CVE-2021-47349: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: mwifiex: bring down link before deleting interface We can deadlock when rmmod'ing the driver or going through firmware reset, because the cfg80211_unregister_wdev() has to bring down the link for us, ... which then grab the same wiphy lock. nl80211_del_interface() already handles a very similar case, with a nice description: /* * We hold RTNL, so this is safe, without RTNL opencount cannot * reach 0, and thus the rdev cannot be deleted. * * We need to do it for the dev_close(), since that will call * the netdev notifiers, and we need to acquire the mutex there * but don't know if we get there from here or from some other * place (e.g. "ip link set ... down"). */ mutex_unlock(&rdev->wiphy.mtx); ... Do similarly for mwifiex teardown, by ensuring we bring the link down first. Sample deadlock trace: [ 247.103516] INFO: task rmmod:2119 blocked for more than 123 seconds. [ 247.110630] Not tainted 5.12.4 #5 [ 247.115796] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 247.124557] task:rmmod state:D stack: 0 pid: 2119 ppid: 2114 flags:0x00400208 [ 247.133905] Call trace: [ 247.136644] __switch_to+0x130/0x170 [ 247.140643] __schedule+0x714/0xa0c [ 247.144548] schedule_preempt_disabled+0x88/0xf4 [ 247.149714] __mutex_lock_common+0x43c/0x750 [ 247.154496] mutex_lock_nested+0x5c/0x68 [ 247.158884] cfg80211_netdev_notifier_call+0x280/0x4e0 [cfg80211] [ 247.165769] raw_notifier_call_chain+0x4c/0x78 [ 247.170742] call_netdevice_notifiers_info+0x68/0xa4 [ 247.176305] __dev_close_many+0x7c/0x138 [ 247.180693] dev_close_many+0x7c/0x10c [ 247.184893] unregister_netdevice_many+0xfc/0x654 [ 247.190158] unregister_netdevice_queue+0xb4/0xe0 [ 247.195424] _cfg80211_unregister_wdev+0xa4/0x204 [cfg80211] [ 247.201816] cfg80211_unregister_wdev+0x20/0x2c [cfg80211] [ 247.208016] mwifiex_del_virtual_intf+0xc8/0x188 [mwifiex] [ 247.214174] mwifiex_uninit_sw+0x158/0x1b0 [mwifiex] [ 247.219747] mwifiex_remove_card+0x38/0xa0 [mwifiex] [ 247.225316] mwifiex_pcie_remove+0xd0/0xe0 [mwifiex_pcie] [ 247.231451] pci_device_remove+0x50/0xe0 [ 247.235849] device_release_driver_internal+0x110/0x1b0 [ 247.241701] driver_detach+0x5c/0x9c [ 247.245704] bus_remove_driver+0x84/0xb8 [ 247.250095] driver_unregister+0x3c/0x60 [ 247.254486] pci_unregister_driver+0x2c/0x90 [ 247.259267] cleanup_module+0x18/0xcdc [mwifiex_pcie]
AI Analysis
Technical Summary
CVE-2021-47349 is a vulnerability identified in the Linux kernel, specifically related to the mwifiex wireless driver, which is used for Marvell WiFi chipsets. The issue arises during the teardown process of the mwifiex driver, particularly when the driver is being removed (rmmod) or during a firmware reset. The root cause is a potential deadlock condition triggered by improper handling of the link state before deleting the network interface. The vulnerability occurs because the function cfg80211_unregister_wdev(), responsible for unregistering wireless devices, attempts to bring down the link internally while holding a lock (wiphy mutex). This conflicts with the mwifiex driver's teardown sequence, which also tries to acquire the same lock, leading to a deadlock. The Linux kernel's nl80211_del_interface() function handles a similar scenario by explicitly bringing the link down before deleting the interface, thus avoiding deadlocks. However, mwifiex lacked this safeguard, causing the deadlock when the driver removal process attempts to unregister the wireless device. The deadlock manifests as the rmmod process becoming blocked indefinitely, as shown in the provided kernel stack trace, which details the mutex lock contention and the call chain leading to the hang. This can cause system instability or unresponsiveness during driver removal or firmware resets. Although no known exploits are reported in the wild, the vulnerability affects the stability and reliability of systems using the affected mwifiex driver versions. The affected versions are identified by specific Linux kernel commits, and the issue has been addressed by modifying the mwifiex teardown code to bring down the link before deleting the interface, aligning with the approach used in nl80211_del_interface().
Potential Impact
For European organizations, the impact of CVE-2021-47349 primarily concerns systems utilizing Linux kernels with the vulnerable mwifiex driver, commonly found in devices with Marvell WiFi chipsets. The deadlock can cause prolonged system hangs or failures during driver removal or firmware resets, potentially leading to denial of service conditions on affected devices. This can disrupt network connectivity, especially in environments relying on wireless communication for critical operations such as industrial control systems, enterprise wireless infrastructure, or embedded Linux devices in IoT deployments. Although the vulnerability does not directly lead to privilege escalation or data breaches, the resulting system instability can affect operational continuity, increase maintenance overhead, and reduce system availability. European organizations with large-scale Linux deployments, including telecommunications providers, manufacturing plants, and public sector entities, may experience operational disruptions if devices require driver reloads or firmware updates. Moreover, the inability to safely remove or reset the driver could complicate patch management and incident response activities. Given the widespread use of Linux in European IT infrastructure and embedded systems, the vulnerability's impact is significant in terms of reliability and service availability rather than direct compromise.
Mitigation Recommendations
To mitigate CVE-2021-47349, European organizations should ensure that Linux systems using the mwifiex driver are updated to kernel versions where the fix has been applied. Specifically, the mwifiex driver teardown process must be patched to bring down the wireless link before deleting the interface, preventing the deadlock. Organizations should: 1) Monitor and apply Linux kernel updates from trusted sources that include the fix for this vulnerability. 2) For embedded or custom Linux distributions, rebuild the kernel with the patched mwifiex driver code. 3) Avoid manual removal of the mwifiex driver module during critical operational periods to reduce risk of system hangs. 4) Implement robust monitoring to detect hung processes related to driver removal or firmware resets, enabling timely intervention. 5) Test firmware updates and driver reload procedures in controlled environments before deployment to production systems. 6) Where possible, consider alternative wireless drivers or hardware that do not exhibit this issue, especially in critical infrastructure. 7) Maintain comprehensive backup and recovery plans to address potential system unavailability caused by this deadlock. These steps go beyond generic advice by focusing on proactive patch management, operational controls, and contingency planning tailored to the nature of this deadlock vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2021-47349: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: mwifiex: bring down link before deleting interface We can deadlock when rmmod'ing the driver or going through firmware reset, because the cfg80211_unregister_wdev() has to bring down the link for us, ... which then grab the same wiphy lock. nl80211_del_interface() already handles a very similar case, with a nice description: /* * We hold RTNL, so this is safe, without RTNL opencount cannot * reach 0, and thus the rdev cannot be deleted. * * We need to do it for the dev_close(), since that will call * the netdev notifiers, and we need to acquire the mutex there * but don't know if we get there from here or from some other * place (e.g. "ip link set ... down"). */ mutex_unlock(&rdev->wiphy.mtx); ... Do similarly for mwifiex teardown, by ensuring we bring the link down first. Sample deadlock trace: [ 247.103516] INFO: task rmmod:2119 blocked for more than 123 seconds. [ 247.110630] Not tainted 5.12.4 #5 [ 247.115796] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 247.124557] task:rmmod state:D stack: 0 pid: 2119 ppid: 2114 flags:0x00400208 [ 247.133905] Call trace: [ 247.136644] __switch_to+0x130/0x170 [ 247.140643] __schedule+0x714/0xa0c [ 247.144548] schedule_preempt_disabled+0x88/0xf4 [ 247.149714] __mutex_lock_common+0x43c/0x750 [ 247.154496] mutex_lock_nested+0x5c/0x68 [ 247.158884] cfg80211_netdev_notifier_call+0x280/0x4e0 [cfg80211] [ 247.165769] raw_notifier_call_chain+0x4c/0x78 [ 247.170742] call_netdevice_notifiers_info+0x68/0xa4 [ 247.176305] __dev_close_many+0x7c/0x138 [ 247.180693] dev_close_many+0x7c/0x10c [ 247.184893] unregister_netdevice_many+0xfc/0x654 [ 247.190158] unregister_netdevice_queue+0xb4/0xe0 [ 247.195424] _cfg80211_unregister_wdev+0xa4/0x204 [cfg80211] [ 247.201816] cfg80211_unregister_wdev+0x20/0x2c [cfg80211] [ 247.208016] mwifiex_del_virtual_intf+0xc8/0x188 [mwifiex] [ 247.214174] mwifiex_uninit_sw+0x158/0x1b0 [mwifiex] [ 247.219747] mwifiex_remove_card+0x38/0xa0 [mwifiex] [ 247.225316] mwifiex_pcie_remove+0xd0/0xe0 [mwifiex_pcie] [ 247.231451] pci_device_remove+0x50/0xe0 [ 247.235849] device_release_driver_internal+0x110/0x1b0 [ 247.241701] driver_detach+0x5c/0x9c [ 247.245704] bus_remove_driver+0x84/0xb8 [ 247.250095] driver_unregister+0x3c/0x60 [ 247.254486] pci_unregister_driver+0x2c/0x90 [ 247.259267] cleanup_module+0x18/0xcdc [mwifiex_pcie]
AI-Powered Analysis
Technical Analysis
CVE-2021-47349 is a vulnerability identified in the Linux kernel, specifically related to the mwifiex wireless driver, which is used for Marvell WiFi chipsets. The issue arises during the teardown process of the mwifiex driver, particularly when the driver is being removed (rmmod) or during a firmware reset. The root cause is a potential deadlock condition triggered by improper handling of the link state before deleting the network interface. The vulnerability occurs because the function cfg80211_unregister_wdev(), responsible for unregistering wireless devices, attempts to bring down the link internally while holding a lock (wiphy mutex). This conflicts with the mwifiex driver's teardown sequence, which also tries to acquire the same lock, leading to a deadlock. The Linux kernel's nl80211_del_interface() function handles a similar scenario by explicitly bringing the link down before deleting the interface, thus avoiding deadlocks. However, mwifiex lacked this safeguard, causing the deadlock when the driver removal process attempts to unregister the wireless device. The deadlock manifests as the rmmod process becoming blocked indefinitely, as shown in the provided kernel stack trace, which details the mutex lock contention and the call chain leading to the hang. This can cause system instability or unresponsiveness during driver removal or firmware resets. Although no known exploits are reported in the wild, the vulnerability affects the stability and reliability of systems using the affected mwifiex driver versions. The affected versions are identified by specific Linux kernel commits, and the issue has been addressed by modifying the mwifiex teardown code to bring down the link before deleting the interface, aligning with the approach used in nl80211_del_interface().
Potential Impact
For European organizations, the impact of CVE-2021-47349 primarily concerns systems utilizing Linux kernels with the vulnerable mwifiex driver, commonly found in devices with Marvell WiFi chipsets. The deadlock can cause prolonged system hangs or failures during driver removal or firmware resets, potentially leading to denial of service conditions on affected devices. This can disrupt network connectivity, especially in environments relying on wireless communication for critical operations such as industrial control systems, enterprise wireless infrastructure, or embedded Linux devices in IoT deployments. Although the vulnerability does not directly lead to privilege escalation or data breaches, the resulting system instability can affect operational continuity, increase maintenance overhead, and reduce system availability. European organizations with large-scale Linux deployments, including telecommunications providers, manufacturing plants, and public sector entities, may experience operational disruptions if devices require driver reloads or firmware updates. Moreover, the inability to safely remove or reset the driver could complicate patch management and incident response activities. Given the widespread use of Linux in European IT infrastructure and embedded systems, the vulnerability's impact is significant in terms of reliability and service availability rather than direct compromise.
Mitigation Recommendations
To mitigate CVE-2021-47349, European organizations should ensure that Linux systems using the mwifiex driver are updated to kernel versions where the fix has been applied. Specifically, the mwifiex driver teardown process must be patched to bring down the wireless link before deleting the interface, preventing the deadlock. Organizations should: 1) Monitor and apply Linux kernel updates from trusted sources that include the fix for this vulnerability. 2) For embedded or custom Linux distributions, rebuild the kernel with the patched mwifiex driver code. 3) Avoid manual removal of the mwifiex driver module during critical operational periods to reduce risk of system hangs. 4) Implement robust monitoring to detect hung processes related to driver removal or firmware resets, enabling timely intervention. 5) Test firmware updates and driver reload procedures in controlled environments before deployment to production systems. 6) Where possible, consider alternative wireless drivers or hardware that do not exhibit this issue, especially in critical infrastructure. 7) Maintain comprehensive backup and recovery plans to address potential system unavailability caused by this deadlock. These steps go beyond generic advice by focusing on proactive patch management, operational controls, and contingency planning tailored to the nature of this deadlock vulnerability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-21T14:28:16.983Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9835c4522896dcbea532
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 10:36:32 AM
Last updated: 8/7/2025, 7:52:58 PM
Views: 12
Related Threats
CVE-2025-7384: CWE-502 Deserialization of Untrusted Data in crmperks Database for Contact Form 7, WPforms, Elementor forms
CriticalCVE-2025-8491: CWE-352 Cross-Site Request Forgery (CSRF) in nikelschubert Easy restaurant menu manager
MediumCVE-2025-0818: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ninjateam File Manager Pro – Filester
MediumCVE-2025-8901: Out of bounds write in Google Chrome
HighCVE-2025-8882: Use after free in Google Chrome
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.