PT-2026-43898 · Linux · Linux

Published: 2026-05-27 · Updated: 2026-05-27 · CVE-2026-46031

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

In the Linux kernel, the following vulnerability has been resolved:
net: ks8851: Reinstate disabling of BHs around IRQ handler
If the driver executes ks8851_irq() AND a TX packet has been sent, then the driver enables TX queue via netif_wake_queue() which schedules TX softirq to queue packets for this device.
If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to allocate SKBs for the received packets. If netdev_alloc_skb_ip_align() is called with BH enabled, then local_bh_enable() at the end of netdev_alloc_skb_ip_align() will trigger the pending softirq processing, which may ultimately call the .xmit callback ks8851_start_xmit_par(). The ks8851_start_xmit_par() will try to lock struct ks8851_net_par .lock spinlock, which is already locked by ks8851_irq() from which ks8851_start_xmit_par() was called. This leads to a deadlock, which is reported by the kernel, including a trace listed below.
If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0 ("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock can also be triggered without received packet in the RX FIFO. The pending softirqs will be processed on return from spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the deadlock as well.
Fix the problem by disabling BH around critical sections, including the IRQ handler, thus preventing the net_tx_action() softirq from triggering during these critical sections. The net_tx_action() softirq is triggered once BH are re-enabled and at the end of the IRQ handler, once all the other IRQ handler actions have been completed.
__schedule from schedule_rtlock+0x1c/0x34
schedule_rtlock from rtlock_slowlock_locked+0x548/0x904
rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c
rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8
ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44
netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188
dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c
sch_direct_xmit from __qdisc_run+0x1f8/0x4ec
__qdisc_run from qdisc_run+0x1c/0x28
qdisc_run from net_tx_action+0x1f0/0x268
net_tx_action from handle_softirqs+0x1a4/0x270
handle_softirqs from __local_bh_enable_ip+0xcc/0xe0
__local_bh_enable_ip from __alloc_skb+0xd8/0x128
__alloc_skb from __netdev_alloc_skb+0x3c/0x19c
__netdev_alloc_skb from ks8851_irq+0x388/0x4d4
ks8851_irq from irq_thread_fn+0x24/0x64
irq_thread_fn from irq_thread+0x178/0x28c
irq_thread from kthread+0x12c/0x138
kthread from ret_from_fork+0x14/0x28
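
The ordering described above for the CONFIG_PREEMPT_RT=y receive path, as a small userspace C model. This is an added example, not kernel or driver code: every model_* name, flag and counter is constructed for illustration, and a held lock is reported as a deadlock instead of blocking.

```c
/* Userspace model of the lock/softirq ordering; constructed, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

static int  bh_depth;      /* BH-disable nesting count */
static bool tx_pending;    /* TX softirq raised by the modelled netif_wake_queue() */
static bool lock_held;     /* driver lock taken by the modelled IRQ handler */
static bool deadlocked;    /* xmit found the lock already held */
static int  xmit_done;     /* packets the modelled .xmit callback queued */

static void model_start_xmit(void)       /* stands in for the .xmit callback */
{
    if (lock_held) { deadlocked = true; return; }  /* real code blocks forever here */
    xmit_done++;
}

static void model_bh_disable(void) { bh_depth++; }

static void model_bh_enable(void)        /* last enable runs pending softirqs */
{
    if (--bh_depth == 0 && tx_pending) {
        tx_pending = false;
        model_start_xmit();
    }
}

/* The allocator's own BH disable/enable pair. */
static void model_alloc_skb(void) { model_bh_disable(); model_bh_enable(); }

/* Runs one modelled IRQ; returns true if the handler self-deadlocks. */
bool model_irq(bool bh_off_around_handler)
{
    bh_depth = 0; tx_pending = lock_held = deadlocked = false; xmit_done = 0;
    if (bh_off_around_handler) model_bh_disable();
    lock_held = true;      /* handler takes the driver lock */
    tx_pending = true;     /* TX completed: wake queue raises the TX softirq */
    model_alloc_skb();     /* RX path allocates an skb while the lock is held */
    lock_held = false;     /* handler releases the lock */
    if (bh_off_around_handler) model_bh_enable();  /* softirq runs now, lock free */
    return deadlocked;
}

int model_xmit_done(void) { return xmit_done; }

int main(void)
{
    bool bad = model_irq(false), good = !model_irq(true);
    printf("unfixed deadlocks=%d fixed ok=%d xmit=%d\n", bad, good, model_xmit_done());
    return 0;
}
```

With BH left enabled the nesting count returns to zero inside the allocation, so the transmit callback runs under the handler's lock; with BH disabled around the handler the same softirq is deferred until after the lock is released.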

Fix

Related Identifiers

CVE-2026-46031

Affected Products

Linux