CVE-2024-40912

The ieee80211stapsdeliverwakeup() function takes sta->pslock to synchronizes with ieee80211txhunicastpsbuf() which is called from softirq context. However using only spinlock() to get sta->pslock in ieee80211stapsdeliverwakeup() does not prevent softirq to execute on this same CPU, to run ieee80211txhunicastps_buf() and try to take this same lock ending in deadlock. Below is an example of rcu stall that arises in such situation.

rcu: INFO: rcusched self-detected stall on CPU rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996 rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4) CPU: 2 PID: 719 Comm: wpasupplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742 Hardware name: RPT (r1) (DT) pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : queuedspinlockslowpath+0x58/0x2d0 lr : invoketxhandlersearly+0x5b4/0x5c0 sp : ffff00001ef64660 x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8 x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000 x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000 x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000 x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80 x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440 x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880 x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8 Call trace: queuedspinlockslowpath+0x58/0x2d0 ieee80211tx+0x80/0x12c ieee80211txpending+0x110/0x278 taskletactioncommon.constprop.0+0x10c/0x144 tasklet_action+0x20/0x28 _stext+0x11c/0x284 ____dosoftirq+0xc/0x14 callonirqstack+0x24/0x34 dosoftirqownstack+0x18/0x20 dosoftirq+0x74/0x7c __localbhenableip+0xa0/0xa4 ieee80211waketxqs+0x3b0/0x4b8 __ieee80211wakequeue+0x12c/0x168 ieee80211addpendingskbs+0xec/0x138 ieee80211stapsdeliverwakeup+0x2a4/0x480 ieee80211mpsstastatusupdate.part.0+0xd8/0x11c ieee80211mpsstastatusupdate+0x18/0x24 staapplyparameters+0x3bc/0x4c0 ieee80211changestation+0x1b8/0x2dc nl80211setstation+0x444/0x49c genlfamilyrcvmsgdoit.isra.0+0xa4/0xfc genlrcvmsg+0x1b0/0x244 netlinkrcvskb+0x38/0x10c genlrcv+0x34/0x48 netlinkunicast+0x254/0x2bc netlinksendmsg+0x190/0x3b4 ____sys_sendmsg+0x1e8/0x218 ___sys_sendmsg+0x68/0x8c __sys_sendmsg+0x44/0x84 __arm64syssendmsg+0x20/0x28 doel0svc+0x6c/0xe8 el0svc+0x14/0x48 el0t64synchandler+0xb0/0xb4 el0t64sync+0x14c/0x150

Using spinlockbh()/spinunlockbh() instead prevents softirq to raise on the same CPU that is holding the lock.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40912.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

1d147bfa64293b2723c4fec50922168658e613ba

Fixed

e51637e0c66a6f72d134d9f95daa47ea62b43c7e

Fixed

28ba44d680a30c51cf485a2f5a3b680e66ed3932

Fixed

e7e916d693dcb5a297f40312600a82475f2e63bc

Fixed

d90bdff79f8e40adf889b5408bfcf521528b169f

Fixed

9c49b58b9a2bed707e7638576e54c4bccd97b9eb

Fixed

456bbb8a31e425177dc0e8d4f98728a560c20e81

Fixed

47d176755d5c0baf284eff039560f8c1ba0ea485

Fixed

44c06bbde6443de206b30f513100b5670b23fc5e

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

ad64b463d919a18be70b281efb135231169caf4a

Last affected

46a5a5493360f995b834eb3b828eb59da4604509

Last affected

a7ee1a84a81555b19ec3d02f104bfd70cf0b668a

Last affected

58d4310586466840dab77e56e53f4508853a5268

Last affected

fcb6d3c79824d350893edfa7b50d6ba1f670c4ec

Affected versions

v2.*

v2.6.12-rc2

v2.6.12-rc3

v2.6.12-rc4

v2.6.13

v2.6.13-rc1

v2.6.13-rc2

v2.6.13-rc3

v2.6.13-rc4

v2.6.13-rc5

v2.6.13-rc6

v2.6.13-rc7

v2.6.14-rc1

v2.6.14-rc2

v2.6.14-rc3

v2.6.15-rc1

v2.6.15-rc2

v2.6.15-rc4

v2.6.15-rc5

v2.6.15-rc7

v2.6.16

v2.6.16-rc1

v2.6.16-rc2

v2.6.16-rc3

v2.6.16-rc4

v2.6.16-rc5

v2.6.16-rc6

v2.6.17

v2.6.17-rc1

v2.6.17-rc2

v2.6.17-rc3

v2.6.17-rc4

v2.6.17-rc5

v2.6.17-rc6

v2.6.18

v2.6.18-rc1

v2.6.18-rc2

v2.6.18-rc3

v2.6.18-rc5

v2.6.18-rc6

v2.6.19-rc1

v2.6.19-rc2

v2.6.20-rc1

v2.6.20-rc2

v2.6.20-rc3

v2.6.20-rc4

v2.6.20-rc5

v2.6.20-rc6

v2.6.20-rc7

v2.6.21

v2.6.21-rc1

v2.6.21-rc2

v2.6.21-rc3

v2.6.21-rc4

v2.6.21-rc5

v2.6.21-rc6

v2.6.21-rc7

v2.6.22

v2.6.22-rc1

v2.6.22-rc2

v2.6.22-rc3

v2.6.22-rc4

v2.6.22-rc5

v2.6.22-rc6

v2.6.22-rc7

v2.6.23

v2.6.23-rc1

v2.6.23-rc2

v2.6.23-rc3

v2.6.23-rc4

v2.6.23-rc5

v2.6.23-rc6

v2.6.23-rc7

v2.6.23-rc8

v2.6.23-rc9

v2.6.24

v2.6.24-rc1

v2.6.24-rc2

v2.6.24-rc3

v2.6.24-rc4

v2.6.24-rc5

v2.6.24-rc6

v2.6.24-rc7

v2.6.24-rc8

v2.6.25

v2.6.25-rc1

v2.6.25-rc2

v2.6.25-rc3

v2.6.25-rc4

v2.6.25-rc5

v2.6.25-rc6

v2.6.25-rc7

v2.6.25-rc8

v2.6.25-rc9

v2.6.26

v2.6.26-rc1

v2.6.26-rc2

v2.6.26-rc3

v2.6.26-rc4

v2.6.26-rc5

v2.6.26-rc6

v2.6.26-rc7

v2.6.26-rc8

v2.6.26-rc9

v2.6.27

v2.6.27-rc1

v2.6.27-rc2

v2.6.27-rc3

v2.6.27-rc4

v2.6.27-rc5

v2.6.27-rc6

v2.6.27-rc7

v2.6.27-rc8

v2.6.27-rc9

v2.6.28

v2.6.28-rc1

v2.6.28-rc2

v2.6.28-rc3

v2.6.28-rc4

v2.6.28-rc5

v2.6.28-rc6

v2.6.28-rc7

v2.6.28-rc8

v2.6.28-rc9

v2.6.29

v2.6.29-rc1

v2.6.29-rc2

v2.6.29-rc3

v2.6.29-rc4

v2.6.29-rc5

v2.6.29-rc6

v2.6.29-rc7

v2.6.29-rc8

v2.6.30

v2.6.30-rc1

v2.6.30-rc2

v2.6.30-rc3

v2.6.30-rc4

v2.6.30-rc5

v2.6.30-rc6

v2.6.30-rc7

v2.6.30-rc8

v2.6.31

v2.6.31-rc1

v2.6.31-rc2

v2.6.31-rc3

v2.6.31-rc4

v2.6.31-rc5

v2.6.31-rc6

v2.6.31-rc7

v2.6.31-rc8

v2.6.31-rc9

v2.6.32

v2.6.32-rc1

v2.6.32-rc2

v2.6.32-rc3

v2.6.32-rc4

v2.6.32-rc5

v2.6.32-rc6

v2.6.32-rc7

v2.6.32-rc8

v2.6.33

v2.6.33-rc1

v2.6.33-rc2

v2.6.33-rc3

v2.6.33-rc4

v2.6.33-rc5

v2.6.33-rc6

v2.6.33-rc7

v2.6.33-rc8

v2.6.34

v2.6.34-rc1

v2.6.34-rc2

v2.6.34-rc3

v2.6.34-rc4

v2.6.34-rc5

v2.6.34-rc6

v2.6.34-rc7

v2.6.35

v2.6.35-rc1

v2.6.35-rc2

v2.6.35-rc3

v2.6.35-rc4

v2.6.35-rc5

v2.6.35-rc6

v2.6.36

v2.6.36-rc1

v2.6.36-rc2

v2.6.36-rc3

v2.6.36-rc4

v2.6.36-rc5

v2.6.36-rc6

v2.6.36-rc7

v2.6.36-rc8

v2.6.37

v2.6.37-rc1

v2.6.37-rc2

v2.6.37-rc3

v2.6.37-rc4

v2.6.37-rc5

v2.6.37-rc6

v2.6.37-rc7

v2.6.37-rc8

v2.6.38

v2.6.38-rc1

v2.6.38-rc2

v2.6.38-rc3

v2.6.38-rc4

v2.6.38-rc5

v2.6.38-rc6

v2.6.38-rc7

v2.6.38-rc8

v2.6.39

v2.6.39-rc1

v2.6.39-rc2

v2.6.39-rc3

v2.6.39-rc4

v2.6.39-rc5

v2.6.39-rc6

v2.6.39-rc7

v3.*

v3.0

v3.0-rc1

v3.0-rc2

v3.0-rc3

v3.0-rc4

v3.0-rc5

v3.0-rc6

v3.0-rc7

v3.1

v3.1-rc1

v3.1-rc10

v3.1-rc2

v3.1-rc3

v3.1-rc4

v3.1-rc5

v3.1-rc6

v3.1-rc7

v3.1-rc8

v3.1-rc9

v3.10

v3.10-rc1

v3.10-rc2

v3.10-rc3

v3.10-rc4

v3.10-rc5

v3.10-rc6

v3.10-rc7

v3.10.1

v3.10.10

v3.10.11

v3.10.12

v3.10.13

v3.10.14

v3.10.15

v3.10.16

v3.10.17

v3.10.18

v3.10.19

v3.10.2

v3.10.20

v3.10.21

v3.10.22

v3.10.23

v3.10.24

v3.10.25

v3.10.26

v3.10.27

v3.10.28

v3.10.29

v3.10.3

v3.10.30

v3.10.31

v3.10.32

v3.10.33

v3.10.4

v3.10.5

v3.10.6

v3.10.7

v3.10.8

v3.10.9

v3.11

v3.11-rc1

v3.11-rc2

v3.11-rc3

v3.11-rc4

v3.11-rc5

v3.11-rc6

v3.11-rc7

v3.12

v3.12-rc1

v3.12-rc2

v3.12-rc3

v3.12-rc4

v3.12-rc5

v3.12-rc6

v3.12-rc7

v3.12.1

v3.12.10

v3.12.11

v3.12.12

v3.12.13

v3.12.14

v3.12.2

v3.12.3

v3.12.4

v3.12.5

v3.12.6

v3.12.7

v3.12.8

v3.12.9

v3.13

v3.13-rc1

v3.13-rc2

v3.13-rc3

v3.13-rc4

v3.13-rc5

v3.13-rc6

v3.13-rc7

v3.13-rc8

v3.13.1

v3.13.2

v3.13.3

v3.13.4

v3.13.5

v3.13.6

v3.2

v3.2-rc1

v3.2-rc2

v3.2-rc3

v3.2-rc4

v3.2-rc5

v3.2-rc6

v3.2-rc7

v3.2.1

v3.2.10

v3.2.11

v3.2.12

v3.2.13

v3.2.14

v3.2.15

v3.2.16

v3.2.17

v3.2.18

v3.2.19

v3.2.2

v3.2.20

v3.2.21

v3.2.22

v3.2.23

v3.2.24

v3.2.25

v3.2.26

v3.2.27

v3.2.28

v3.2.29

v3.2.3

v3.2.30

v3.2.31

v3.2.32

v3.2.33

v3.2.34

v3.2.35

v3.2.36

v3.2.37

v3.2.38

v3.2.39

v3.2.4

v3.2.40

v3.2.41

v3.2.42

v3.2.43

v3.2.44

v3.2.45

v3.2.46

v3.2.47

v3.2.48

v3.2.49

v3.2.5

v3.2.50

v3.2.51

v3.2.52

v3.2.53

v3.2.54

v3.2.55

v3.2.6

v3.2.7

v3.2.8

v3.2.9

v3.3

v3.3-rc1

v3.3-rc2

v3.3-rc3

v3.3-rc4

v3.3-rc5

v3.3-rc6

v3.3-rc7

v3.4

v3.4-rc1

v3.4-rc2

v3.4-rc3

v3.4-rc4

v3.4-rc5

v3.4-rc6

v3.4-rc7

v3.4.1

v3.4.10

v3.4.11

v3.4.12

v3.4.13

v3.4.14

v3.4.15

v3.4.16

v3.4.17

v3.4.18

v3.4.19

v3.4.2

v3.4.20

v3.4.21

v3.4.22

v3.4.23

v3.4.24

v3.4.25

v3.4.26

v3.4.27

v3.4.28

v3.4.29

v3.4.3

v3.4.30

v3.4.31

v3.4.32

v3.4.33

v3.4.34

v3.4.35

v3.4.36

v3.4.37

v3.4.38

v3.4.39

v3.4.4

v3.4.40

v3.4.41

v3.4.42

v3.4.43

v3.4.44

v3.4.45

v3.4.46

v3.4.47

v3.4.48

v3.4.49

v3.4.5

v3.4.50

v3.4.51

v3.4.52

v3.4.53

v3.4.54

v3.4.55

v3.4.56

v3.4.57

v3.4.58

v3.4.59

v3.4.6

v3.4.60

v3.4.61

v3.4.62

v3.4.63

v3.4.64

v3.4.65

v3.4.66

v3.4.67

v3.4.68

v3.4.69

v3.4.7

v3.4.70

v3.4.71

v3.4.72

v3.4.73

v3.4.74

v3.4.75

v3.4.76

v3.4.77

v3.4.78

v3.4.79

v3.4.8

v3.4.80

v3.4.81

v3.4.82

v3.4.83

v3.4.9

v3.5

v3.5-rc1

v3.5-rc2

v3.5-rc3

v3.5-rc4

v3.5-rc5

v3.5-rc6

v3.5-rc7

v3.6

v3.6-rc1

v3.6-rc2

v3.6-rc3

v3.6-rc4

v3.6-rc5

v3.6-rc6

v3.6-rc7

v3.7

v3.7-rc1

v3.7-rc2

v3.7-rc3

v3.7-rc4

v3.7-rc5

v3.7-rc6

v3.7-rc7

v3.7-rc8

v3.8

v3.8-rc1

v3.8-rc2

v3.8-rc3

v3.8-rc4

v3.8-rc5

v3.8-rc6

v3.8-rc7

v3.9

v3.9-rc1

v3.9-rc2

v3.9-rc3

v3.9-rc4

v3.9-rc5

v3.9-rc6

v3.9-rc7

v3.9-rc8

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40912.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.14.0

Fixed

4.19.317

Type: ECOSYSTEM
Events: Introduced

4.20.0

Fixed

5.4.279

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.221

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.162

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.95

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.35

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.9.6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40912.json"