CVE-2021-46970

Summary

In the Linux kernel, the following vulnerability has been resolved:

bus: mhi: pci_generic: Remove WQ_MEM_RECLAIM flag from state workqueue

A recent change created a dedicated workqueue for the state-change work with WQ_HIGHPRI (no strong reason for that) and WQ_MEM_RECLAIM flags, but the state-change work (mhi_pm_st_worker) does not guarantee forward progress under memory pressure, and will even wait on various memory allocations when e.g. creating devices, loading firmware, etc… The work is then not part of a memory reclaim path…

Moreover, this causes a warning in check_flush_dependency() since we end up in code that flushes a non-reclaim workqueue:

[ 40.969601] workqueue: WQ_MEM_RECLAIM mhi_hiprio_wq:mhi_pm_st_worker [mhi] is flushing !WQ_MEM_RECLAIM events_highpri:flush_backlog [ 40.969612] WARNING: CPU: 4 PID: 158 at kernel/workqueue.c:2607 check_flush_dependency+0x11c/0x140 [ 40.969733] Call Trace: [ 40.969740] __flush_work+0x97/0x1d0 [ 40.969745] ? wake_up_process+0x15/0x20 [ 40.969749] ? insert_work+0x70/0x80 [ 40.969750] ? __queue_work+0x14a/0x3e0 [ 40.969753] flush_work+0x10/0x20 [ 40.969756] rollback_registered_many+0x1c9/0x510 [ 40.969759] unregister_netdevice_queue+0x94/0x120 [ 40.969761] unregister_netdev+0x1d/0x30 [ 40.969765] mhi_net_remove+0x1a/0x40 [mhi_net] [ 40.969770] mhi_driver_remove+0x124/0x250 [mhi] [ 40.969776] device_release_driver_internal+0xf0/0x1d0 [ 40.969778] device_release_driver+0x12/0x20 [ 40.969782] bus_remove_device+0xe1/0x150 [ 40.969786] device_del+0x17b/0x3e0 [ 40.969791] mhi_destroy_device+0x9a/0x100 [mhi] [ 40.969796] ? mhi_unmap_single_use_bb+0x50/0x50 [mhi] [ 40.969799] device_for_each_child+0x5e/0xa0 [ 40.969804] mhi_pm_st_worker+0x921/0xf50 [mhi]

Affected Software

VendorProductVersion RangeStatus
LinuxLinux8f70397876872789b2a5deba804eb6216fb5deb7 < abd1510c08a13c88d24b622a83c82e87ff1d3135affected
LinuxLinux8f70397876872789b2a5deba804eb6216fb5deb7 < ed541cff35cbdb695f0c98ef506dd7218883fc07affected
LinuxLinux8f70397876872789b2a5deba804eb6216fb5deb7 < 0fccbf0a3b690b162f53b13ed8bc442ea33437dcaffected
LinuxLinux5.11affected
LinuxLinux0 < 5.11unaffected
LinuxLinux5.11.20 <= 5.11.*unaffected
LinuxLinux5.12.3 <= 5.12.*unaffected
LinuxLinux5.13 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References