4)
  CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G        W          6.4.0-02158-g1b062f552873 #742
  Hardware name: RPT (r1) (DT)
  pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : queued_spin_lock_slowpath+0x58/0x2d0
  lr : invoke_tx_handlers_early+0x5b4/0x5c0
  sp : ffff00001ef64660
  x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8
  x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000
  x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000
  x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000
  x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80
  x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da
  x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440
  x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880
  x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000
  x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8
  Call trace:
   queued_spin_lock_slowpath+0x58/0x2d0
   ieee80211_tx+0x80/0x12c
   ieee80211_tx_pending+0x110/0x278
   tasklet_action_common.constprop.0+0x10c/0x144
   tasklet_action+0x20/0x28
   _stext+0x11c/0x284
   ____do_softirq+0xc/0x14
   call_on_irq_stack+0x24/0x34
   do_softirq_own_stack+0x18/0x20
   do_softirq+0x74/0x7c
   __local_bh_enable_ip+0xa0/0xa4
   _ieee80211_wake_txqs+0x3b0/0x4b8
   __ieee80211_wake_queue+0x12c/0x168
   ieee80211_add_pending_skbs+0xec/0x138
   ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480
   ieee80211_mps_sta_status_update.part.0+0xd8/0x11c
   ieee80211_mps_sta_status_update+0x18/0x24
   sta_apply_parameters+0x3bc/0x4c0
   ieee80211_change_station+0x1b8/0x2dc
   nl80211_set_station+0x444/0x49c
   genl_family_rcv_msg_doit.isra.0+0xa4/0xfc
   genl_rcv_msg+0x1b0/0x244
   netlink_rcv_skb+0x38/0x10c
   genl_rcv+0x34/0x48
   netlink_unicast+0x254/0x2bc
   netlink_sendmsg+0x190/0x3b4
   ____sys_sendmsg+0x1e8/0x218
   ___sys_sendmsg+0x68/0x8c
   __sys_sendmsg+0x44/0x84
   __arm64_sys_sendmsg+0x20/0x28
   do_el0_svc+0x6c/0xe8
   el0_svc+0x14/0x48
   el0t_64_sync_handler+0xb0/0xb4
   el0t_64_sync+0x14c/0x150

 Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise
 on the same CPU that is holding the lock.

 The Linux kernel CVE team has assigned CVE-2024-40912 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 4.19.317 with commit e51637e0c66a6f72d134d9f95daa47ea62b43c7e
 	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 5.4.279 with commit 28ba44d680a30c51cf485a2f5a3b680e66ed3932
 	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 5.10.221 with commit e7e916d693dcb5a297f40312600a82475f2e63bc
 	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 5.15.162 with commit d90bdff79f8e40adf889b5408bfcf521528b169f
 	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 6.1.95 with commit 9c49b58b9a2bed707e7638576e54c4bccd97b9eb
 	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 6.6.35 with commit 456bbb8a31e425177dc0e8d4f98728a560c20e81
 	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 6.9.6 with commit 47d176755d5c0baf284eff039560f8c1ba0ea485
 	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 6.10 with commit 44c06bbde6443de206b30f513100b5670b23fc5e
 	Issue introduced in 3.2.56 with commit ad64b463d919a18be70b281efb135231169caf4a
 	Issue introduced in 3.4.84 with commit 46a5a5493360f995b834eb3b828eb59da4604509
 	Issue introduced in 3.10.34 with commit a7ee1a84a81555b19ec3d02f104bfd70cf0b668a
 	Issue introduced in 3.12.15 with commit 58d4310586466840dab77e56e53f4508853a5268
 	Issue introduced in 3.13.7 with commit fcb6d3c79824d350893edfa7b50d6ba1f670c4ec

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-40912
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mac80211/sta_info.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e51637e0c66a6f72d134d9f95daa47ea62b43c7e
 	https://git.kernel.org/stable/c/28ba44d680a30c51cf485a2f5a3b680e66ed3932
 	https://git.kernel.org/stable/c/e7e916d693dcb5a297f40312600a82475f2e63bc
 	https://git.kernel.org/stable/c/d90bdff79f8e40adf889b5408bfcf521528b169f
 	https://git.kernel.org/stable/c/9c49b58b9a2bed707e7638576e54c4bccd97b9eb
 	https://git.kernel.org/stable/c/456bbb8a31e425177dc0e8d4f98728a560c20e81
 	https://git.kernel.org/stable/c/47d176755d5c0baf284eff039560f8c1ba0ea485
 	https://git.kernel.org/stable/c/44c06bbde6443de206b30f513100b5670b23fc5e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-40912: wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

	The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to
	synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from
	softirq context. However using only spin_lock() to get sta->ps_lock in
	ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute
	on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to
	take this same lock ending in deadlock. Below is an example of rcu stall
	that arises in such situation.

	rcu: INFO: rcu_sched self-detected stall on CPU
	rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996
	rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)
	CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742
	Hardware name: RPT (r1) (DT)
	pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	pc : queued_spin_lock_slowpath+0x58/0x2d0
	lr : invoke_tx_handlers_early+0x5b4/0x5c0
	sp : ffff00001ef64660
	x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8
	x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000
	x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000
	x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000
	x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80
	x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da
	x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440
	x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880
	x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000
	x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8
	Call trace:
	queued_spin_lock_slowpath+0x58/0x2d0
	ieee80211_tx+0x80/0x12c
	ieee80211_tx_pending+0x110/0x278
	tasklet_action_common.constprop.0+0x10c/0x144
	tasklet_action+0x20/0x28
	_stext+0x11c/0x284
	____do_softirq+0xc/0x14
	call_on_irq_stack+0x24/0x34
	do_softirq_own_stack+0x18/0x20
	do_softirq+0x74/0x7c
	__local_bh_enable_ip+0xa0/0xa4
	_ieee80211_wake_txqs+0x3b0/0x4b8
	__ieee80211_wake_queue+0x12c/0x168
	ieee80211_add_pending_skbs+0xec/0x138
	ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480
	ieee80211_mps_sta_status_update.part.0+0xd8/0x11c
	ieee80211_mps_sta_status_update+0x18/0x24
	sta_apply_parameters+0x3bc/0x4c0
	ieee80211_change_station+0x1b8/0x2dc
	nl80211_set_station+0x444/0x49c
	genl_family_rcv_msg_doit.isra.0+0xa4/0xfc
	genl_rcv_msg+0x1b0/0x244
	netlink_rcv_skb+0x38/0x10c
	genl_rcv+0x34/0x48
	netlink_unicast+0x254/0x2bc
	netlink_sendmsg+0x190/0x3b4
	____sys_sendmsg+0x1e8/0x218
	___sys_sendmsg+0x68/0x8c
	__sys_sendmsg+0x44/0x84
	__arm64_sys_sendmsg+0x20/0x28
	do_el0_svc+0x6c/0xe8
	el0_svc+0x14/0x48
	el0t_64_sync_handler+0xb0/0xb4
	el0t_64_sync+0x14c/0x150

	Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise
	on the same CPU that is holding the lock.

	The Linux kernel CVE team has assigned CVE-2024-40912 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 4.19.317 with commit e51637e0c66a6f72d134d9f95daa47ea62b43c7e
	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 5.4.279 with commit 28ba44d680a30c51cf485a2f5a3b680e66ed3932
	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 5.10.221 with commit e7e916d693dcb5a297f40312600a82475f2e63bc
	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 5.15.162 with commit d90bdff79f8e40adf889b5408bfcf521528b169f
	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 6.1.95 with commit 9c49b58b9a2bed707e7638576e54c4bccd97b9eb
	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 6.6.35 with commit 456bbb8a31e425177dc0e8d4f98728a560c20e81
	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 6.9.6 with commit 47d176755d5c0baf284eff039560f8c1ba0ea485
	Issue introduced in 3.14 with commit 1d147bfa64293b2723c4fec50922168658e613ba and fixed in 6.10 with commit 44c06bbde6443de206b30f513100b5670b23fc5e
	Issue introduced in 3.2.56 with commit ad64b463d919a18be70b281efb135231169caf4a
	Issue introduced in 3.4.84 with commit 46a5a5493360f995b834eb3b828eb59da4604509
	Issue introduced in 3.10.34 with commit a7ee1a84a81555b19ec3d02f104bfd70cf0b668a
	Issue introduced in 3.12.15 with commit 58d4310586466840dab77e56e53f4508853a5268
	Issue introduced in 3.13.7 with commit fcb6d3c79824d350893edfa7b50d6ba1f670c4ec

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-40912
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mac80211/sta_info.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e51637e0c66a6f72d134d9f95daa47ea62b43c7e
	https://git.kernel.org/stable/c/28ba44d680a30c51cf485a2f5a3b680e66ed3932
	https://git.kernel.org/stable/c/e7e916d693dcb5a297f40312600a82475f2e63bc
	https://git.kernel.org/stable/c/d90bdff79f8e40adf889b5408bfcf521528b169f
	https://git.kernel.org/stable/c/9c49b58b9a2bed707e7638576e54c4bccd97b9eb
	https://git.kernel.org/stable/c/456bbb8a31e425177dc0e8d4f98728a560c20e81
	https://git.kernel.org/stable/c/47d176755d5c0baf284eff039560f8c1ba0ea485
	https://git.kernel.org/stable/c/44c06bbde6443de206b30f513100b5670b23fc5e