CVE-2024-40912

wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

Severity Score

4.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to
synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from
softirq context. However using only spin_lock() to get sta->ps_lock in
ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute
on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to
take this same lock ending in deadlock. Below is an example of rcu stall
that arises in such situation.

rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996
rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)
CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742
Hardware name: RPT (r1) (DT)
pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : queued_spin_lock_slowpath+0x58/0x2d0
lr : invoke_tx_handlers_early+0x5b4/0x5c0
sp : ffff00001ef64660
x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8
x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000
x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000
x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000
x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80
x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da
x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440
x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880
x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8
Call trace:
queued_spin_lock_slowpath+0x58/0x2d0
ieee80211_tx+0x80/0x12c
ieee80211_tx_pending+0x110/0x278
tasklet_action_common.constprop.0+0x10c/0x144
tasklet_action+0x20/0x28
_stext+0x11c/0x284
____do_softirq+0xc/0x14
call_on_irq_stack+0x24/0x34
do_softirq_own_stack+0x18/0x20
do_softirq+0x74/0x7c
__local_bh_enable_ip+0xa0/0xa4
_ieee80211_wake_txqs+0x3b0/0x4b8
__ieee80211_wake_queue+0x12c/0x168
ieee80211_add_pending_skbs+0xec/0x138
ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480
ieee80211_mps_sta_status_update.part.0+0xd8/0x11c
ieee80211_mps_sta_status_update+0x18/0x24
sta_apply_parameters+0x3bc/0x4c0
ieee80211_change_station+0x1b8/0x2dc
nl80211_set_station+0x444/0x49c
genl_family_rcv_msg_doit.isra.0+0xa4/0xfc
genl_rcv_msg+0x1b0/0x244
netlink_rcv_skb+0x38/0x10c
genl_rcv+0x34/0x48
netlink_unicast+0x254/0x2bc
netlink_sendmsg+0x190/0x3b4
____sys_sendmsg+0x1e8/0x218
___sys_sendmsg+0x68/0x8c
__sys_sendmsg+0x44/0x84
__arm64_sys_sendmsg+0x20/0x28
do_el0_svc+0x6c/0xe8
el0_svc+0x14/0x48
el0t_64_sync_handler+0xb0/0xb4
el0t_64_sync+0x14c/0x150

Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise
on the same CPU that is holding the lock.

*Credits: N/A

CVSS Scores

Red Hatv3.1 4.7

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-07-12 CVE Reserved
2024-07-12 CVE Published
2024-08-30 EPSS Updated
2024-11-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-833: Deadlock

CAPEC

References (16)

URL	Tag	Source
https://git.kernel.org/stable/c/1d147bfa64293b2723c4fec50922168658e613ba	Vuln. Introduced
https://git.kernel.org/stable/c/ad64b463d919a18be70b281efb135231169caf4a	Vuln. Introduced
https://git.kernel.org/stable/c/46a5a5493360f995b834eb3b828eb59da4604509	Vuln. Introduced
https://git.kernel.org/stable/c/a7ee1a84a81555b19ec3d02f104bfd70cf0b668a	Vuln. Introduced
https://git.kernel.org/stable/c/58d4310586466840dab77e56e53f4508853a5268	Vuln. Introduced
https://git.kernel.org/stable/c/fcb6d3c79824d350893edfa7b50d6ba1f670c4ec	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/e51637e0c66a6f72d134d9f95daa47ea62b43c7e	2024-07-05
https://git.kernel.org/stable/c/28ba44d680a30c51cf485a2f5a3b680e66ed3932	2024-07-05
https://git.kernel.org/stable/c/e7e916d693dcb5a297f40312600a82475f2e63bc	2024-07-05
https://git.kernel.org/stable/c/d90bdff79f8e40adf889b5408bfcf521528b169f	2024-07-05
https://git.kernel.org/stable/c/9c49b58b9a2bed707e7638576e54c4bccd97b9eb	2024-06-21
https://git.kernel.org/stable/c/456bbb8a31e425177dc0e8d4f98728a560c20e81	2024-06-21
https://git.kernel.org/stable/c/47d176755d5c0baf284eff039560f8c1ba0ea485	2024-06-21
https://git.kernel.org/stable/c/44c06bbde6443de206b30f513100b5670b23fc5e	2024-05-29

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-40912	2024-09-24
https://bugzilla.redhat.com/show_bug.cgi?id=2297496	2024-09-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.14 < 4.19.317 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.14 < 4.19.317"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.14 < 5.4.279 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.14 < 5.4.279"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.14 < 5.10.221 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.14 < 5.10.221"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.14 < 5.15.162 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.14 < 5.15.162"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.14 < 6.1.95 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.14 < 6.1.95"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.14 < 6.6.35 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.14 < 6.6.35"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.14 < 6.9.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.14 < 6.9.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.14 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.14 < 6.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.2.56 Search vendor "Linux" for product "Linux Kernel" and version "3.2.56"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.4.84 Search vendor "Linux" for product "Linux Kernel" and version "3.4.84"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.10.34 Search vendor "Linux" for product "Linux Kernel" and version "3.10.34"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.12.15 Search vendor "Linux" for product "Linux Kernel" and version "3.12.15"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.13.7 Search vendor "Linux" for product "Linux Kernel" and version "3.13.7"		en		Affected