cve/published/2022/CVE-2022-49130.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: mhi: use mhi_sync_power_up()\n\nIf amss.bin was missing ath11k would crash during 'rmmod ath11k_pci'. The\nreason for that was that we were using mhi_async_power_up() which does not\ncheck any errors. But mhi_sync_power_up() on the other hand does check for\nerrors so let's use that to fix the crash.\n\nI was not able to find a reason why an async version was used.\nath11k_mhi_start() (which enables state ATH11K_MHI_POWER_ON) is called from\nath11k_hif_power_up(), which can sleep. So sync version should be safe to use\nhere.\n\n[  145.569731] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN PTI\n[  145.569789] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n[  145.569843] CPU: 2 PID: 1628 Comm: rmmod Kdump: loaded Tainted: G        W         5.16.0-wt-ath+ #567\n[  145.569898] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021\n[  145.569956] RIP: 0010:ath11k_hal_srng_access_begin+0xb5/0x2b0 [ath11k]\n[  145.570028] Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ec 01 00 00 48 8b ab a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <0f> b6 14 02 48 89 e8 83 e0 07 83 c0 03 45 85 ed 75 48 38 d0 7c 08\n[  145.570089] RSP: 0018:ffffc900025d7ac0 EFLAGS: 00010246\n[  145.570144] RAX: dffffc0000000000 RBX: ffff88814fca2dd8 RCX: 1ffffffff50cb455\n[  145.570196] RDX: 0000000000000000 RSI: ffff88814fca2dd8 RDI: ffff88814fca2e80\n[  145.570252] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffa8659497\n[  145.570329] R10: fffffbfff50cb292 R11: 0000000000000001 R12: ffff88814fca0000\n[  145.570410] R13: 0000000000000000 R14: ffff88814fca2798 R15: ffff88814fca2dd8\n[  145.570465] FS:  00007fa399988540(0000) GS:ffff888233e00000(0000) knlGS:0000000000000000\n[  145.570519] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  145.570571] CR2: 00007fa399b51421 CR3: 0000000137898002 CR4: 00000000003706e0\n[  145.570623] Call Trace:\n[  145.570675]  <TASK>\n[  145.570727]  ? ath11k_ce_tx_process_cb+0x34b/0x860 [ath11k]\n[  145.570797]  ath11k_ce_tx_process_cb+0x356/0x860 [ath11k]\n[  145.570864]  ? tasklet_init+0x150/0x150\n[  145.570919]  ? ath11k_ce_alloc_pipes+0x280/0x280 [ath11k]\n[  145.570986]  ? tasklet_clear_sched+0x42/0xe0\n[  145.571042]  ? tasklet_kill+0xe9/0x1b0\n[  145.571095]  ? tasklet_clear_sched+0xe0/0xe0\n[  145.571148]  ? irq_has_action+0x120/0x120\n[  145.571202]  ath11k_ce_cleanup_pipes+0x45a/0x580 [ath11k]\n[  145.571270]  ? ath11k_pci_stop+0x10e/0x170 [ath11k_pci]\n[  145.571345]  ath11k_core_stop+0x8a/0xc0 [ath11k]\n[  145.571434]  ath11k_core_deinit+0x9e/0x150 [ath11k]\n[  145.571499]  ath11k_pci_remove+0xd2/0x260 [ath11k_pci]\n[  145.571553]  pci_device_remove+0x9a/0x1c0\n[  145.571605]  __device_release_driver+0x332/0x660\n[  145.571659]  driver_detach+0x1e7/0x2c0\n[  145.571712]  bus_remove_driver+0xe2/0x2d0\n[  145.571772]  pci_unregister_driver+0x21/0x250\n[  145.571826]  __do_sys_delete_module+0x30a/0x4b0\n[  145.571879]  ? free_module+0xac0/0xac0\n[  145.571933]  ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370\n[  145.571986]  ? syscall_enter_from_user_mode+0x1d/0x50\n[  145.572039]  ? lockdep_hardirqs_on+0x79/0x100\n[  145.572097]  do_syscall_64+0x3b/0x90\n[  145.572153]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2"
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "drivers/net/wireless/ath/ath11k/mhi.c"
                ],
                "versions": [
                   {
                      "version": "d5c65159f2895379e11ca13f62feabe93278985d",
                      "lessThan": "339bd0b55ecdd0f7f341e9357c4cfde799de9418",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "d5c65159f2895379e11ca13f62feabe93278985d",
                      "lessThan": "20d01a11efde2e05e47d5c66101f5c26eaca68e2",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "d5c65159f2895379e11ca13f62feabe93278985d",
                      "lessThan": "3fd7d50384c3808b7f7fa135aa9bb5feb1cb9849",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "d5c65159f2895379e11ca13f62feabe93278985d",
                      "lessThan": "646d533af2911be1184eaee8c900b7eb8ecc4396",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "d5c65159f2895379e11ca13f62feabe93278985d",
                      "lessThan": "3df6d74aedfdca919cca475d15dfdbc8b05c9e5d",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "drivers/net/wireless/ath/ath11k/mhi.c"
                ],
                "versions": [
                   {
                      "version": "5.6",
                      "status": "affected"
                   },
                   {
                      "version": "0",
                      "lessThan": "5.6",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.10.111",
                      "lessThanOrEqual": "5.10.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.15.34",
                      "lessThanOrEqual": "5.15.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.16.20",
                      "lessThanOrEqual": "5.16.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.17.3",
                      "lessThanOrEqual": "5.17.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.18",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "cpeApplicability": [
             {
                "nodes": [
                   {
                      "operator": "OR",
                      "negate": false,
                      "cpeMatch": [
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.6",
                            "versionEndExcluding": "5.10.111"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.6",
                            "versionEndExcluding": "5.15.34"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.6",
                            "versionEndExcluding": "5.16.20"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.6",
                            "versionEndExcluding": "5.17.3"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.6",
                            "versionEndExcluding": "5.18"
                         }
                      ]
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/339bd0b55ecdd0f7f341e9357c4cfde799de9418"
             },
             {
                "url": "https://git.kernel.org/stable/c/20d01a11efde2e05e47d5c66101f5c26eaca68e2"
             },
             {
                "url": "https://git.kernel.org/stable/c/3fd7d50384c3808b7f7fa135aa9bb5feb1cb9849"
             },
             {
                "url": "https://git.kernel.org/stable/c/646d533af2911be1184eaee8c900b7eb8ecc4396"
             },
             {
                "url": "https://git.kernel.org/stable/c/3df6d74aedfdca919cca475d15dfdbc8b05c9e5d"
             }
          ],
          "title": "ath11k: mhi: use mhi_sync_power_up()",
          "x_generator": {
             "engine": "bippy-1.2.0"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2022-49130",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: mhi: use mhi_sync_power_up()\n\nIf amss.bin was missing ath11k would crash during 'rmmod ath11k_pci'. The\nreason for that was that we were using mhi_async_power_up() which does not\ncheck any errors. But mhi_sync_power_up() on the other hand does check for\nerrors so let's use that to fix the crash.\n\nI was not able to find a reason why an async version was used.\nath11k_mhi_start() (which enables state ATH11K_MHI_POWER_ON) is called from\nath11k_hif_power_up(), which can sleep. So sync version should be safe to use\nhere.\n\n[ 145.569731] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN PTI\n[ 145.569789] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n[ 145.569843] CPU: 2 PID: 1628 Comm: rmmod Kdump: loaded Tainted: G W 5.16.0-wt-ath+ #567\n[ 145.569898] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021\n[ 145.569956] RIP: 0010:ath11k_hal_srng_access_begin+0xb5/0x2b0 [ath11k]\n[ 145.570028] Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ec 01 00 00 48 8b ab a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <0f> b6 14 02 48 89 e8 83 e0 07 83 c0 03 45 85 ed 75 48 38 d0 7c 08\n[ 145.570089] RSP: 0018:ffffc900025d7ac0 EFLAGS: 00010246\n[ 145.570144] RAX: dffffc0000000000 RBX: ffff88814fca2dd8 RCX: 1ffffffff50cb455\n[ 145.570196] RDX: 0000000000000000 RSI: ffff88814fca2dd8 RDI: ffff88814fca2e80\n[ 145.570252] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffa8659497\n[ 145.570329] R10: fffffbfff50cb292 R11: 0000000000000001 R12: ffff88814fca0000\n[ 145.570410] R13: 0000000000000000 R14: ffff88814fca2798 R15: ffff88814fca2dd8\n[ 145.570465] FS: 00007fa399988540(0000) GS:ffff888233e00000(0000) knlGS:0000000000000000\n[ 145.570519] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 145.570571] CR2: 00007fa399b51421 CR3: 0000000137898002 CR4: 00000000003706e0\n[ 145.570623] Call Trace:\n[ 145.570675] <TASK>\n[ 145.570727] ? ath11k_ce_tx_process_cb+0x34b/0x860 [ath11k]\n[ 145.570797] ath11k_ce_tx_process_cb+0x356/0x860 [ath11k]\n[ 145.570864] ? tasklet_init+0x150/0x150\n[ 145.570919] ? ath11k_ce_alloc_pipes+0x280/0x280 [ath11k]\n[ 145.570986] ? tasklet_clear_sched+0x42/0xe0\n[ 145.571042] ? tasklet_kill+0xe9/0x1b0\n[ 145.571095] ? tasklet_clear_sched+0xe0/0xe0\n[ 145.571148] ? irq_has_action+0x120/0x120\n[ 145.571202] ath11k_ce_cleanup_pipes+0x45a/0x580 [ath11k]\n[ 145.571270] ? ath11k_pci_stop+0x10e/0x170 [ath11k_pci]\n[ 145.571345] ath11k_core_stop+0x8a/0xc0 [ath11k]\n[ 145.571434] ath11k_core_deinit+0x9e/0x150 [ath11k]\n[ 145.571499] ath11k_pci_remove+0xd2/0x260 [ath11k_pci]\n[ 145.571553] pci_device_remove+0x9a/0x1c0\n[ 145.571605] __device_release_driver+0x332/0x660\n[ 145.571659] driver_detach+0x1e7/0x2c0\n[ 145.571712] bus_remove_driver+0xe2/0x2d0\n[ 145.571772] pci_unregister_driver+0x21/0x250\n[ 145.571826] __do_sys_delete_module+0x30a/0x4b0\n[ 145.571879] ? free_module+0xac0/0xac0\n[ 145.571933] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370\n[ 145.571986] ? syscall_enter_from_user_mode+0x1d/0x50\n[ 145.572039] ? lockdep_hardirqs_on+0x79/0x100\n[ 145.572097] do_syscall_64+0x3b/0x90\n[ 145.572153] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2"
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"drivers/net/wireless/ath/ath11k/mhi.c"
	],
	"versions": [
	{
	"version": "d5c65159f2895379e11ca13f62feabe93278985d",
	"lessThan": "339bd0b55ecdd0f7f341e9357c4cfde799de9418",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "d5c65159f2895379e11ca13f62feabe93278985d",
	"lessThan": "20d01a11efde2e05e47d5c66101f5c26eaca68e2",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "d5c65159f2895379e11ca13f62feabe93278985d",
	"lessThan": "3fd7d50384c3808b7f7fa135aa9bb5feb1cb9849",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "d5c65159f2895379e11ca13f62feabe93278985d",
	"lessThan": "646d533af2911be1184eaee8c900b7eb8ecc4396",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "d5c65159f2895379e11ca13f62feabe93278985d",
	"lessThan": "3df6d74aedfdca919cca475d15dfdbc8b05c9e5d",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"drivers/net/wireless/ath/ath11k/mhi.c"
	],
	"versions": [
	{
	"version": "5.6",
	"status": "affected"
	},
	{
	"version": "0",
	"lessThan": "5.6",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.10.111",
	"lessThanOrEqual": "5.10.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.15.34",
	"lessThanOrEqual": "5.15.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.16.20",
	"lessThanOrEqual": "5.16.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.17.3",
	"lessThanOrEqual": "5.17.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.18",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"cpeApplicability": [
	{
	"nodes": [
	{
	"operator": "OR",
	"negate": false,
	"cpeMatch": [
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.6",
	"versionEndExcluding": "5.10.111"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.6",
	"versionEndExcluding": "5.15.34"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.6",
	"versionEndExcluding": "5.16.20"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.6",
	"versionEndExcluding": "5.17.3"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.6",
	"versionEndExcluding": "5.18"
	}
	]
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/339bd0b55ecdd0f7f341e9357c4cfde799de9418"
	},
	{
	"url": "https://git.kernel.org/stable/c/20d01a11efde2e05e47d5c66101f5c26eaca68e2"
	},
	{
	"url": "https://git.kernel.org/stable/c/3fd7d50384c3808b7f7fa135aa9bb5feb1cb9849"
	},
	{
	"url": "https://git.kernel.org/stable/c/646d533af2911be1184eaee8c900b7eb8ecc4396"
	},
	{
	"url": "https://git.kernel.org/stable/c/3df6d74aedfdca919cca475d15dfdbc8b05c9e5d"
	}
	],
	"title": "ath11k: mhi: use mhi_sync_power_up()",
	"x_generator": {
	"engine": "bippy-1.2.0"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2022-49130",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}