CVE-2022-49543

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 26/02/2025
Last modified: 26/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ath11k: fix the warning of dev_wake in mhi_pm_disable_transition()

When testing device recovery with the commands below, a warning appears in the log as shown below.

echo assert > /sys/kernel/debug/ath11k/wcn6855\ hw2.0/simulate_fw_crash
echo assert > /sys/kernel/debug/ath11k/qca6390\ hw2.0/simulate_fw_crash

warning message:
[ 1965.642121] ath11k_pci 0000:06:00.0: simulating firmware assert crash
[ 1968.471364] ieee80211 phy0: Hardware restart was requested
[ 1968.511305] ------------[ cut here ]------------
[ 1968.511368] WARNING: CPU: 3 PID: 1546 at drivers/bus/mhi/core/pm.c:505 mhi_pm_disable_transition+0xb37/0xda0 [mhi]
[ 1968.511443] Modules linked in: ath11k_pci ath11k mac80211 libarc4 cfg80211 qmi_helpers qrtr_mhi mhi qrtr nvme nvme_core
[ 1968.511563] CPU: 3 PID: 1546 Comm: kworker/u17:0 Kdump: loaded Tainted: G W 5.17.0-rc3-wt-ath+ #579
[ 1968.511629] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021
[ 1968.511704] Workqueue: mhi_hiprio_wq mhi_pm_st_worker [mhi]
[ 1968.511787] RIP: 0010:mhi_pm_disable_transition+0xb37/0xda0 [mhi]
[ 1968.511870] Code: a9 fe ff ff 4c 89 ff 44 89 04 24 e8 03 46 f6 e5 44 8b 04 24 41 83 f8 01 0f 84 21 fe ff ff e9 4c fd ff ff 0f 0b e9 af f8 ff ff 0b e9 5c f8 ff ff 48 89 df e8 da 9e ee e3 e9 12 fd ff ff 4c 89
[ 1968.511923] RSP: 0018:ffffc900024efbf0 EFLAGS: 00010286
[ 1968.511969] RAX: 00000000ffffffff RBX: ffff88811d241250 RCX: ffffffffc0176922
[ 1968.512014] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888118a90a24
[ 1968.512059] RBP: ffff888118a90800 R08: 0000000000000000 R09: ffff888118a90a27
[ 1968.512102] R10: ffffed1023152144 R11: 0000000000000001 R12: ffff888118a908ac
[ 1968.512229] R13: ffff888118a90928 R14: dffffc0000000000 R15: ffff888118a90a24
[ 1968.512310] FS: 0000000000000000(0000) GS:ffff888234200000(0000) knlGS:0000000000000000
[ 1968.512405] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1968.512493] CR2: 00007f5538f443a8 CR3: 000000016dc28001 CR4: 00000000003706e0
[ 1968.512587] Call Trace:
[ 1968.512672]
[ 1968.512751] ? _raw_spin_unlock_irq+0x1f/0x40
[ 1968.512859] mhi_pm_st_worker+0x3ac/0x790 [mhi]
[ 1968.512959] ? mhi_pm_mission_mode_transition.isra.0+0x7d0/0x7d0 [mhi]
[ 1968.513063] process_one_work+0x86a/0x1400
[ 1968.513184] ? pwq_dec_nr_in_flight+0x230/0x230
[ 1968.513312] ? move_linked_works+0x125/0x290
[ 1968.513416] worker_thread+0x6db/0xf60
[ 1968.513536] ? process_one_work+0x1400/0x1400
[ 1968.513627] kthread+0x241/0x2d0
[ 1968.513733] ? kthread_complete_and_exit+0x20/0x20
[ 1968.513821] ret_from_fork+0x22/0x30
[ 1968.513924]

The reason is that mhi_deassert_dev_wake() from mhi_device_put() is called but mhi_assert_dev_wake() from __mhi_device_get_sync() is not called while recovery is in progress. Commit 8e0559921f9a ("bus: mhi: core: Skip device wake in error or shutdown state") added a check for the pm_state of mhi in __mhi_device_get_sync(), and the pm_state is not the normal state until recovery is completed, so dev_wake ends up not being 0 and the above warning is printed in mhi_pm_disable_transition() while checking mhi_cntrl->dev_wake.

Add a check in ath11k_pci_write32()/ath11k_pci_read32() to skip calling mhi_device_put() if mhi_device_get_sync() does not really do the wake; then the warning is gone.

Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2
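
The get/put imbalance described in the commit message above, shown as a user-space C model that is added here and is not the kernel's MHI or ath11k code. All names are hypothetical, and the -EIO return for a skipped wake is an assumption of the model.

```c
/* User-space model of the dev_wake imbalance; hypothetical names, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
struct model_ctrl {
    bool pm_error;  /* true while recovery is in progress */
    int dev_wake;   /* wake reference count, expected to be 0 at disable */
};

/* Get side: the wake is skipped in an error state (-EIO is an assumption). */
static int model_get_sync(struct model_ctrl *c)
{
    if (c->pm_error)
        return -EIO;
    c->dev_wake++;
    return 0;
}
/* Put side: always drops one reference. */
static void model_put(struct model_ctrl *c) { c->dev_wake--; }

/* Before: put runs whether or not get took a reference. */
static void access_unbalanced(struct model_ctrl *c)
{
    (void)model_get_sync(c);
    model_put(c);
}

/* After: put is skipped when get did not really do the wake. */
static void access_balanced(struct model_ctrl *c)
{
    int ret = model_get_sync(c);
    if (!ret)
        model_put(c);
}

/* Run n register accesses and return the resulting dev_wake. */
static int dev_wake_after(void (*access)(struct model_ctrl *), bool pm_error, int n)
{
    struct model_ctrl c = { .pm_error = pm_error, .dev_wake = 0 };
    for (int i = 0; i < n; i++)
        access(&c);
    return c.dev_wake;
}

int main(void)
{
    printf("recovery, unbalanced: %d\n", dev_wake_after(access_unbalanced, true, 3));
    printf("recovery, balanced:   %d\n", dev_wake_after(access_balanced, true, 3));
    return 0;
}
```

In the model, the unbalanced path leaves the counter negative after accesses made during recovery, which corresponds to the nonzero dev_wake the warning reports; the balanced path keeps it at 0.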

Impact