CVE-2022-50627

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 08/12/2025
Last modified: 08/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: fix monitor mode bringup crash

When the interface is brought up in monitor mode, it leads to NULL pointer dereference crash. This crash happens when the packet type is extracted for a SKB. This extraction which is present in the received msdu delivery path, is not needed for the monitor ring packets since they are all RAW packets. Hence appending the flags with "RX_FLAG_ONLY_MONITOR" to skip that extraction.

Observed calltrace:

Unable to handle kernel NULL pointer dereference at virtual address
0000000000000064
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048517000
[0000000000000064] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in: ath11k_pci ath11k qmi_helpers
CPU: 2 PID: 1781 Comm: napi/-271 Not tainted
6.1.0-rc5-wt-ath-656295-gef907406320c-dirty #6
Hardware name: Qualcomm Technologies, Inc. IPQ8074/AP-HK10-C2 (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ath11k_hw_qcn9074_rx_desc_get_decap_type+0x34/0x60 [ath11k]
lr : ath11k_hw_qcn9074_rx_desc_get_decap_type+0x5c/0x60 [ath11k]
sp : ffff80000ef5bb10
x29: ffff80000ef5bb10 x28: 0000000000000000 x27: ffff000007baafa0
x26: ffff000014a91ed0 x25: 0000000000000000 x24: 0000000000000000
x23: ffff800002b77378 x22: ffff000014a91ec0 x21: ffff000006c8d600
x20: 0000000000000000 x19: ffff800002b77740 x18: 0000000000000006
x17: 736564203634343a x16: 656e694c20657079 x15: 0000000000000143
x14: 00000000ffffffea x13: ffff80000ef5b8b8 x12: ffff80000ef5b8c8
x11: ffff80000a591d30 x10: ffff80000a579d40 x9 : c0000000ffffefff
x8 : 0000000000000003 x7 : 0000000000017fe8 x6 : ffff80000a579ce8
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 3a35ec12ed7f8900 x1 : 0000000000000000 x0 : 0000000000000052
Call trace:
ath11k_hw_qcn9074_rx_desc_get_decap_type+0x34/0x60 [ath11k]
ath11k_dp_rx_deliver_msdu.isra.42+0xa4/0x3d0 [ath11k]
ath11k_dp_rx_mon_deliver.isra.43+0x2f8/0x458 [ath11k]
ath11k_dp_rx_process_mon_rings+0x310/0x4c0 [ath11k]
ath11k_dp_service_srng+0x234/0x338 [ath11k]
ath11k_pcic_ext_grp_napi_poll+0x30/0xb8 [ath11k]
__napi_poll+0x5c/0x190
napi_threaded_poll+0xf0/0x118
kthread+0xf4/0x110
ret_from_fork+0x10/0x20

Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1

Impact