From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2720213C3DD for ; Wed, 17 Apr 2024 10:28:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713349735; cv=none; b=jP7bPJqRS/4GNjmMPMsfmuQFr/qS0gCp0lCyPZ9f4jzQZhzS2LZfIVO4uopH44DgugDeh9FlQ+uDH7Ao52WZROfV5vXhx0GWnyy+1+/aOP3DhODMqueJGMW/Tx1Xw0t78JWwiXNhQfCtDst6oYfXFjkb4bdMl33I3KZcBwxl1zg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713349735; c=relaxed/simple; bh=iHYXsaM8YR85Otk/oD1QmsdHGUM6AnezGXWO/IKnV08=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=NOY9tWWipyt7Kxv1MvYd4BL45AwvYuEV/SYM2GOm/Lou0PK8feNEnbWbmYD44nwl45F1B8esnycm/0QP32U7mPJGWEm7E+VKzbCIsB5kI8oUHGn+57VanveTINmN5kiWKFpueOg+AR3mlGwmYd7hDlH3RuQh4KFKGd+hcmNRHw4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=ys7MVqjE; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="ys7MVqjE" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4E152C4AF09; Wed, 17 Apr 2024 10:28:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1713349734; bh=iHYXsaM8YR85Otk/oD1QmsdHGUM6AnezGXWO/IKnV08=; h=From:To:Cc:Subject:Date:Reply-to:From; b=ys7MVqjEOQb4pf+L7AW66Cco5i5iqUn8gy4Y8KHdIqNL3ha3/IldIBvWa8SU73gH2 icDGiQXUWBef+6oNIZlHpzVjXU1b4ORhnIbrKBcEq+bm+RmNilIk4P2tC17XsYxtrP eCHkX67OVHU1M6ynxlimIzSZv1gQarMrzKYPh7lE= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2023-52644: wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled Date: Wed, 17 Apr 2024 12:28:33 +0200 Message-ID: <2024041732-CVE-2023-52644-e2a7@gregkh> X-Mailer: git-send-email 2.44.0 Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Reply-to: , X-Developer-Signature: v=1; a=openpgp-sha256; l=13016; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=GPN/DLlBhXu8U0AX22Aa5i4mlyhoXhFMYBZJW+/TBpU=; b=owGbwMvMwCRo6H6F97bub03G02pJDGnySwJ1frc8f3Px4BZZntmLMxXrpK7oyjju2rt5br624 069M29PdsSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEEr8wzE82u79Z9czv6jeS fG9LfY4zr5s84RzDgoUbAnh3rFCeG3TI6NUOTyXTz7tfnQYA X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: quoted-printable Description =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D In the Linux kernel, the following vulnerability has been resolved: wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled When QoS is disabled, the queue priority value will not map to the correct ieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS is disabled to prevent trying to stop/wake a non-existent queue and failing to stop/wake the actual queue instantiated. Log of issue before change (with kernel parameter qos=3D0): [ +5.112651] ------------[ cut here ]------------ [ +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __i= eee80211_wake_queue+0xd5/0x180 [mac80211] [ +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_s= eq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt= _addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_g= eneric ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf= _defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf= _log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uin= put iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp j= oydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap bt= mtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 a= pplesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat = videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_cl= mulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suball= oc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobu= f2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3 [ +0.000044] videodev bridge snd_hda_core rapl crc16 drm_display_help= er cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_= common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_unco= re llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastc= harge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux= i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_powe= r_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libar= c4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore con= figfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_= keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class h= id_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10d= if_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul = crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_= intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common [ +0.000055] usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc3= 2c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last = unloaded: b43(O)] [ +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G W O= 6.6.7 #1-NixOS [ +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B1= 71B, BIOS 87.0.0.0.0 06/13/2019 [ +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211] [ +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 = f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 = <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00 [ +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097 [ +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 00000000= 00000000 [ +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8882= 0b924900 [ +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 00000000= 0003bfd0 [ +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 00000000= 00000000 [ +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffff= c0fa6f40 [ +0.000001] FS: 0000000000000000(0000) GS:ffff88846fb80000(0000) knl= GS:0000000000000000 [ +0.000001] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000001] CR2: 00007fafda7ae008 CR3: 000000046d220005 CR4: 00000000= 000606e0 [ +0.000002] Call Trace: [ +0.000003] [ +0.000001] ? __ieee80211_wake_queue+0xd5/0x180 [mac80211] [ +0.000044] ? __warn+0x81/0x130 [ +0.000005] ? __ieee80211_wake_queue+0xd5/0x180 [mac80211] [ +0.000045] ? report_bug+0x171/0x1a0 [ +0.000004] ? handle_bug+0x41/0x70 [ +0.000004] ? exc_invalid_op+0x17/0x70 [ +0.000003] ? asm_exc_invalid_op+0x1a/0x20 [ +0.000005] ? __ieee80211_wake_queue+0xd5/0x180 [mac80211] [ +0.000043] ieee80211_wake_queue+0x4a/0x80 [mac80211] [ +0.000044] b43_dma_handle_txstatus+0x29c/0x3a0 [b43] [ +0.000016] ? __pfx_irq_thread_fn+0x10/0x10 [ +0.000002] b43_handle_txstatus+0x61/0x80 [b43] [ +0.000012] b43_interrupt_thread_handler+0x3f9/0x6b0 [b43] [ +0.000011] irq_thread_fn+0x23/0x60 [ +0.000002] irq_thread+0xfe/0x1c0 [ +0.000002] ? __pfx_irq_thread_dtor+0x10/0x10 [ +0.000001] ? __pfx_irq_thread+0x10/0x10 [ +0.000001] kthread+0xe8/0x120 [ +0.000003] ? __pfx_kthread+0x10/0x10 [ +0.000003] ret_from_fork+0x34/0x50 [ +0.000002] ? __pfx_kthread+0x10/0x10 [ +0.000002] ret_from_fork_asm+0x1b/0x30 [ +0.000004] [ +0.000001] ---[ end trace 0000000000000000 ]--- [ +0.000065] ------------[ cut here ]------------ [ +0.000001] WARNING: CPU: 0 PID: 56077 at net/mac80211/util.c:514 __i= eee80211_stop_queue+0xcc/0xe0 [mac80211] [ +0.000077] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_s= eq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt= _addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_g= eneric ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf= _defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf= _log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uin= put iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp j= oydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap bt= mtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 a= pplesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat = videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_cl= mulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suball= oc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobu= f2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3 [ +0.000073] videodev bridge snd_hda_core rapl crc16 drm_display_help= er cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_= common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_unco= re llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastc= harge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux= i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_powe= r_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libar= c4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore con= figfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_= keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class h= id_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10d= if_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul = crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_= intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common [ +0.000084] usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc3= 2c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last = unloaded: b43] [ +0.000012] CPU: 0 PID: 56077 Comm: kworker/u16:17 Tainted: G = W O 6.6.7 #1-NixOS [ +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B1= 71B, BIOS 87.0.0.0.0 06/13/2019 [ +0.000001] Workqueue: phy7 b43_tx_work [b43] [ +0.000019] RIP: 0010:__ieee80211_stop_queue+0xcc/0xe0 [mac80211] [ +0.000076] Code: 74 11 48 8b 78 08 0f b7 d6 89 e9 4c 89 e6 e8 ab f4 = 00 00 65 ff 0d 9c b7 34 3f 0f 85 55 ff ff ff 0f 1f 44 00 00 e9 4b ff ff ff = <0f> 0b 5b 5d 41 5c 41 5d c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 [ +0.000002] RSP: 0000:ffffc90004157d50 EFLAGS: 00010097 [ +0.000002] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 00000000= 00000000 [ +0.000002] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8882= d65d0900 [ +0.000002] RBP: 0000000000000000 R08: 0000000000000001 R09: 00000000= 00000001 [ +0.000001] R10: 00000000000000ff R11: ffff88814d0155a0 R12: ffff8882= d65d0900 [ +0.000002] R13: 0000000000000000 R14: ffff8881002d2800 R15: 00000000= 000000d0 [ +0.000002] FS: 0000000000000000(0000) GS:ffff88846f800000(0000) knl= GS:0000000000000000 [ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000002] CR2: 00007f2e8c10c880 CR3: 0000000385b66005 CR4: 00000000= 000606f0 [ +0.000002] Call Trace: [ +0.000001] [ +0.000001] ? __ieee80211_stop_queue+0xcc/0xe0 [mac80211] [ +0.000075] ? __warn+0x81/0x130 [ +0.000004] ? __ieee80211_stop_queue+0xcc/0xe0 [mac80211] [ +0.000075] ? report_bug+0x171/0x1a0 [ +0.000005] ? handle_bug+0x41/0x70 [ +0.000003] ? exc_invalid_op+0x17/0x70 [ +0.000004] ? asm_exc_invalid_op+0x1a/0x20 [ +0.000004] ? __ieee80211_stop_queue+0xcc/0xe0 [mac80211] [ +0.000076] ieee80211_stop_queue+0x36/0x50 [mac80211] [ +0.000077] b43_dma_tx+0x550/0x780 [b43] [ +0.000023] b43_tx_work+0x90/0x130 [b43] [ +0.000018] process_one_work+0x174/0x340 [ +0.000003] worker_thread+0x27b/0x3a0 [ +0.000004] ? __pfx_worker_thread+0x10/0x10 [ +0.000002] kthread+0xe8/0x120 [ +0.000003] ? __pfx_kthread+0x10/0x10 [ +0.000004] ret_from_fork+0x34/0x50 [ +0.000002] ? __pfx_kthread+0x10/0x10 [ +0.000003] ret_from_fork_asm+0x1b/0x30 [ +0.000006] [ +0.000001] ---[ end trace 0000000000000000 ]--- The Linux kernel CVE team has assigned CVE-2023-52644 to this issue. Affected and fixed versions =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D Issue introduced in 2.6.26 with commit e6f5b934fba8 and fixed in 4.19.311 = with commit 1824f942527f Issue introduced in 2.6.26 with commit e6f5b934fba8 and fixed in 5.4.273 w= ith commit 31aaf17200c3 Issue introduced in 2.6.26 with commit e6f5b934fba8 and fixed in 5.10.214 = with commit 49f067726ab0 Issue introduced in 2.6.26 with commit e6f5b934fba8 and fixed in 5.15.153 = with commit 04a2b6eff2ae Issue introduced in 2.6.26 with commit e6f5b934fba8 and fixed in 6.1.83 wi= th commit c67698325c68 Issue introduced in 2.6.26 with commit e6f5b934fba8 and fixed in 6.6.23 wi= th commit bc845e2e42ca Issue introduced in 2.6.26 with commit e6f5b934fba8 and fixed in 6.7.11 wi= th commit 4049a9f80513 Issue introduced in 2.6.26 with commit e6f5b934fba8 and fixed in 6.8.2 wit= h commit f1cf77bb8700 Issue introduced in 2.6.26 with commit e6f5b934fba8 and fixed in 6.9-rc1 w= ith commit 9636951e4468 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=3DCVE-2023-52644 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D The file(s) affected by this issue are: drivers/net/wireless/broadcom/b43/b43.h drivers/net/wireless/broadcom/b43/dma.c Mitigation =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/1824f942527f784a19e01eac2d9679a21623d010 https://git.kernel.org/stable/c/31aaf17200c336fe258b70d39c40645ae19d0240 https://git.kernel.org/stable/c/49f067726ab01c87cf57566797a8a719badbbf08 https://git.kernel.org/stable/c/04a2b6eff2ae1c19cb7f41e803bcbfaf94c06455 https://git.kernel.org/stable/c/c67698325c68f8768db858f5c87c34823421746d https://git.kernel.org/stable/c/bc845e2e42cae95172c04bf29807c480f51a2a83 https://git.kernel.org/stable/c/4049a9f80513a6739c5677736a4c88f96df1b436 https://git.kernel.org/stable/c/f1cf77bb870046a6111a604f7f7fe83d1c8c9610 https://git.kernel.org/stable/c/9636951e4468f02c72cc75a82dc65d003077edbc