In the Linux kernel, the following vulnerability has been resolved:

net: ks8851: Handle softirqs at the end of IRQ thread to fix hang

The ks8851_irq() thread may call ks8851_rx_pkts() in case there are any packets in the MAC FIFO, which calls netif_rx(). This netif_rx() implementation is guarded by local_bh_disable() and local_bh_enable(). The local_bh_enable() may call do_softirq() to run softirqs in case any are pending. One of the softirqs is net_rx_action, which ultimately reaches the driver .start_xmit callback. If that happens, the system hangs. The entire call chain is below:

    ks8851_start_xmit_par from netdev_start_xmit
    netdev_start_xmit from dev_hard_start_xmit
    dev_hard_start_xmit from sch_direct_xmit
    sch_direct_xmit from __dev_queue_xmit
    __dev_queue_xmit from __neigh_update
    __neigh_update from neigh_update
    neigh_update from arp_process.constprop.0
    arp_process.constprop.0 from __netif_receive_skb_one_core
    __netif_receive_skb_one_core from process_backlog
    process_backlog from __napi_poll.constprop.0
    __napi_poll.constprop.0 from net_rx_action
    net_rx_action from __do_softirq
    __do_softirq from call_with_stack
    call_with_stack from do_softirq
    do_softirq from __local_bh_enable_ip
    __local_bh_enable_ip from netif_rx
    netif_rx from ks8851_irq
    ks8851_irq from irq_thread_fn
    irq_thread_fn from irq_thread
    irq_thread from kthread
    kthread from ret_from_fork

The hang happens because ks8851_irq() first locks a spinlock in ks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, …) and, with that spinlock locked, calls netif_rx(). Once the execution reaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again, which attempts to claim the already locked spinlock, and the hang happens.

Move the do_softirq() call outside of the spinlock protected section of ks8851_irq() by disabling BHs around the entire spinlock protected section of the ks8851_irq() handler. Place local_bh_enable() outside of the spinlock protected section, so that it can trigger do_softirq() without the ks8851_par.c ks8851_lock_par() spinlock being held, and safely call ks8851_start_xmit_par() without attempting to lock the already locked spinlock. Since ks8851_irq() is now protected by local_bh_disable()/local_bh_enable(), replace netif_rx() with __netif_rx(), which does not duplicate the local_bh_disable()/local_bh_enable() calls.
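The locking order that causes the hang and the order the fix establishes, modelled in user space as an added example (not kernel code and not from the ks8851 driver): the lock, the BH-disable depth counter and the single pending softirq are constructed stand-ins for the kernel primitives, and a re-entrant lock attempt is counted rather than spinning forever.

```c
/* Constructed user-space model of the ks8851_irq() deadlock and its fix. */
#include <stdbool.h>
static int lock_held;        /* stand-in for ksp->lock (non-recursive) */
static int bh_depth;         /* stand-in for the per-CPU softirq-disable count */
static int softirq_pending;  /* 1 once netif_rx() has queued net_rx_action */
static int reentrant_locks;  /* a real kernel spins forever here; we only count */
static int frames_sent;      /* times .start_xmit completed */

static bool ks8851_lock_par(void) {  /* spin_lock_irqsave(&ksp->lock, ...) */
    if (lock_held) { reentrant_locks++; return false; }
    lock_held = 1; return true;
}
static void ks8851_unlock_par(void) { lock_held = 0; }
/* .start_xmit, reached from net_rx_action via the ARP path in the report */
static void ks8851_start_xmit_par(void) {
    if (!ks8851_lock_par()) return;
    frames_sent++;
    ks8851_unlock_par();
}
static void local_bh_disable(void) { bh_depth++; }
/* Leaving the outermost BH-disabled section runs any pending softirq */
static void local_bh_enable(void) {
    if (--bh_depth == 0 && softirq_pending) {
        softirq_pending = 0;
        ks8851_start_xmit_par();  /* do_softirq -> net_rx_action -> ... */
    }
}
/* netif_rx() wraps its own BH disable/enable, so it may run softirqs itself */
static void netif_rx(void) { local_bh_disable(); softirq_pending = 1; local_bh_enable(); }
/* __netif_rx() expects the caller to have BHs disabled already */
static void __netif_rx(void) { softirq_pending = 1; }

/* Vulnerable IRQ thread: returns the number of re-entrant lock attempts */
static int ks8851_irq_before_fix(void) {
    reentrant_locks = 0;
    ks8851_lock_par();
    netif_rx();            /* softirq runs here, under the lock: hang */
    ks8851_unlock_par();
    return reentrant_locks;
}
/* Fixed IRQ thread: BHs disabled around the whole locked section */
static int ks8851_irq_after_fix(void) {
    reentrant_locks = 0;
    local_bh_disable();
    ks8851_lock_par();
    __netif_rx();
    ks8851_unlock_par();
    local_bh_enable();     /* softirq runs here, lock already released */
    return reentrant_locks;
}
static int frames_transmitted(void) { return frames_sent; }
```

With the vulnerable ordering the transmit path re-enters the held lock and nothing is sent; with the fixed ordering the softirq still runs, but only after the lock is released.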
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
git.kernel.org/linus/be0384bf599cf1eb8d337517feeb732d71f75a6f (6.9-rc4)
git.kernel.org/stable/c/492337a4fbd1421b42df684ee9b34be2a2722540
git.kernel.org/stable/c/49d5d70538b6b8f2a3f8f1ac30c1f921d4a0929b
git.kernel.org/stable/c/be0384bf599cf1eb8d337517feeb732d71f75a6f
git.kernel.org/stable/c/cba376eb036c2c20077b41d47b317d8218fe754f
launchpad.net/bugs/cve/CVE-2024-35971
nvd.nist.gov/vuln/detail/CVE-2024-35971
security-tracker.debian.org/tracker/CVE-2024-35971
www.cve.org/CVERecord?id=CVE-2024-35971