CVE-2022-50248
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/09/2025
Last modified:
15/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: fix double free on tx path.

We see kernel crashes and lockups and KASAN errors related to ax210
firmware crashes. One of the KASAN dumps pointed at the tx path,
and it appears there is indeed a way to double-free an skb.

If iwl_mvm_tx_skb_sta returns non-zero, then the 'skb' sent into the
method will be freed. But, in the case where we build the TSO skb buffer,
the skb may also be freed in the error case. So, return 0 in that particular
error case and do cleanup manually.

BUG: KASAN: use-after-free in __list_del_entry_valid+0x12/0x90
iwlwifi 0000:06:00.0: 0x00000000 | tsf hi
Read of size 8 at addr ffff88813cfa4ba0 by task btserver/9650

CPU: 4 PID: 9650 Comm: btserver Tainted: G W 5.19.8+ #5
iwlwifi 0000:06:00.0: 0x00000000 | time gp1
Hardware name: Default string Default string/SKYBAY, BIOS 5.12 02/19/2019
Call Trace:

dump_stack_lvl+0x55/0x6d
print_report.cold.12+0xf2/0x684
iwlwifi 0000:06:00.0: 0x1D0915A8 | time gp2
? __list_del_entry_valid+0x12/0x90
kasan_report+0x8b/0x180
iwlwifi 0000:06:00.0: 0x00000001 | uCode revision type
? __list_del_entry_valid+0x12/0x90
__list_del_entry_valid+0x12/0x90
iwlwifi 0000:06:00.0: 0x00000048 | uCode version major
tcp_update_skb_after_send+0x5d/0x170
__tcp_transmit_skb+0xb61/0x15c0
iwlwifi 0000:06:00.0: 0xDAA05125 | uCode version minor
? __tcp_select_window+0x490/0x490
iwlwifi 0000:06:00.0: 0x00000420 | hw version
? trace_kmalloc_node+0x29/0xd0
? __kmalloc_node_track_caller+0x12a/0x260
? memset+0x1f/0x40
? __build_skb_around+0x125/0x150
? __alloc_skb+0x1d4/0x220
? skb_zerocopy_clone+0x55/0x230
iwlwifi 0000:06:00.0: 0x00489002 | board version
? kmalloc_reserve+0x80/0x80
? rcu_read_lock_bh_held+0x60/0xb0
tcp_write_xmit+0x3f1/0x24d0
iwlwifi 0000:06:00.0: 0x034E001C | hcmd
? __check_object_size+0x180/0x350
iwlwifi 0000:06:00.0: 0x24020000 | isr0
tcp_sendmsg_locked+0x8a9/0x1520
iwlwifi 0000:06:00.0: 0x01400000 | isr1
? tcp_sendpage+0x50/0x50
iwlwifi 0000:06:00.0: 0x48F0000A | isr2
? lock_release+0xb9/0x400
? tcp_sendmsg+0x14/0x40
iwlwifi 0000:06:00.0: 0x00C3080C | isr3
? lock_downgrade+0x390/0x390
? do_raw_spin_lock+0x114/0x1d0
iwlwifi 0000:06:00.0: 0x00200000 | isr4
? rwlock_bug.part.2+0x50/0x50
iwlwifi 0000:06:00.0: 0x034A001C | last cmd Id
? rwlock_bug.part.2+0x50/0x50
? lockdep_hardirqs_on_prepare+0xe/0x200
iwlwifi 0000:06:00.0: 0x0000C2F0 | wait_event
? __local_bh_enable_ip+0x87/0xe0
? inet_send_prepare+0x220/0x220
iwlwifi 0000:06:00.0: 0x000000C4 | l2p_control
tcp_sendmsg+0x22/0x40
sock_sendmsg+0x5f/0x70
iwlwifi 0000:06:00.0: 0x00010034 | l2p_duration
__sys_sendto+0x19d/0x250
iwlwifi 0000:06:00.0: 0x00000007 | l2p_mhvalid
? __ia32_sys_getpeername+0x40/0x40
iwlwifi 0000:06:00.0: 0x00000000 | l2p_addr_match
? rcu_read_lock_held_common+0x12/0x50
? rcu_read_lock_sched_held+0x5a/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? rcu_read_lock_sched_held+0x5a/0xd0
? rcu_read_lock_sched_held+0x5a/0xd0
? lock_release+0xb9/0x400
? lock_downgrade+0x390/0x390
? ktime_get+0x64/0x130
? ktime_get+0x8d/0x130
? rcu_read_lock_held_common+0x12/0x50
? rcu_read_lock_sched_held+0x5a/0xd0
? rcu_read_lock_held_common+0x12/0x50
? rcu_read_lock_sched_held+0x5a/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? rcu_read_lock_bh_held+0xb0/0xb0
__x64_sys_sendto+0x6f/0x80
do_syscall_64+0x34/0xb0
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f1d126e4531
Code: 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 35 80 0c 00 41 89 ca 8b 00 85 c0 75 1c 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 3d 00 f0 ff ff 77 67 c3 66 0f 1f 44 00 00 55 48 83 ec 20 48 89
RSP: 002b:00007ffe21a679d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 000000000000ffdc RCX: 00007f1d126e4531
RDX: 0000000000010000 RSI: 000000000374acf0 RDI: 0000000000000014
RBP: 00007ffe21a67ac0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R
---truncated---
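The bug class the commit message describes is an ownership-contract violation: the caller of iwl_mvm_tx_skb_sta frees the skb whenever the return value is non-zero, but one error path inside the callee (the TSO build) already freed it, so the same skb is released twice. The following is an added, constructed C model of that contract and of the fix ("return 0 in that error case and do cleanup manually"); it is not iwlwifi code, and the names tx_skb_sta_buggy, tx_skb_sta_fixed, build_tso and tx_path_free_count are hypothetical. The skb stand-in counts frees instead of releasing memory, so the double free shows up as a count of 2 rather than as allocator corruption.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the skb ownership hazard the commit describes.
 * Not iwlwifi code: the skb is a heap block with a free counter so a
 * double free is observable instead of corrupting the allocator. */
struct skb {
    unsigned char *data;
    size_t len;
    int frees;      /* how many times skb_free() was called on this skb */
};

static struct skb *skb_alloc(size_t len)
{
    struct skb *skb = calloc(1, sizeof(*skb));
    if (!skb)
        return NULL;
    skb->data = malloc(len);
    skb->len = len;
    return skb;
}

/* Stands in for kfree_skb()/ieee80211_free_txskb(): counts instead of
 * releasing, so the harness can inspect the count afterwards. */
static void skb_free(struct skb *skb)
{
    skb->frees++;
}

static void skb_destroy(struct skb *skb)
{
    free(skb->data);
    free(skb);
}

/* Hypothetical TSO segmentation step; 'fail' forces the error path. */
static int build_tso(struct skb *skb, int fail)
{
    (void)skb;
    return fail ? -1 : 0;
}

/* Caller contract (from the commit message): a non-zero return means the
 * caller still owns 'skb' and must free it. */

/* Before the fix: the TSO error path frees skb AND returns non-zero. */
static int tx_skb_sta_buggy(struct skb *skb, int tso, int tso_fails)
{
    if (tso && build_tso(skb, tso_fails) != 0) {
        skb_free(skb);   /* consumed here ... */
        return -1;       /* ... but the caller will free it again */
    }
    return 0;            /* handed to the hardware queue */
}

/* After the fix: the error path cleans up itself and returns 0, so the
 * caller does not touch the skb again. */
static int tx_skb_sta_fixed(struct skb *skb, int tso, int tso_fails)
{
    if (tso && build_tso(skb, tso_fails) != 0) {
        skb_free(skb);
        return 0;        /* skb consumed one way or another */
    }
    return 0;
}

/* Caller side of the contract. Returns how many times the skb was freed:
 * 1 is correct for a dropped frame, 0 for a transmitted one, 2 is the bug. */
static int tx_path_free_count(int (*tx)(struct skb *, int, int),
                              int tso, int tso_fails)
{
    struct skb *skb = skb_alloc(64);
    int frees;

    if (!skb)
        return -1;
    if (tx(skb, tso, tso_fails) != 0)
        skb_free(skb);
    frees = skb->frees;
    skb_destroy(skb);
    return frees;
}

int main(void)
{
    printf("buggy TSO error path: %d free(s)\n",
           tx_path_free_count(tx_skb_sta_buggy, 1, 1));
    printf("fixed TSO error path: %d free(s)\n",
           tx_path_free_count(tx_skb_sta_fixed, 1, 1));
    printf("fixed TSO success   : %d free(s)\n",
           tx_path_free_count(tx_skb_sta_fixed, 1, 0));
    return 0;
}
```

The cost of this fix pattern is that the caller can no longer tell a dropped frame from a successfully queued one by the return value alone; that is acceptable only because the rule "non-zero means the caller frees" is then honoured on every path. When auditing a driver TX function for this class of bug, list every early return and check, for each, who owns the skb at that point; any path that both frees and returns non-zero to a caller following this contract is a double free.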
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0473cbae2137b963bd0eaa74336131cb1d3bc6c3
- https://git.kernel.org/stable/c/0e1e311fd929c6a8dcfddcb4748c47b07e39821f
- https://git.kernel.org/stable/c/3a2ecd1ec14075117ccb3e85f0fed224578ec228
- https://git.kernel.org/stable/c/8fabe41fba907e4fd826acbbdb42e09c681c515e
- https://git.kernel.org/stable/c/ae966649f665bc3868b935157dd4a3c31810dcc0
- https://git.kernel.org/stable/c/d8e32f1bf1a9183a6aad560c6688500222d24299