CVE-2022-48705 in Linux

Summary

by MITRE • 05/03/2024

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7921e: fix crash in chip reset fail

In case of a drv own failure in reset, we may need to run mac_reset several times. The sequence would trigger a system crash, as in the log below.

Because we do not re-enable/schedule "tx_napi" before disabling it again, the process would keep waiting for a state change in napi_disable(). To avoid the problem and keep the status synchronized for each run, goto final resource handling if drv own failed.

[ 5857.353423] mt7921e 0000:3b:00.0: driver own failed
[ 5858.433427] mt7921e 0000:3b:00.0: Timeout for driver own
[ 5859.633430] mt7921e 0000:3b:00.0: driver own failed
[ 5859.633444] ------------[ cut here ]------------
[ 5859.633446] WARNING: CPU: 6 at kernel/kthread.c:659 kthread_park+0x11d
[ 5859.633717] Workqueue: mt76 mt7921_mac_reset_work [mt7921_common]
[ 5859.633728] RIP: 0010:kthread_park+0x11d/0x150
[ 5859.633736] RSP: 0018:ffff8881b676fc68 EFLAGS: 00010202
......
[ 5859.633766] Call Trace:
[ 5859.633768]
[ 5859.633771] mt7921e_mac_reset+0x176/0x6f0 [mt7921e]
[ 5859.633778] mt7921_mac_reset_work+0x184/0x3a0 [mt7921_common]
[ 5859.633785] ? mt7921_mac_set_timing+0x520/0x520 [mt7921_common]
[ 5859.633794] ? __kasan_check_read+0x11/0x20
[ 5859.633802] process_one_work+0x7ee/0x1320
[ 5859.633810] worker_thread+0x53c/0x1240
[ 5859.633818] kthread+0x2b8/0x370
[ 5859.633824] ? process_one_work+0x1320/0x1320
[ 5859.633828] ? kthread_complete_and_exit+0x30/0x30
[ 5859.633834] ret_from_fork+0x1f/0x30
[ 5859.633842]


Analysis

by VulDB Data Team • 09/29/2025

CVE-2022-48705 is a bug in the Linux kernel's mt76 wireless driver, specifically in the mt7921e module for MediaTek MT7921 PCIe chips. When the driver fails to take ownership of the chip ("driver own") during a chip reset, the recovery logic re-runs the reset, and the second run hangs inside napi_disable() instead of completing, which takes the whole host down rather than just the wireless link. The root cause is incomplete cleanup on the driver-own error path: the reset routine returned early without restoring the state it had just torn down, so the next attempt found the tx NAPI context still disabled and waited for it forever. The practical impact is loss of wireless connectivity and of host stability on systems that use these chips.

Technically this is a state-management bug in the reset sequence, not a race: once driver own fails, the sequence that follows is deterministic. mt7921e_mac_reset() disables the driver's tx_napi context early in the reset and then tries to regain driver ownership of the chip; before the fix, a driver-own failure returned immediately, leaving tx_napi disabled. Because the recovery worker retries mac_reset, the next run calls napi_disable() on a NAPI context that was never re-enabled. napi_disable() claims the NAPI_STATE_SCHED bit and sleeps in a loop until it succeeds, and napi_enable() is what clears that bit, so a second napi_disable() with no intervening napi_enable() spins indefinitely. The WARNING in kthread_park() in the trace, raised from mt7921e_mac_reset(), is consistent with the same double-disable pattern applied to the driver's tx worker thread, which mt76 parks on reset. All of this runs in workqueue context, in mt7921_mac_reset_work() calling mt7921e_mac_reset(), so the stalled worker wedges the mt76 workqueue with it.

Operationally this goes beyond a dropped wireless link: the log in the summary shows the reset worker wedging, after which the host becomes unresponsive, so the outcome is a local denial of service of the whole system. The trigger is a driver-own timeout during chip reset, that is, a driver or firmware fault; nothing on this page describes a remote or attacker-controlled trigger, and the low EPSS score and absence of a KEV listing shown below are consistent with that. Any kernel that ships the mt7921e driver without the fix is exposed (the page does not list specific version ranges, so consult the distribution's advisory for the exact fixed releases), which covers laptops and other consumer and enterprise devices with MediaTek MT7921 wireless.

Mitigation is a kernel update carrying the upstream fix. The fix changes the error path of mt7921e_mac_reset(): instead of returning as soon as driver own fails, it jumps to the final resource-handling label, so tx_napi and the rest of the torn-down state are restored before the function returns and the next reset attempt starts from a consistent state. No workaround short of the patch is described on this page. Until patched kernels are rolled out, watch kernel logs for the messages in the summary ("driver own failed" and "Timeout for driver own" from mt7921e) and for WARNINGs in kthread_park() under mt7921_mac_reset_work: they precede the hang and identify hosts exposed to it. The issue is classified as CWE-691 (Insufficient Control Flow Management), which matches an error path that skips cleanup, and VulDB maps it to ATT&CK technique T1490; in practical terms the effect is a local denial of service.
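The following is an added userspace model of the failure described in the root-cause paragraph and of the goto-to-cleanup fix described above. It is illustration written for this page, not kernel or mt76 code: the NAPI bit positions, the struct dev layout, the driver_own() stub and the bounded spin in napi_disable() (the kernel's loop is unbounded) are all assumptions made so the hang becomes a detectable return value.

```c
/*
 * Userspace model of why a repeated mac_reset hangs in napi_disable() when
 * driver own fails, and why jumping to the final cleanup fixes it.
 * Added illustration, not kernel or mt76 code: the bit names, the struct
 * dev layout and the driver_own() stub are assumptions made for the model.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Two of the NAPI state bits. Real positions differ; only the protocol
 * matters: enable() clears SCHED, disable() must be the one to set SCHED. */
#define NAPI_STATE_SCHED   (1u << 0)
#define NAPI_STATE_DISABLE (1u << 1)

struct napi { unsigned state; };

/* test_and_set_bit() stand-in for a single-threaded model */
static bool test_and_set_bit(unsigned bit, unsigned *word)
{
	bool was_set = (*word & bit) != 0;
	*word |= bit;
	return was_set;
}

/* napi_enable(): hands SCHED back so the poller can be scheduled again */
static void napi_enable(struct napi *n)
{
	n->state &= ~NAPI_STATE_SCHED;
}

/*
 * napi_disable(): loops until it can claim SCHED. The kernel loop never
 * gives up (msleep(1) between tries); the model caps it and returns
 * -EDEADLK where the kernel would simply never return.
 */
static int napi_disable(struct napi *n)
{
	n->state |= NAPI_STATE_DISABLE;
	for (int spins = 0; test_and_set_bit(NAPI_STATE_SCHED, &n->state); spins++) {
		if (spins >= 1000)
			return -EDEADLK;	/* would hang forever in the kernel */
	}
	n->state &= ~NAPI_STATE_DISABLE;
	return 0;
}

/* Assumed device model: one tx_napi context plus a scripted driver-own result. */
struct dev {
	struct napi tx_napi;
	int drv_own_failures_left;	/* how many times driver_own() still fails */
};

/* Stand-in for the driver-own handshake; fails like "Timeout for driver own". */
static int driver_own(struct dev *d)
{
	if (d->drv_own_failures_left > 0) {
		d->drv_own_failures_left--;
		return -ETIMEDOUT;
	}
	return 0;
}

/* Shape of the reset before the fix: an early return leaves tx_napi disabled. */
static int mac_reset_before(struct dev *d)
{
	int err = napi_disable(&d->tx_napi);
	if (err)
		return err;		/* on the second run it never gets past here */
	err = driver_own(d);
	if (err)
		return err;		/* bug: tx_napi is not re-enabled */
	/* ... firmware reload and the rest of the reset would go here ... */
	napi_enable(&d->tx_napi);
	return 0;
}

/* Shape of the reset after the fix: every error path runs the final cleanup. */
static int mac_reset_after(struct dev *d)
{
	int err = napi_disable(&d->tx_napi);
	if (err)
		return err;
	err = driver_own(d);
	if (err)
		goto out;		/* fix: fall through to resource handling */
	/* ... firmware reload and the rest of the reset would go here ... */
out:
	napi_enable(&d->tx_napi);	/* state is consistent for the next run */
	return err;
}

struct run_result {
	int hung_at;	/* 1-based run that would hang in napi_disable(), 0 if none */
	int last_err;	/* return value of the last run that executed */
};

/* Re-run a reset routine the way the recovery worker does after failures. */
static struct run_result run_resets(int (*reset)(struct dev *),
				    int drv_own_failures, int runs)
{
	struct dev d = { .tx_napi = { 0 }, .drv_own_failures_left = drv_own_failures };
	struct run_result r = { 0, 0 };

	for (int i = 1; i <= runs; i++) {
		r.last_err = reset(&d);
		if (r.last_err == -EDEADLK) {
			r.hung_at = i;
			break;
		}
	}
	return r;
}

int main(void)
{
	struct run_result before = run_resets(mac_reset_before, 2, 3);
	struct run_result after = run_resets(mac_reset_after, 2, 3);

	printf("before fix: hung at run %d (last err %d)\n", before.hung_at, before.last_err);
	printf("after fix:  hung at run %d (last err %d)\n", after.hung_at, after.last_err);
	return 0;
}
```

With two scripted driver-own failures, the pre-fix routine completes its first run (returning the driver-own error) and then wedges on the second run's napi_disable(), exactly the "driver own failed" followed by a stuck reset worker seen in the log; the post-fix routine returns the same error twice, restores tx_napi each time, and succeeds on the third run. Note that with zero failures both versions behave identically, which is why the bug only surfaces on the error path.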

Reservation

05/03/2024

Disclosure

05/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00193

KEV

no

Activities

very low

Sources
