Description
In the Linux kernel, the following vulnerability has been resolved:

net: ks8851: Reinstate disabling of BHs around IRQ handler

If the driver executes ks8851_irq() AND a TX packet has been sent, then
the driver enables TX queue via netif_wake_queue() which schedules TX
softirq to queue packets for this device.

If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by
the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to
allocate SKBs for the received packets. If netdev_alloc_skb_ip_align()
is called with BH enabled, then local_bh_enable() at the end of
netdev_alloc_skb_ip_align() will trigger the pending softirq processing,
which may ultimately call the .xmit callback ks8851_start_xmit_par().
The ks8851_start_xmit_par() will try to lock struct ks8851_net_par
.lock spinlock, which is already locked by ks8851_irq() from which
ks8851_start_xmit_par() was called. This leads to a deadlock, which
is reported by the kernel, including a trace listed below.

If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0
("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock
can also be triggered without received packet in the RX FIFO. The
pending softirqs will be processed on return from
spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the
deadlock as well.

Fix the problem by disabling BH around critical sections, including the
IRQ handler, thus preventing the net_tx_action() softirq from triggering
during these critical sections. The net_tx_action() softirq is triggered
once BH are re-enabled and at the end of the IRQ handler, once all the
other IRQ handler actions have been completed.

__schedule from schedule_rtlock+0x1c/0x34
schedule_rtlock from rtlock_slowlock_locked+0x548/0x904
rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c
rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8
ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44
netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188
dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c
sch_direct_xmit from __qdisc_run+0x1f8/0x4ec
__qdisc_run from qdisc_run+0x1c/0x28
qdisc_run from net_tx_action+0x1f0/0x268
net_tx_action from handle_softirqs+0x1a4/0x270
handle_softirqs from __local_bh_enable_ip+0xcc/0xe0
__local_bh_enable_ip from __alloc_skb+0xd8/0x128
__alloc_skb from __netdev_alloc_skb+0x3c/0x19c
__netdev_alloc_skb from ks8851_irq+0x388/0x4d4
ks8851_irq from irq_thread_fn+0x24/0x64
irq_thread_fn from irq_thread+0x178/0x28c
irq_thread from kthread+0x12c/0x138
kthread from ret_from_fork+0x14/0x28
Published: 2026-05-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ks8851 network driver contains a deadlock condition that arises when its interrupt handler re‑enables bottom halves while holding a spinlock and a TX queue has been awakened; this causes a pending softirq to attempt to acquire the same lock and trigger a deadlock, leading to a kernel lock‑up. The vulnerability is a result of improper disabling of bottom halves (BH) around critical sections in the ISR and related TX paths, as captured by the CWE identifier 821. The kernel failure manifests as a denial of all network services on the affected system.

Affected Systems

All Linux kernel builds that include the ks8851 driver are affected, regardless of whether the CONFIG_PREEMPT_RT option is enabled. No specific kernel version is listed, so any build that compiles this driver should be considered vulnerable.

Risk and Exploitability

The CVSS base score is 7.5, the EPSS probability is below 1% and the vulnerability is not listed in the CISA KEV catalog. The deadlock can be triggered when a TX packet is queued and a received packet is processed concurrently, leading to a kernel lock‑up that manifests as a denial of network services. The description does not specify whether the attacker requires local or remote access or any particular privilege level, but achieving the fault would involve delivering traffic that exercises both the TX and RX paths of the ks8851 driver. Because the EPSS low probability and lack of known exploitation, the immediate risk is limited, yet a local system with active ks8851 traffic could be affected if the unpatched driver is in use.

Generated by OpenCVE AI on May 30, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the commit restoring the disabling of bottom halves around the IRQ handler (commit 21f1707a8e978558dcb11b053855521e32ac0eec)
  • If an upgrade is not immediately available, disable or unload the ks8851 network interface to prevent the driver from operating until the patch can be applied
  • Apply the upstream patch manually by editing the driver source code to surround the IRQ handler and critical sections with disable_bh()/enable_bh()

Generated by OpenCVE AI on May 30, 2026 at 15:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-667
CPEs cpe:2.3:o:linux:linux_kernel:6.9:-:*:*:*:*:*:*

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
References

Sat, 30 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-87

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References

Wed, 27 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-87

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: ks8851: Reinstate disabling of BHs around IRQ handler If the driver executes ks8851_irq() AND a TX packet has been sent, then the driver enables TX queue via netif_wake_queue() which schedules TX softirq to queue packets for this device. If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to allocate SKBs for the received packets. If netdev_alloc_skb_ip_align() is called with BH enabled, then local_bh_enable() at the end of netdev_alloc_skb_ip_align() will trigger the pending softirq processing, which may ultimately call the .xmit callback ks8851_start_xmit_par(). The ks8851_start_xmit_par() will try to lock struct ks8851_net_par .lock spinlock, which is already locked by ks8851_irq() from which ks8851_start_xmit_par() was called. This leads to a deadlock, which is reported by the kernel, including a trace listed below. If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0 ("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock can also be triggered without received packet in the RX FIFO. The pending softirqs will be processed on return from spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the deadlock as well. Fix the problem by disabling BH around critical sections, including the IRQ handler, thus preventing the net_tx_action() softirq from triggering during these critical sections. The net_tx_action() softirq is triggered once BH are re-enabled and at the end of the IRQ handler, once all the other IRQ handler actions have been completed. __schedule from schedule_rtlock+0x1c/0x34 schedule_rtlock from rtlock_slowlock_locked+0x548/0x904 rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8 ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44 netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188 dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c sch_direct_xmit from __qdisc_run+0x1f8/0x4ec __qdisc_run from qdisc_run+0x1c/0x28 qdisc_run from net_tx_action+0x1f0/0x268 net_tx_action from handle_softirqs+0x1a4/0x270 handle_softirqs from __local_bh_enable_ip+0xcc/0xe0 __local_bh_enable_ip from __alloc_skb+0xd8/0x128 __alloc_skb from __netdev_alloc_skb+0x3c/0x19c __netdev_alloc_skb from ks8851_irq+0x388/0x4d4 ks8851_irq from irq_thread_fn+0x24/0x64 irq_thread_fn from irq_thread+0x178/0x28c irq_thread from kthread+0x12c/0x138 kthread from ret_from_fork+0x14/0x28
Title net: ks8851: Reinstate disabling of BHs around IRQ handler
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:49:15.423Z

Reserved: 2026-05-13T15:03:33.093Z

Link: CVE-2026-46031

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:22.057

Modified: 2026-06-16T17:37:42.953

Link: CVE-2026-46031

cve-icon Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46031 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T15:30:26Z

Weaknesses