In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values
syzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM to 2^31.
We had a similar issue in sch_fq, fixed with commit d9e15a273306 ("pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM")
watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]
Modules linked in:
irq event stamp: 131135
hardirqs last enabled at (131134): [<ffff80008ae8778c>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]
hardirqs last enabled at (131134): [<ffff80008ae8778c>] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95
hardirqs last disabled at (131135): [<ffff80008ae85378>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
hardirqs last disabled at (131135): [<ffff80008ae85378>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
softirqs last enabled at (125892): [<ffff80008907e82c>] neigh_hh_init net/core/neighbour.c:1538 [inline]
softirqs last enabled at (125892): [<ffff80008907e82c>] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553
softirqs last disabled at (125896): [<ffff80008904166c>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
CPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: mld mld_ifc_work
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __list_del include/linux/list.h:195 [inline]
pc : __list_del_entry include/linux/list.h:218 [inline]
pc : list_move_tail include/linux/list.h:310 [inline]
pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline]
pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854
lr : __list_del_entry include/linux/list.h:218 [inline]
lr : list_move_tail include/linux/list.h:310 [inline]
lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline]
lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854
sp : ffff800093d36700
x29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000
x26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0
x23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0
x20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0
x17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8
x14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff
x11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc
x2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470
Call trace:
__list_del include/linux/list.h:195 [inline]
__list_del_entry include/linux/list.h:218 [inline]
list_move_tail include/linux/list.h:310 [inline]
fq_tin_dequeue include/net/fq_impl.h:112 [inline]
ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854
wake_tx_push_queue net/mac80211/util.c:294 [inline]
ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315
drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]
schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]
ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664
ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966
ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062
__ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338
ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532
__netdev_start_xmit include/linux/netdevice.h:4903 [inline]
netdev_start_xmit include/linux/netdevice.h:4917 [inline]
xmit_one net/core/dev.c:3531 [inline]
dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547
__dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341
dev_queue_xmit include/linux/netdevice.h:3091 [inline]
neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563
neigh_output include/net/neighbour.h:542 [inline]
ip6_fini ---truncated---
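
Added example (not kernel code and not part of the commit): a user-space model of why a quantum of 2^31 stalls a deficit round-robin dequeue loop, and the kind of range check that rejects it. It assumes the quantum arrives as a u32 while the per-flow deficit is a signed 32-bit counter; `drr_send`, `quantum_is_valid`, `SPIN_LIMIT` and the `INT_MAX` bound are hypothetical names and choices made for this illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define SPIN_LIMIT 1000000L  /* stand-in for the watchdog: give up after this many top-ups */

/* Range check (assumed bound): the quantum must stay positive as a signed int. */
static int quantum_is_valid(uint32_t quantum)
{
    return quantum <= (uint32_t)INT_MAX;
}

/*
 * Simplified deficit round-robin for a single flow. A new flow starts with
 * deficit = quantum; a flow whose deficit is <= 0 is topped up by quantum and
 * re-queued instead of sending. Returns the number of top-up rounds needed to
 * send npkts packets of pkt_len bytes, or -1 if the loop makes no progress.
 */
static long drr_send(uint32_t quantum, uint32_t pkt_len, int npkts)
{
    int32_t deficit = (int32_t)quantum;  /* 2^31 is stored as INT_MIN */
    long rounds = 0;

    while (npkts > 0) {
        if (deficit <= 0) {
            if (++rounds > SPIN_LIMIT)
                return -1;               /* the kernel would soft-lock here */
            deficit += quantum;          /* wraps mod 2^32: INT_MIN -> 0 -> INT_MIN */
            continue;
        }
        deficit -= pkt_len;              /* packet sent, charge its length */
        npkts--;
    }
    return rounds;
}

int main(void)
{
    uint32_t samples[] = { 300u, (uint32_t)INT_MAX, 1u << 31 };  /* constructed inputs */

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("quantum=%u valid=%d rounds=%ld\n", (unsigned)samples[i],
               quantum_is_valid(samples[i]), drr_send(samples[i], 1500u, 3));
    return 0;
}
```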