CVE-2022-50164

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: iwlwifi: mvm: fix double list_add at iwl_mvm_mac_wake_tx_queue<br /> <br /> After successfull station association, if station queues are disabled for<br /> some reason, the related lists are not emptied. So if some new element is<br /> added to the list in iwl_mvm_mac_wake_tx_queue, it can match with the old<br /> one and produce a BUG like this:<br /> <br /> [ 46.535263] list_add corruption. prev-&gt;next should be next (ffff94c1c318a360), but was 0000000000000000. (prev=ffff94c1d02d3388).<br /> [ 46.535283] ------------[ cut here ]------------<br /> [ 46.535284] kernel BUG at lib/list_debug.c:26!<br /> [ 46.535290] invalid opcode: 0000 [#1] PREEMPT SMP PTI<br /> [ 46.585304] CPU: 0 PID: 623 Comm: wpa_supplicant Not tainted 5.19.0-rc3+ #1<br /> [ 46.592380] Hardware name: Dell Inc. Inspiron 660s/0478VN , BIOS A07 08/24/2012<br /> [ 46.600336] RIP: 0010:__list_add_valid.cold+0x3d/0x3f<br /> [ 46.605475] Code: f2 4c 89 c1 48 89 fe 48 c7 c7 c8 40 67 93 e8 20 cc fd ff 0f 0b 48 89 d1 4c 89 c6 4c 89 ca 48 c7 c7 70 40 67 93 e8 09 cc fd ff 0b 48 89 fe 48 c7 c7 00 41 67 93 e8 f8 cb fd ff 0f 0b 48 89 d1<br /> [ 46.624469] RSP: 0018:ffffb20800ab76d8 EFLAGS: 00010286<br /> [ 46.629854] RAX: 0000000000000075 RBX: ffff94c1c318a0e0 RCX: 0000000000000000<br /> [ 46.637105] RDX: 0000000000000201 RSI: ffffffff9365e100 RDI: 00000000ffffffff<br /> [ 46.644356] RBP: ffff94c1c5f43370 R08: 0000000000000075 R09: 3064316334396666<br /> [ 46.651607] R10: 3364323064316334 R11: 39666666663d7665 R12: ffff94c1c5f43388<br /> [ 46.658857] R13: ffff94c1d02d3388 R14: ffff94c1c318a360 R15: ffff94c1cf2289c0<br /> [ 46.666108] FS: 00007f65634ff7c0(0000) GS:ffff94c1da200000(0000) knlGS:0000000000000000<br /> [ 46.674331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 46.680170] CR2: 00007f7dfe984460 CR3: 000000010e894003 CR4: 00000000000606f0<br /> [ 46.687422] Call Trace:<br /> [ 46.689906] <br /> [ 46.691950] iwl_mvm_mac_wake_tx_queue+0xec/0x15c [iwlmvm]<br /> [ 46.697601] ieee80211_queue_skb+0x4b3/0x720 [mac80211]<br /> [ 46.702973] ? sta_info_get+0x46/0x60 [mac80211]<br /> [ 46.707703] ieee80211_tx+0xad/0x110 [mac80211]<br /> [ 46.712355] __ieee80211_tx_skb_tid_band+0x71/0x90 [mac80211]<br /> ...<br /> <br /> In order to avoid this problem, we must also remove the related lists when<br /> station queues are disabled.