CVE-2023-53532
Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
01/10/2025
Last modified:
02/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: fix deinitialization of firmware resources

Currently, in ath11k_ahb_fw_resources_init(), iommu domain
mapping is done only for the chipsets having fixed firmware
memory. Also, for such chipsets, mapping is done only if it
does not have TrustZone support.

During deinitialization, only if TrustZone support is not there,
iommu is unmapped back. However, for non fixed firmware memory
chipsets, TrustZone support is not there and this makes the
condition check to true and it tries to unmap the memory which
was not mapped during initialization.

This leads to the following trace -

[ 83.198790] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[ 83.259537] Modules linked in: ath11k_ahb ath11k qmi_helpers
.. snip ..
[ 83.280286] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 83.287228] pc : __iommu_unmap+0x30/0x140
[ 83.293907] lr : iommu_unmap+0x5c/0xa4
[ 83.298072] sp : ffff80000b3abad0
.. snip ..
[ 83.369175] Call trace:
[ 83.376282] __iommu_unmap+0x30/0x140
[ 83.378541] iommu_unmap+0x5c/0xa4
[ 83.382360] ath11k_ahb_fw_resource_deinit.part.12+0x2c/0xac [ath11k_ahb]
[ 83.385666] ath11k_ahb_free_resources+0x140/0x17c [ath11k_ahb]
[ 83.392521] ath11k_ahb_shutdown+0x34/0x40 [ath11k_ahb]
[ 83.398248] platform_shutdown+0x20/0x2c
[ 83.403455] device_shutdown+0x16c/0x1c4
[ 83.407621] kernel_restart_prepare+0x34/0x3c
[ 83.411529] kernel_restart+0x14/0x74
[ 83.415781] __do_sys_reboot+0x1c4/0x22c
[ 83.419427] __arm64_sys_reboot+0x1c/0x24
[ 83.423420] invoke_syscall+0x44/0xfc
[ 83.427326] el0_svc_common.constprop.3+0xac/0xe8
[ 83.430974] do_el0_svc+0xa0/0xa8
[ 83.435659] el0_svc+0x1c/0x44
[ 83.438957] el0t_64_sync_handler+0x60/0x144
[ 83.441910] el0t_64_sync+0x15c/0x160
[ 83.446343] Code: aa0103f4 f9400001 f90027a1 d2800001 (f94006a0)
[ 83.449903] ---[ end trace 0000000000000000 ]---

This can be reproduced by probing an AHB chipset which is not
having a fixed memory region. During reboot (or rmmod) trace
can be seen.

Fix this issue by adding a condition check on firmware fixed memory
hw_param as done in the counter initialization function.

Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
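
The init/deinit asymmetry described above, as an added user-space model that is not the ath11k driver's code or the upstream patch. Every struct, field and function name here is hypothetical, and the unmap step reports the NULL case instead of dereferencing it.

```c
/* Constructed user-space model of the init/deinit asymmetry described above.
 * All names are hypothetical; this is not the ath11k driver's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
struct fw_domain { bool mapped; };
struct dev_model {
    bool fixed_fw_mem;        /* chipset has a fixed firmware memory region */
    bool use_tz;              /* TrustZone support present */
    struct fw_domain *domain; /* non-NULL only if init really mapped */
    struct fw_domain storage;
};
enum deinit_result { DEINIT_SKIPPED, DEINIT_UNMAPPED, DEINIT_NULL_DEREF };

static void fw_resources_init(struct dev_model *d)
{
    d->domain = NULL;
    if (!d->fixed_fw_mem || d->use_tz)
        return;               /* nothing is mapped for these chipsets */
    d->storage.mapped = true;
    d->domain = &d->storage;
}
/* Stands in for the unmap call; reports the NULL case instead of crashing. */
static enum deinit_result model_unmap(struct fw_domain *dom)
{
    if (dom == NULL)
        return DEINIT_NULL_DEREF;
    dom->mapped = false;
    return DEINIT_UNMAPPED;
}

/* Runs init then deinit; deinit mirrors init's checks only when patched. */
enum deinit_result run_case(bool fixed_fw_mem, bool use_tz, bool patched)
{
    struct dev_model d = { .fixed_fw_mem = fixed_fw_mem, .use_tz = use_tz };
    fw_resources_init(&d);
    if (patched && !d.fixed_fw_mem)
        return DEINIT_SKIPPED;   /* the added guard: init never mapped */
    if (d.use_tz)
        return DEINIT_SKIPPED;   /* the only check before the fix */
    return model_unmap(d.domain);
}

int main(void)
{
    printf("non-fixed, before fix: %d\n", run_case(false, false, false));
    printf("non-fixed, after fix:  %d\n", run_case(false, false, true));
    return 0;
}
```

The general point for review is that a teardown path should test the same conditions as its setup path, or test the resource handle itself, before releasing anything.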



