CVE-2022-49519 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

ath10k: skip ath10k_halt during suspend for driver state RESTARTING

Double free crash is observed when FW recovery (caused by wmi timeout/crash) is followed by an immediate suspend event. The FW recovery is triggered by ath10k_core_restart() which calls driver clean up via ath10k_halt(). When the suspend event occurs during the FW recovery, the restart worker thread is put into frozen state until suspend completes. The suspend event triggers ath10k_stop() which again triggers ath10k_halt(). The double invocation of ath10k_halt() causes ath10k_htt_rx_free() to be called twice (Note: ath10k_htt_rx_alloc was not called by restart worker thread because of its frozen state), causing the crash.

To fix this, during the suspend flow, skip the call to ath10k_halt() in ath10k_stop() when the current driver state is ATH10K_STATE_RESTARTING. Also, for driver state ATH10K_STATE_RESTARTING, call ath10k_wait_for_suspend() in ath10k_stop(). This is because the call to ath10k_wait_for_suspend() is skipped later in [ath10k_halt() > ath10k_core_stop()] for the driver state ATH10K_STATE_RESTARTING.

The frozen restart worker thread will be cancelled during resume when the device comes out of suspend.

Below is the crash stack for reference:

[ 428.469167] ------------[ cut here ]------------
[ 428.469180] kernel BUG at mm/slub.c:4150!
[ 428.469193] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 428.469219] Workqueue: events_unbound async_run_entry_fn
[ 428.469230] RIP: 0010:kfree+0x319/0x31b
[ 428.469241] RSP: 0018:ffffa1fac015fc30 EFLAGS: 00010246
[ 428.469247] RAX: ffffedb10419d108 RBX: ffff8c05262b0000
[ 428.469252] RDX: ffff8c04a8c07000 RSI: 0000000000000000
[ 428.469256] RBP: ffffa1fac015fc78 R08: 0000000000000000
[ 428.469276] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 428.469285] Call Trace:
[ 428.469295] ? dma_free_attrs+0x5f/0x7d
[ 428.469320] ath10k_core_stop+0x5b/0x6f
[ 428.469336] ath10k_halt+0x126/0x177
[ 428.469352] ath10k_stop+0x41/0x7e
[ 428.469387] drv_stop+0x88/0x10e
[ 428.469410] __ieee80211_suspend+0x297/0x411
[ 428.469441] rdev_suspend+0x6e/0xd0
[ 428.469462] wiphy_suspend+0xb1/0x105
[ 428.469483] ? name_show+0x2d/0x2d
[ 428.469490] dpm_run_callback+0x8c/0x126
[ 428.469511] ? name_show+0x2d/0x2d
[ 428.469517] __device_suspend+0x2e7/0x41b
[ 428.469523] async_suspend+0x1f/0x93
[ 428.469529] async_run_entry_fn+0x3d/0xd1
[ 428.469535] process_one_work+0x1b1/0x329
[ 428.469541] worker_thread+0x213/0x372
[ 428.469547] kthread+0x150/0x15f
[ 428.469552] ? pr_cont_work+0x58/0x58
[ 428.469558] ? kthread_blkcg+0x31/0x31

Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1


Analysis

by VulDB Data Team • 10/21/2025

CVE-2022-49519 is a double free in the ath10k wireless driver of the Linux kernel. It affects Qualcomm Atheros adapters driven by ath10k (the fix was tested on QCA6174 hw3.2 PCI) and is reached when a firmware recovery and a system suspend overlap: a WMI timeout or firmware crash triggers the driver's restart mechanism, and a suspend event arriving before the restart completes causes the teardown path to run a second time. The observed outcome is a kernel BUG() and crash, i.e. a denial of service; the page gives no evidence of anything beyond that.

The root cause is a missing driver-state check across two paths that share the same cleanup code. When firmware recovery starts, ath10k_core_restart() sets the state to ATH10K_STATE_RESTARTING and tears the device down via ath10k_halt(), whose ath10k_core_stop() step releases the HTT RX structures in ath10k_htt_rx_free(). Before the worker can re-allocate them, the suspend machinery freezes it, then calls ath10k_stop() through the mac80211 drv_stop() callback. ath10k_stop() unconditionally calls ath10k_halt() again, so ath10k_htt_rx_free() runs a second time on memory that is already freed. In the crash stack this surfaces as "kernel BUG at mm/slub.c:4150" inside kfree(): SLUB's sanity check fires BUG(), which on x86 is implemented with a ud2 instruction, hence the "invalid opcode" report. The trap is the kernel deliberately halting, not attacker-controlled code execution.

This vulnerability maps to CWE-415: Double Free, the class of memory safety issues where the same allocation is released twice, leading to undefined behaviour. The page also lists ATT&CK technique T1499.001, a sub-technique of T1499: Endpoint Denial of Service, because the realistic impact is a kernel crash. Operationally this matters for systems that suspend and resume often, such as laptops and embedded devices using QCA6174-class adapters: a firmware timeout or crash shortly before suspend is enough to panic the kernel. Note that the trigger needs two events to coincide (firmware recovery and suspend), so this is a race condition rather than something an attacker can invoke directly through normal wireless traffic, which is consistent with the low EPSS score below.

The fix adds a driver-state check to the suspend flow. When ath10k_stop() runs while the state is ATH10K_STATE_RESTARTING, it now skips ath10k_halt(), since the restart worker has already performed that teardown, and instead calls ath10k_wait_for_suspend() directly; that call is otherwise made inside ath10k_core_stop() but is skipped there for the RESTARTING state, so moving it into ath10k_stop() keeps the suspend handshake with the firmware intact. The frozen restart worker is cancelled on resume, so no second cleanup or re-allocation races with the suspended device. The result is that each resource is released exactly once regardless of which path reaches the device first, removing the double free and the kernel panic it caused.
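To make the race and the state guard concrete, below is a small userspace C model written for this page. It is not ath10k code: the function and state names follow the commit message (ATH10K_STATE_RESTARTING, ath10k_halt, ath10k_stop, ath10k_wait_for_suspend), but the bodies are stand-ins, the ATH10K_STATE_OFF/ON values and the single 4 KiB "RX ring" buffer are assumptions, and htt_rx_free() records a second release instead of performing it so the model stays defined behaviour. It runs the sequence from the advisory (recovery starts, worker freezes after halting, suspend calls stop) once with the pre-fix stop() and once with the post-fix stop().

```c
/*
 * Userspace model of the ath10k restart/suspend race behind
 * CVE-2022-49519. Illustrative example for this page, not driver code.
 * Names mirror the kernel commit message; bodies are stand-ins and
 * ATH10K_STATE_OFF/ON are assumed for the model.
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

enum ath10k_state {
    ATH10K_STATE_OFF,
    ATH10K_STATE_ON,
    ATH10K_STATE_RESTARTING,
};

struct ath10k {
    enum ath10k_state state;
    unsigned char *rx_ring;        /* stand-in for the HTT RX ring */
    bool rx_ring_freed;            /* has rx_ring already been released? */
    int double_frees;              /* in the kernel: BUG at mm/slub.c in kfree() */
    int wait_for_suspend_calls;    /* how often the suspend handshake ran */
};

/* Stand-in for ath10k_htt_rx_alloc(): allocate the RX ring. */
static void htt_rx_alloc(struct ath10k *ar)
{
    ar->rx_ring = malloc(4096);
    ar->rx_ring_freed = false;
}

/* Stand-in for ath10k_htt_rx_free(): a second release is counted, not done. */
static void htt_rx_free(struct ath10k *ar)
{
    if (ar->rx_ring_freed) {
        ar->double_frees++;
        return;
    }
    free(ar->rx_ring);
    ar->rx_ring = NULL;
    ar->rx_ring_freed = true;
}

/* ath10k_halt() -> ath10k_core_stop() -> ath10k_htt_rx_free(), collapsed. */
static void ath10k_halt(struct ath10k *ar)
{
    htt_rx_free(ar);
}

/* Stand-in for ath10k_wait_for_suspend(): only counted in this model. */
static void ath10k_wait_for_suspend(struct ath10k *ar)
{
    ar->wait_for_suspend_calls++;
}

/*
 * First half of the restart worker (ath10k_core_restart): mark the device
 * as restarting and tear it down. In the bug scenario the worker is frozen
 * right here, before it can re-allocate anything.
 */
static void restart_worker_until_frozen(struct ath10k *ar)
{
    ar->state = ATH10K_STATE_RESTARTING;
    ath10k_halt(ar);
}

/* Pre-fix ath10k_stop(): always halts, whatever the current state. */
static void ath10k_stop_unfixed(struct ath10k *ar)
{
    ath10k_halt(ar);
    ar->state = ATH10K_STATE_OFF;
}

/* Post-fix ath10k_stop(): skip the halt while a restart is in flight. */
static void ath10k_stop_fixed(struct ath10k *ar)
{
    if (ar->state == ATH10K_STATE_RESTARTING)
        ath10k_wait_for_suspend(ar);   /* teardown already done by the worker */
    else
        ath10k_halt(ar);
    ar->state = ATH10K_STATE_OFF;
}

/* Recovery begins, the worker freezes, then suspend calls ath10k_stop(). */
static struct ath10k run_suspend_during_restart(bool fixed)
{
    struct ath10k ar = { .state = ATH10K_STATE_OFF };

    htt_rx_alloc(&ar);
    ar.state = ATH10K_STATE_ON;

    restart_worker_until_frozen(&ar);  /* wmi timeout/crash -> FW recovery */
    if (fixed)
        ath10k_stop_fixed(&ar);        /* suspend path with the fix */
    else
        ath10k_stop_unfixed(&ar);      /* suspend path before the fix */

    /* resume would cancel the frozen worker; nothing is left to free here */
    return ar;
}

int main(void)
{
    printf("pre-fix  stop(): %d double free(s)\n",
           run_suspend_during_restart(false).double_frees);
    printf("post-fix stop(): %d double free(s)\n",
           run_suspend_during_restart(true).double_frees);
    return 0;
}
```

The point the model makes is that the guard belongs in the second caller, not in the shared teardown: ath10k_halt() has no way to know who already ran it, whereas ath10k_stop() can read the driver state and both skip the redundant halt and supply the ath10k_wait_for_suspend() call that the RESTARTING state would otherwise lose.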

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00260

KEV

no

Activities

very low
