cve/published/2024/CVE-2024-35971.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35971: net: ks8851: Handle softirqs at the end of IRQ thread to fix hang

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: ks8851: Handle softirqs at the end of IRQ thread to fix hang

 The ks8851_irq() thread may call ks8851_rx_pkts() in case there are
 any packets in the MAC FIFO, which calls netif_rx(). This netif_rx()
 implementation is guarded by local_bh_disable() and local_bh_enable().
 The local_bh_enable() may call do_softirq() to run softirqs in case
 any are pending. One of the softirqs is net_rx_action, which ultimately
 reaches the driver .start_xmit callback. If that happens, the system
 hangs. The entire call chain is below:

 ks8851_start_xmit_par from netdev_start_xmit
 netdev_start_xmit from dev_hard_start_xmit
 dev_hard_start_xmit from sch_direct_xmit
 sch_direct_xmit from __dev_queue_xmit
 __dev_queue_xmit from __neigh_update
 __neigh_update from neigh_update
 neigh_update from arp_process.constprop.0
 arp_process.constprop.0 from __netif_receive_skb_one_core
 __netif_receive_skb_one_core from process_backlog
 process_backlog from __napi_poll.constprop.0
 __napi_poll.constprop.0 from net_rx_action
 net_rx_action from __do_softirq
 __do_softirq from call_with_stack
 call_with_stack from do_softirq
 do_softirq from __local_bh_enable_ip
 __local_bh_enable_ip from netif_rx
 netif_rx from ks8851_irq
 ks8851_irq from irq_thread_fn
 irq_thread_fn from irq_thread
 irq_thread from kthread
 kthread from ret_from_fork

 The hang happens because ks8851_irq() first locks a spinlock in
 ks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, ...)
 and with that spinlock locked, calls netif_rx(). Once the execution
 reaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again
 which attempts to claim the already locked spinlock again, and the
 hang happens.

 Move the do_softirq() call outside of the spinlock protected section
 of ks8851_irq() by disabling BHs around the entire spinlock protected
 section of ks8851_irq() handler. Place local_bh_enable() outside of
 the spinlock protected section, so that it can trigger do_softirq()
 without the ks8851_par.c ks8851_lock_par() spinlock being held, and
 safely call ks8851_start_xmit_par() without attempting to lock the
 already locked spinlock.

 Since ks8851_irq() is protected by local_bh_disable()/local_bh_enable()
 now, replace netif_rx() with __netif_rx() which is not duplicating the
 local_bh_disable()/local_bh_enable() calls.

 The Linux kernel CVE team has assigned CVE-2024-35971 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.8 with commit 797047f875b5463719cc70ba213eb691d453c946 and fixed in 6.1.87 with commit 492337a4fbd1421b42df684ee9b34be2a2722540
 	Issue introduced in 5.8 with commit 797047f875b5463719cc70ba213eb691d453c946 and fixed in 6.6.28 with commit cba376eb036c2c20077b41d47b317d8218fe754f
 	Issue introduced in 5.8 with commit 797047f875b5463719cc70ba213eb691d453c946 and fixed in 6.8.7 with commit 49d5d70538b6b8f2a3f8f1ac30c1f921d4a0929b
 	Issue introduced in 5.8 with commit 797047f875b5463719cc70ba213eb691d453c946 and fixed in 6.9 with commit be0384bf599cf1eb8d337517feeb732d71f75a6f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35971
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/micrel/ks8851_common.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/492337a4fbd1421b42df684ee9b34be2a2722540
 	https://git.kernel.org/stable/c/cba376eb036c2c20077b41d47b317d8218fe754f
 	https://git.kernel.org/stable/c/49d5d70538b6b8f2a3f8f1ac30c1f921d4a0929b
 	https://git.kernel.org/stable/c/be0384bf599cf1eb8d337517feeb732d71f75a6f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35971: net: ks8851: Handle softirqs at the end of IRQ thread to fix hang

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: ks8851: Handle softirqs at the end of IRQ thread to fix hang

	The ks8851_irq() thread may call ks8851_rx_pkts() in case there are
	any packets in the MAC FIFO, which calls netif_rx(). This netif_rx()
	implementation is guarded by local_bh_disable() and local_bh_enable().
	The local_bh_enable() may call do_softirq() to run softirqs in case
	any are pending. One of the softirqs is net_rx_action, which ultimately
	reaches the driver .start_xmit callback. If that happens, the system
	hangs. The entire call chain is below:

	ks8851_start_xmit_par from netdev_start_xmit
	netdev_start_xmit from dev_hard_start_xmit
	dev_hard_start_xmit from sch_direct_xmit
	sch_direct_xmit from __dev_queue_xmit
	__dev_queue_xmit from __neigh_update
	__neigh_update from neigh_update
	neigh_update from arp_process.constprop.0
	arp_process.constprop.0 from __netif_receive_skb_one_core
	__netif_receive_skb_one_core from process_backlog
	process_backlog from __napi_poll.constprop.0
	__napi_poll.constprop.0 from net_rx_action
	net_rx_action from __do_softirq
	__do_softirq from call_with_stack
	call_with_stack from do_softirq
	do_softirq from __local_bh_enable_ip
	__local_bh_enable_ip from netif_rx
	netif_rx from ks8851_irq
	ks8851_irq from irq_thread_fn
	irq_thread_fn from irq_thread
	irq_thread from kthread
	kthread from ret_from_fork

	The hang happens because ks8851_irq() first locks a spinlock in
	ks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, ...)
	and with that spinlock locked, calls netif_rx(). Once the execution
	reaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again
	which attempts to claim the already locked spinlock again, and the
	hang happens.

	Move the do_softirq() call outside of the spinlock protected section
	of ks8851_irq() by disabling BHs around the entire spinlock protected
	section of ks8851_irq() handler. Place local_bh_enable() outside of
	the spinlock protected section, so that it can trigger do_softirq()
	without the ks8851_par.c ks8851_lock_par() spinlock being held, and
	safely call ks8851_start_xmit_par() without attempting to lock the
	already locked spinlock.

	Since ks8851_irq() is protected by local_bh_disable()/local_bh_enable()
	now, replace netif_rx() with __netif_rx() which is not duplicating the
	local_bh_disable()/local_bh_enable() calls.

	The Linux kernel CVE team has assigned CVE-2024-35971 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.8 with commit 797047f875b5463719cc70ba213eb691d453c946 and fixed in 6.1.87 with commit 492337a4fbd1421b42df684ee9b34be2a2722540
	Issue introduced in 5.8 with commit 797047f875b5463719cc70ba213eb691d453c946 and fixed in 6.6.28 with commit cba376eb036c2c20077b41d47b317d8218fe754f
	Issue introduced in 5.8 with commit 797047f875b5463719cc70ba213eb691d453c946 and fixed in 6.8.7 with commit 49d5d70538b6b8f2a3f8f1ac30c1f921d4a0929b
	Issue introduced in 5.8 with commit 797047f875b5463719cc70ba213eb691d453c946 and fixed in 6.9 with commit be0384bf599cf1eb8d337517feeb732d71f75a6f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35971
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/micrel/ks8851_common.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/492337a4fbd1421b42df684ee9b34be2a2722540
	https://git.kernel.org/stable/c/cba376eb036c2c20077b41d47b317d8218fe754f
	https://git.kernel.org/stable/c/49d5d70538b6b8f2a3f8f1ac30c1f921d4a0929b
	https://git.kernel.org/stable/c/be0384bf599cf1eb8d337517feeb732d71f75a6f