{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-40912", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-12T12:17:45.581Z", "datePublished": "2024-07-12T12:20:50.488Z", "dateUpdated": "2024-11-05T09:32:59.350Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:32:59.350Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()\n\nThe ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to\nsynchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from\nsoftirq context. However using only spin_lock() to get sta->ps_lock in\nieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute\non this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to\ntake this same lock ending in deadlock. Below is an example of rcu stall\nthat arises in such situation.\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996\n rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)\n CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742\n Hardware name: RPT (r1) (DT)\n pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : queued_spin_lock_slowpath+0x58/0x2d0\n lr : invoke_tx_handlers_early+0x5b4/0x5c0\n sp : ffff00001ef64660\n x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8\n x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000\n x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000\n x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000\n x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80\n x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da\n x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440\n x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880\n x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8\n Call trace:\n queued_spin_lock_slowpath+0x58/0x2d0\n ieee80211_tx+0x80/0x12c\n ieee80211_tx_pending+0x110/0x278\n tasklet_action_common.constprop.0+0x10c/0x144\n tasklet_action+0x20/0x28\n _stext+0x11c/0x284\n ____do_softirq+0xc/0x14\n call_on_irq_stack+0x24/0x34\n do_softirq_own_stack+0x18/0x20\n do_softirq+0x74/0x7c\n __local_bh_enable_ip+0xa0/0xa4\n _ieee80211_wake_txqs+0x3b0/0x4b8\n __ieee80211_wake_queue+0x12c/0x168\n ieee80211_add_pending_skbs+0xec/0x138\n ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480\n ieee80211_mps_sta_status_update.part.0+0xd8/0x11c\n ieee80211_mps_sta_status_update+0x18/0x24\n sta_apply_parameters+0x3bc/0x4c0\n ieee80211_change_station+0x1b8/0x2dc\n nl80211_set_station+0x444/0x49c\n genl_family_rcv_msg_doit.isra.0+0xa4/0xfc\n genl_rcv_msg+0x1b0/0x244\n netlink_rcv_skb+0x38/0x10c\n genl_rcv+0x34/0x48\n netlink_unicast+0x254/0x2bc\n netlink_sendmsg+0x190/0x3b4\n ____sys_sendmsg+0x1e8/0x218\n ___sys_sendmsg+0x68/0x8c\n __sys_sendmsg+0x44/0x84\n __arm64_sys_sendmsg+0x20/0x28\n do_el0_svc+0x6c/0xe8\n el0_svc+0x14/0x48\n el0t_64_sync_handler+0xb0/0xb4\n el0t_64_sync+0x14c/0x150\n\nUsing spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise\non the same CPU that is holding the lock."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/sta_info.c"], "versions": [{"version": "1d147bfa6429", "lessThan": "e51637e0c66a", "status": "affected", "versionType": "git"}, {"version": "1d147bfa6429", "lessThan": "28ba44d680a3", "status": "affected", "versionType": "git"}, {"version": "1d147bfa6429", "lessThan": "e7e916d693dc", "status": "affected", "versionType": "git"}, {"version": "1d147bfa6429", "lessThan": "d90bdff79f8e", "status": "affected", "versionType": "git"}, {"version": "1d147bfa6429", "lessThan": "9c49b58b9a2b", "status": "affected", "versionType": "git"}, {"version": "1d147bfa6429", "lessThan": "456bbb8a31e4", "status": "affected", "versionType": "git"}, {"version": "1d147bfa6429", "lessThan": "47d176755d5c", "status": "affected", "versionType": "git"}, {"version": "1d147bfa6429", "lessThan": "44c06bbde644", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/sta_info.c"], "versions": [{"version": "3.14", "status": "affected"}, {"version": "0", "lessThan": "3.14", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.317", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.279", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.221", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.162", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.95", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.35", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9.6", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/e51637e0c66a6f72d134d9f95daa47ea62b43c7e"}, {"url": "https://git.kernel.org/stable/c/28ba44d680a30c51cf485a2f5a3b680e66ed3932"}, {"url": "https://git.kernel.org/stable/c/e7e916d693dcb5a297f40312600a82475f2e63bc"}, {"url": "https://git.kernel.org/stable/c/d90bdff79f8e40adf889b5408bfcf521528b169f"}, {"url": "https://git.kernel.org/stable/c/9c49b58b9a2bed707e7638576e54c4bccd97b9eb"}, {"url": "https://git.kernel.org/stable/c/456bbb8a31e425177dc0e8d4f98728a560c20e81"}, {"url": "https://git.kernel.org/stable/c/47d176755d5c0baf284eff039560f8c1ba0ea485"}, {"url": "https://git.kernel.org/stable/c/44c06bbde6443de206b30f513100b5670b23fc5e"}], "title": "wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:55.352Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/e51637e0c66a6f72d134d9f95daa47ea62b43c7e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/28ba44d680a30c51cf485a2f5a3b680e66ed3932", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e7e916d693dcb5a297f40312600a82475f2e63bc", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d90bdff79f8e40adf889b5408bfcf521528b169f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9c49b58b9a2bed707e7638576e54c4bccd97b9eb", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/456bbb8a31e425177dc0e8d4f98728a560c20e81", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/47d176755d5c0baf284eff039560f8c1ba0ea485", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/44c06bbde6443de206b30f513100b5670b23fc5e", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40912", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:05:59.270343Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:37.046Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/e51637e0c66a6f72d134d9f95daa47ea62b43c7e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/28ba44d680a30c51cf485a2f5a3b680e66ed3932", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e7e916d693dcb5a297f40312600a82475f2e63bc", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d90bdff79f8e40adf889b5408bfcf521528b169f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9c49b58b9a2bed707e7638576e54c4bccd97b9eb", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/456bbb8a31e425177dc0e8d4f98728a560c20e81", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/47d176755d5c0baf284eff039560f8c1ba0ea485", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/44c06bbde6443de206b30f513100b5670b23fc5e", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:55.352Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40912", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:05:59.270343Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:24.821Z"}}], "cna": {"title": "wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1d147bfa6429", "lessThan": "e51637e0c66a", "versionType": "git"}, {"status": "affected", "version": "1d147bfa6429", "lessThan": "28ba44d680a3", "versionType": "git"}, {"status": "affected", "version": "1d147bfa6429", "lessThan": "e7e916d693dc", "versionType": "git"}, {"status": "affected", "version": "1d147bfa6429", "lessThan": "d90bdff79f8e", "versionType": "git"}, {"status": "affected", "version": "1d147bfa6429", "lessThan": "9c49b58b9a2b", "versionType": "git"}, {"status": "affected", "version": "1d147bfa6429", "lessThan": "456bbb8a31e4", "versionType": "git"}, {"status": "affected", "version": "1d147bfa6429", "lessThan": "47d176755d5c", "versionType": "git"}, {"status": "affected", "version": "1d147bfa6429", "lessThan": "44c06bbde644", "versionType": "git"}], "programFiles": ["net/mac80211/sta_info.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "3.14"}, {"status": "unaffected", "version": "0", "lessThan": "3.14", "versionType": "custom"}, {"status": "unaffected", "version": "4.19.317", "versionType": "custom", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.279", "versionType": "custom", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.221", "versionType": "custom", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.162", "versionType": "custom", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.95", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.35", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.9.6", "versionType": "custom", "lessThanOrEqual": "6.9.*"}, {"status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/mac80211/sta_info.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/e51637e0c66a6f72d134d9f95daa47ea62b43c7e"}, {"url": "https://git.kernel.org/stable/c/28ba44d680a30c51cf485a2f5a3b680e66ed3932"}, {"url": "https://git.kernel.org/stable/c/e7e916d693dcb5a297f40312600a82475f2e63bc"}, {"url": "https://git.kernel.org/stable/c/d90bdff79f8e40adf889b5408bfcf521528b169f"}, {"url": "https://git.kernel.org/stable/c/9c49b58b9a2bed707e7638576e54c4bccd97b9eb"}, {"url": "https://git.kernel.org/stable/c/456bbb8a31e425177dc0e8d4f98728a560c20e81"}, {"url": "https://git.kernel.org/stable/c/47d176755d5c0baf284eff039560f8c1ba0ea485"}, {"url": "https://git.kernel.org/stable/c/44c06bbde6443de206b30f513100b5670b23fc5e"}], "x_generator": {"engine": "bippy-c9c4e1df01b2"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()\n\nThe ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to\nsynchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from\nsoftirq context. However using only spin_lock() to get sta->ps_lock in\nieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute\non this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to\ntake this same lock ending in deadlock. Below is an example of rcu stall\nthat arises in such situation.\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996\n rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)\n CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742\n Hardware name: RPT (r1) (DT)\n pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : queued_spin_lock_slowpath+0x58/0x2d0\n lr : invoke_tx_handlers_early+0x5b4/0x5c0\n sp : ffff00001ef64660\n x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8\n x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000\n x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000\n x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000\n x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80\n x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da\n x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440\n x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880\n x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8\n Call trace:\n queued_spin_lock_slowpath+0x58/0x2d0\n ieee80211_tx+0x80/0x12c\n ieee80211_tx_pending+0x110/0x278\n tasklet_action_common.constprop.0+0x10c/0x144\n tasklet_action+0x20/0x28\n _stext+0x11c/0x284\n ____do_softirq+0xc/0x14\n call_on_irq_stack+0x24/0x34\n do_softirq_own_stack+0x18/0x20\n do_softirq+0x74/0x7c\n __local_bh_enable_ip+0xa0/0xa4\n _ieee80211_wake_txqs+0x3b0/0x4b8\n __ieee80211_wake_queue+0x12c/0x168\n ieee80211_add_pending_skbs+0xec/0x138\n ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480\n ieee80211_mps_sta_status_update.part.0+0xd8/0x11c\n ieee80211_mps_sta_status_update+0x18/0x24\n sta_apply_parameters+0x3bc/0x4c0\n ieee80211_change_station+0x1b8/0x2dc\n nl80211_set_station+0x444/0x49c\n genl_family_rcv_msg_doit.isra.0+0xa4/0xfc\n genl_rcv_msg+0x1b0/0x244\n netlink_rcv_skb+0x38/0x10c\n genl_rcv+0x34/0x48\n netlink_unicast+0x254/0x2bc\n netlink_sendmsg+0x190/0x3b4\n ____sys_sendmsg+0x1e8/0x218\n ___sys_sendmsg+0x68/0x8c\n __sys_sendmsg+0x44/0x84\n __arm64_sys_sendmsg+0x20/0x28\n do_el0_svc+0x6c/0xe8\n el0_svc+0x14/0x48\n el0t_64_sync_handler+0xb0/0xb4\n el0t_64_sync+0x14c/0x150\n\nUsing spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise\non the same CPU that is holding the lock."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-15T06:51:19.559Z"}}}, "cveMetadata": {"cveId": "CVE-2024-40912", "state": "PUBLISHED", "dateUpdated": "2024-09-11T17:34:37.046Z", "dateReserved": "2024-07-12T12:17:45.581Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-12T12:20:50.488Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "94AD7CE0-1AB3-4F0C-9642-209112A5ECB7", "versionEndExcluding": "4.19.317", "versionStartIncluding": "3.14", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "212DEE06-A450-420F-8BAA-20996395BBF4", "versionEndExcluding": "5.4.297", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "659E1520-6345-41AF-B893-A7C0647585A0", "versionEndExcluding": "5.10.221", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "10A39ACC-3005-40E8-875C-98A372D1FFD5", "versionEndExcluding": "5.15.162", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D435765D-2766-44F5-B319-F713A13E35CE", "versionEndExcluding": "6.1.95", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F019D15-84C0-416B-8C57-7F51B68992F0", "versionEndExcluding": "6.6.35", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0ABBBA1D-F79D-4BDB-AA41-D1EDCC4A6975", "versionEndExcluding": "6.9.6", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*", "matchCriteriaId": "2EBB4392-5FA6-4DA9-9772-8F9C750109FA", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*", "matchCriteriaId": "331C2F14-12C7-45D5-893D-8C52EE38EA10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()\n\nThe ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to\nsynchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from\nsoftirq context. However using only spin_lock() to get sta->ps_lock in\nieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute\non this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to\ntake this same lock ending in deadlock. Below is an example of rcu stall\nthat arises in such situation.\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996\n rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)\n CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742\n Hardware name: RPT (r1) (DT)\n pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : queued_spin_lock_slowpath+0x58/0x2d0\n lr : invoke_tx_handlers_early+0x5b4/0x5c0\n sp : ffff00001ef64660\n x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8\n x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000\n x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000\n x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000\n x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80\n x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da\n x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440\n x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880\n x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8\n Call trace:\n queued_spin_lock_slowpath+0x58/0x2d0\n ieee80211_tx+0x80/0x12c\n ieee80211_tx_pending+0x110/0x278\n tasklet_action_common.constprop.0+0x10c/0x144\n tasklet_action+0x20/0x28\n _stext+0x11c/0x284\n ____do_softirq+0xc/0x14\n call_on_irq_stack+0x24/0x34\n do_softirq_own_stack+0x18/0x20\n do_softirq+0x74/0x7c\n __local_bh_enable_ip+0xa0/0xa4\n _ieee80211_wake_txqs+0x3b0/0x4b8\n __ieee80211_wake_queue+0x12c/0x168\n ieee80211_add_pending_skbs+0xec/0x138\n ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480\n ieee80211_mps_sta_status_update.part.0+0xd8/0x11c\n ieee80211_mps_sta_status_update+0x18/0x24\n sta_apply_parameters+0x3bc/0x4c0\n ieee80211_change_station+0x1b8/0x2dc\n nl80211_set_station+0x444/0x49c\n genl_family_rcv_msg_doit.isra.0+0xa4/0xfc\n genl_rcv_msg+0x1b0/0x244\n netlink_rcv_skb+0x38/0x10c\n genl_rcv+0x34/0x48\n netlink_unicast+0x254/0x2bc\n netlink_sendmsg+0x190/0x3b4\n ____sys_sendmsg+0x1e8/0x218\n ___sys_sendmsg+0x68/0x8c\n __sys_sendmsg+0x44/0x84\n __arm64_sys_sendmsg+0x20/0x28\n do_el0_svc+0x6c/0xe8\n el0_svc+0x14/0x48\n el0t_64_sync_handler+0xb0/0xb4\n el0t_64_sync+0x14c/0x150\n\nUsing spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise\non the same CPU that is holding the lock."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: wifi: mac80211: corrige el punto muerto en ieee80211_sta_ps_deliver_wakeup() La funci\u00f3n ieee80211_sta_ps_deliver_wakeup() toma sta->ps_lock para sincronizarse con ieee80211_tx_h_unicast_ps_buf() que se llama desde el contexto softirq. Sin embargo, usar solo spin_lock() para obtener sta->ps_lock en ieee80211_sta_ps_deliver_wakeup() no impide que softirq se ejecute en esta misma CPU, ejecute ieee80211_tx_h_unicast_ps_buf() e intente tomar este mismo bloqueo que termina en punto muerto. A continuaci\u00f3n se muestra un ejemplo de bloqueo de rcu que surge en tal situaci\u00f3n. rcu: INFORMACI\u00d3N: rcu_sched autodetectado bloqueo en la CPU rcu: 2-....: (42413413 marca este GP) idle=b154/1/0x40000000000000000 softirq=1763/1765 fqs=21206996 rcu: (t=42586894 santiam\u00e9n g= 2057 q=362405 ncpus=4) CPU: 2 PID: 719 Comm: wpa_supplicant Contaminado: GW 6.4.0-02158-g1b062f552873 #742 Nombre de hardware: RPT (r1) (DT) pstate: 00000005 (nzcv daif -PAN -UAO - TCO -DIT -SSBS BTYPE=--) pc: queued_spin_lock_slowpath+0x58/0x2d0 lr: invoke_tx_handlers_early+0x5b4/0x5c0 sp: ffff00001ef64660 x29: ffff00001ef64660 x28: ffff000009bc1070 : ffff000009bc0ad8 x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000 x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000 x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000 x17: ffff800016468000 x16: 08c0 x15: 0010533c93f64f80 x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da x11: 000000012edeceea x10: ffff0000010fbe00 0000000000895440 x8: 000000000010533c x7: ffff00000ad8b740 x6: ffff00000c350880 x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8 Rastreo de llamadas: pin_lock_slowpath+0x58/0x2d0 ieee80211_tx+0x80/0x12c ieee80211_tx_pending+0x110/0x278 tasklet_action_common.constprop.0+0x10c/0x144 tasklet_action+0x20/0x28 _stext +0x11c/0x284 ____do_softirq+0xc/0x14 call_on_irq_stack+0x24/0x34 do_softirq_own_stack+0x18/0x20 do_softirq+0x74/0x7c __local_bh_enable_ip+0xa0/0xa4 _ieee80211_wake_txqs+0x3b0 /0x4b8 __ieee80211_wake_queue+0x12c/0x168 ieee80211_add_pending_skbs+0xec/0x138 ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480 ieee80211_mps_sta_status_update .part.0+0xd8/0x11c ieee80211_mps_sta_status_update+0x18/0x24 sta_apply_parameters+0x3bc/0x4c0 ieee80211_change_station+0x1b8/0x2dc nl80211_set_station+0x444/0x49c genl_family_rcv_ms g_doit.isra.0+0xa4/0xfc genl_rcv_msg+0x1b0/0x244 netlink_rcv_skb+0x38/0x10c genl_rcv+0x34 /0x48 netlink_unicast+0x254/0x2bc netlink_sendmsg+0x190/0x3b4 ____sys_sendmsg+0x1e8/0x218 ___sys_sendmsg+0x68/0x8c __sys_sendmsg+0x44/0x84 __arm64_sys_sendmsg+0x 20/0x28 do_el0_svc+0x6c/0xe8 el0_svc+0x14/0x48 el0t_64_sync_handler+0xb0/0xb4 el0t_64_sync+0x14c /0x150 El uso de spin_lock_bh()/spin_unlock_bh() en su lugar evita que softirq se active en la misma CPU que mantiene el bloqueo."}], "id": "CVE-2024-40912", "lastModified": "2024-11-21T09:31:50.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-12T13:15:14.363", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/28ba44d680a30c51cf485a2f5a3b680e66ed3932"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/44c06bbde6443de206b30f513100b5670b23fc5e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/456bbb8a31e425177dc0e8d4f98728a560c20e81"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/47d176755d5c0baf284eff039560f8c1ba0ea485"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9c49b58b9a2bed707e7638576e54c4bccd97b9eb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d90bdff79f8e40adf889b5408bfcf521528b169f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e51637e0c66a6f72d134d9f95daa47ea62b43c7e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e7e916d693dcb5a297f40312600a82475f2e63bc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/28ba44d680a30c51cf485a2f5a3b680e66ed3932"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/44c06bbde6443de206b30f513100b5670b23fc5e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/456bbb8a31e425177dc0e8d4f98728a560c20e81"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/47d176755d5c0baf284eff039560f8c1ba0ea485"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9c49b58b9a2bed707e7638576e54c4bccd97b9eb"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d90bdff79f8e40adf889b5408bfcf521528b169f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e51637e0c66a6f72d134d9f95daa47ea62b43c7e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e7e916d693dcb5a297f40312600a82475f2e63bc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:7001", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:7000", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.22.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:5928", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.33.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-08-28T00:00:00Z"}, {"advisory": "RHSA-2024:5928", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.33.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-08-28T00:00:00Z"}], "bugzilla": {"description": "kernel: wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()", "id": "2297496", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297496"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-833", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nwifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()\nThe ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to\nsynchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from\nsoftirq context. However using only spin_lock() to get sta->ps_lock in\nieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute\non this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to\ntake this same lock ending in deadlock. Below is an example of rcu stall\nthat arises in such situation.\nrcu: INFO: rcu_sched self-detected stall on CPU\nrcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996\nrcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)\nCPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742\nHardware name: RPT (r1) (DT)\npstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : queued_spin_lock_slowpath+0x58/0x2d0\nlr : invoke_tx_handlers_early+0x5b4/0x5c0\nsp : ffff00001ef64660\nx29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8\nx26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000\nx23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000\nx20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000\nx17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80\nx14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da\nx11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440\nx8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880\nx5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8\nCall trace:\nqueued_spin_lock_slowpath+0x58/0x2d0\nieee80211_tx+0x80/0x12c\nieee80211_tx_pending+0x110/0x278\ntasklet_action_common.constprop.0+0x10c/0x144\ntasklet_action+0x20/0x28\n_stext+0x11c/0x284\n____do_softirq+0xc/0x14\ncall_on_irq_stack+0x24/0x34\ndo_softirq_own_stack+0x18/0x20\ndo_softirq+0x74/0x7c\n__local_bh_enable_ip+0xa0/0xa4\n_ieee80211_wake_txqs+0x3b0/0x4b8\n__ieee80211_wake_queue+0x12c/0x168\nieee80211_add_pending_skbs+0xec/0x138\nieee80211_sta_ps_deliver_wakeup+0x2a4/0x480\nieee80211_mps_sta_status_update.part.0+0xd8/0x11c\nieee80211_mps_sta_status_update+0x18/0x24\nsta_apply_parameters+0x3bc/0x4c0\nieee80211_change_station+0x1b8/0x2dc\nnl80211_set_station+0x444/0x49c\ngenl_family_rcv_msg_doit.isra.0+0xa4/0xfc\ngenl_rcv_msg+0x1b0/0x244\nnetlink_rcv_skb+0x38/0x10c\ngenl_rcv+0x34/0x48\nnetlink_unicast+0x254/0x2bc\nnetlink_sendmsg+0x190/0x3b4\n____sys_sendmsg+0x1e8/0x218\n___sys_sendmsg+0x68/0x8c\n__sys_sendmsg+0x44/0x84\n__arm64_sys_sendmsg+0x20/0x28\ndo_el0_svc+0x6c/0xe8\nel0_svc+0x14/0x48\nel0t_64_sync_handler+0xb0/0xb4\nel0t_64_sync+0x14c/0x150\nUsing spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise\non the same CPU that is holding the lock."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-40912", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-40912\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40912\nhttps://lore.kernel.org/linux-cve-announce/2024071210-CVE-2024-40912-7286@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 4.19.317, kernel 5.4.279, kernel 5.10.221, kernel 5.15.162, kernel 6.1.95, kernel 6.6.35, kernel 6.9.6, kernel 6.10-rc3"}