CVE-2026-46031
published 2026-05-27
high 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
In the Linux kernel, the following vulnerability has been resolved:

net: ks8851: Reinstate disabling of BHs around IRQ handler

If the driver executes ks8851_irq() AND a TX packet has been sent, then
the driver enables TX queue via netif_wake_queue() which schedules TX
softirq to queue packets for this device.

If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by
the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to
allocate SKBs for the received packets. If netdev_alloc_skb_ip_align()
is called with BH enabled, then local_bh_enable() at the end of
netdev_alloc_skb_ip_align() will trigger the pending softirq processing,
which may ultimately call the .xmit callback ks8851_start_xmit_par().
The ks8851_start_xmit_par() will try to lock struct ks8851_net_par
.lock spinlock, which is already locked by ks8851_irq() from which
ks8851_start_xmit_par() was called. This leads to a deadlock, which
is reported by the kernel, including a trace listed below.

If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0
("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock
can also be triggered without received packet in the RX FIFO. The
pending softirqs will be processed on return from
spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the
deadlock as well.

Fix the problem by disabling BH around critical sections, including the
IRQ handler, thus preventing the net_tx_action() softirq from triggering
during these critical sections. The net_tx_action() softirq is triggered
once BH are re-enabled and at the end of the IRQ handler, once all the
other IRQ handler actions have been completed.

__schedule from schedule_rtlock+0x1c/0x34
schedule_rtlock from rtlock_slowlock_locked+0x548/0x904
rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c
rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8
ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44
netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188
dev_hard_start_xmit from sc
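
The re-entry described above, as an added userspace C model that is not code from the kernel or from the fix. All function names here (simulate(), irq_handler(), start_xmit() and the helpers) are hypothetical stand-ins for the kernel functions named in the description, and the lock is a flag so the self-deadlock is counted instead of hanging.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model: names follow the description, bodies are simplified. */
static int bh_depth;        /* nesting of local_bh_disable() */
static bool tx_pending;     /* TX softirq raised by netif_wake_queue() */
static bool lock_held;      /* struct ks8851_net_par .lock */
static int deadlocks, xmit_runs;

static void start_xmit(void)            /* stands in for ks8851_start_xmit_par() */
{
    if (lock_held) { deadlocks++; return; }  /* the real kernel would block here forever */
    lock_held = true; xmit_runs++; lock_held = false;
}

static void run_softirq(void)           /* stands in for net_tx_action() */
{
    if (bh_depth == 0 && tx_pending) { tx_pending = false; start_xmit(); }
}

static void bh_disable(void) { bh_depth++; }
static void bh_enable(void)  { if (--bh_depth == 0) run_softirq(); }

/* fixed: BHs disabled around the whole handler (the fix described above).
 * nested_bh: the handler contains an inner BH disable/enable pair, such as the end of
 * netdev_alloc_skb_ip_align() on PREEMPT_RT or spin_unlock_bh(&ks->statelock). */
static void irq_handler(bool fixed, bool nested_bh)
{
    if (fixed) bh_disable();
    lock_held = true;                   /* handler takes the device lock */
    tx_pending = true;                  /* TX done: netif_wake_queue() */
    if (nested_bh) { bh_disable(); bh_enable(); }
    lock_held = false;
    if (fixed) bh_enable();             /* pending softirq runs here, lock already released */
}

/* Runs one interrupt and returns how many times xmit found the lock already held. */
int simulate(bool fixed, bool nested_bh)
{
    bh_depth = 0; tx_pending = false; lock_held = false; deadlocks = 0; xmit_runs = 0;
    irq_handler(fixed, nested_bh);
    run_softirq();                      /* softirqs also run once the handler has returned */
    return deadlocks;
}

int main(void)
{
    printf("unfixed, nested BH pair: %d deadlock(s)\n", simulate(false, true));
    printf("fixed,   nested BH pair: %d deadlock(s)\n", simulate(true, true));
    return 0;
}
```
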
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux | — | — |
| linux | linux | — | — |
| linux | linux | >= 6.1.91 < 6.1.175 | 6.1.175 |
| linux | linux | >= 6.6.31 < 6.6.140 | 6.6.140 |
| linux | linux | >= 6.8.10 < 6.9 | 6.9 |
| linux | linux | >= 8a3ff43dcbab7c96f9e8cf2bd1049ab8d6e59545 < 1962027a6d223f90df8b372929f9d1a8d321ad6a | 1962027a6d223f90df8b372929f9d1a8d321ad6a |
| linux | linux | >= ae87f661f3c1a3134a7ed86ab69bf9f12af88993 < 640a7631d31db87d5fa1b34cea44a99b6e78854b | 640a7631d31db87d5fa1b34cea44a99b6e78854b |
| linux | linux | >= e0863634bf9f7cf36291ebb5bfa2d16632f79c49 < 518040324067d8efaa2da1992297b7e7bf5640f4 | 518040324067d8efaa2da1992297b7e7bf5640f4 |
| linux | linux | >= e0863634bf9f7cf36291ebb5bfa2d16632f79c49 < be8aad558b4675f45b43080f81a9ffdeddea73a5 | be8aad558b4675f45b43080f81a9ffdeddea73a5 |
| linux | linux | >= e0863634bf9f7cf36291ebb5bfa2d16632f79c49 < 21f1707a8e978558dcb11b053855521e32ac0eec | 21f1707a8e978558dcb11b053855521e32ac0eec |
| linux | linux | >= e0863634bf9f7cf36291ebb5bfa2d16632f79c49 < 5c9fcac3c872224316714d0d8914d9af16c76a6d | 5c9fcac3c872224316714d0d8914d9af16c76a6d |
| linux | linux_kernel | — | — |