{
  "threat_severity" : "Low",
  "public_date" : "2024-05-21T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mwifiex: bring down link before deleting interface",
    "id" : "2282404",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2282404"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-833",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmwifiex: bring down link before deleting interface\nWe can deadlock when rmmod'ing the driver or going through firmware\nreset, because the cfg80211_unregister_wdev() has to bring down the link\nfor us, ... which then grab the same wiphy lock.\nnl80211_del_interface() already handles a very similar case, with a nice\ndescription:\n/*\n* We hold RTNL, so this is safe, without RTNL opencount cannot\n* reach 0, and thus the rdev cannot be deleted.\n*\n* We need to do it for the dev_close(), since that will call\n* the netdev notifiers, and we need to acquire the mutex there\n* but don't know if we get there from here or from some other\n* place (e.g. \"ip link set ... down\").\n*/\nmutex_unlock(&rdev->wiphy.mtx);\n...\nDo similarly for mwifiex teardown, by ensuring we bring the link down\nfirst.\nSample deadlock trace:\n[  247.103516] INFO: task rmmod:2119 blocked for more than 123 seconds.\n[  247.110630]       Not tainted 5.12.4 #5\n[  247.115796] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[  247.124557] task:rmmod           state:D stack:    0 pid: 2119 ppid:  2114 flags:0x00400208\n[  247.133905] Call trace:\n[  247.136644]  __switch_to+0x130/0x170\n[  247.140643]  __schedule+0x714/0xa0c\n[  247.144548]  schedule_preempt_disabled+0x88/0xf4\n[  247.149714]  __mutex_lock_common+0x43c/0x750\n[  247.154496]  mutex_lock_nested+0x5c/0x68\n[  247.158884]  cfg80211_netdev_notifier_call+0x280/0x4e0 [cfg80211]\n[  247.165769]  raw_notifier_call_chain+0x4c/0x78\n[  247.170742]  call_netdevice_notifiers_info+0x68/0xa4\n[  247.176305]  __dev_close_many+0x7c/0x138\n[  247.180693]  dev_close_many+0x7c/0x10c\n[  247.184893]  unregister_netdevice_many+0xfc/0x654\n[  247.190158]  unregister_netdevice_queue+0xb4/0xe0\n[  247.195424]  _cfg80211_unregister_wdev+0xa4/0x204 [cfg80211]\n[  247.201816]  cfg80211_unregister_wdev+0x20/0x2c [cfg80211]\n[  247.208016]  mwifiex_del_virtual_intf+0xc8/0x188 [mwifiex]\n[  247.214174]  mwifiex_uninit_sw+0x158/0x1b0 [mwifiex]\n[  247.219747]  mwifiex_remove_card+0x38/0xa0 [mwifiex]\n[  247.225316]  mwifiex_pcie_remove+0xd0/0xe0 [mwifiex_pcie]\n[  247.231451]  pci_device_remove+0x50/0xe0\n[  247.235849]  device_release_driver_internal+0x110/0x1b0\n[  247.241701]  driver_detach+0x5c/0x9c\n[  247.245704]  bus_remove_driver+0x84/0xb8\n[  247.250095]  driver_unregister+0x3c/0x60\n[  247.254486]  pci_unregister_driver+0x2c/0x90\n[  247.259267]  cleanup_module+0x18/0xcdc [mwifiex_pcie]" ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-47349\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47349\nhttps://lore.kernel.org/linux-cve-announce/2024052140-CVE-2021-47349-9828@gregkh/T" ],
  "name" : "CVE-2021-47349",
  "csaw" : false
}