From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2022-50150: mwifiex: fix sleep in atomic context bugs caused by dev_coredumpv
Date: Wed, 18 Jun 2025 13:03:35 +0200
Message-ID: <2025061821-CVE-2022-50150-e69a@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

mwifiex: fix sleep in atomic context bugs caused by dev_coredumpv

There are sleep in atomic context bugs when uploading device dump
data in mwifiex. The root cause is that dev_coredumpv could not
be used in atomic contexts, because it calls dev_set_name, which
includes operations that may sleep.

The call tree shows the execution paths that could lead to the bugs:

(Interrupt context)
fw_dump_timer_fn
  mwifiex_upload_device_dump
    dev_coredumpv(..., GFP_KERNEL)
      dev_coredumpm()
        kzalloc(sizeof(*devcd), gfp); //may sleep
        dev_set_name
          kobject_set_name_vargs
            kvasprintf_const(GFP_KERNEL, ...); //may sleep
              kstrdup(s, GFP_KERNEL); //may sleep

The corresponding fail log is shown below:

[  135.275938] usb 1-1: == mwifiex dump information to /sys/class/devcoredump start
[  135.281029] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:265
...
[  135.293613] Call Trace:
[  135.293613]
[  135.293613]  dump_stack_lvl+0x57/0x7d
[  135.293613]  __might_resched.cold+0x138/0x173
[  135.293613]  ? dev_coredumpm+0xca/0x2e0
[  135.293613]  kmem_cache_alloc_trace+0x189/0x1f0
[  135.293613]  ? devcd_match_failing+0x30/0x30
[  135.293613]  dev_coredumpm+0xca/0x2e0
[  135.293613]  ? devcd_freev+0x10/0x10
[  135.293613]  dev_coredumpv+0x1c/0x20
[  135.293613]  ? devcd_match_failing+0x30/0x30
[  135.293613]  mwifiex_upload_device_dump+0x65/0xb0
[  135.293613]  ? mwifiex_dnld_fw+0x1b0/0x1b0
[  135.293613]  call_timer_fn+0x122/0x3d0
[  135.293613]  ? msleep_interruptible+0xb0/0xb0
[  135.293613]  ? lock_downgrade+0x3c0/0x3c0
[  135.293613]  ? __next_timer_interrupt+0x13c/0x160
[  135.293613]  ? lockdep_hardirqs_on_prepare+0xe/0x220
[  135.293613]  ? mwifiex_dnld_fw+0x1b0/0x1b0
[  135.293613]  __run_timers.part.0+0x3f8/0x540
[  135.293613]  ? call_timer_fn+0x3d0/0x3d0
[  135.293613]  ? arch_restore_msi_irqs+0x10/0x10
[  135.293613]  ? lapic_next_event+0x31/0x40
[  135.293613]  run_timer_softirq+0x4f/0xb0
[  135.293613]  __do_softirq+0x1c2/0x651
...
[  135.293613] RIP: 0010:default_idle+0xb/0x10
[  135.293613] RSP: 0018:ffff888006317e68 EFLAGS: 00000246
[  135.293613] RAX: ffffffff82ad8d10 RBX: ffff888006301cc0 RCX: ffffffff82ac90e1
[  135.293613] RDX: ffffed100d9ff1b4 RSI: ffffffff831ad140 RDI: ffffffff82ad8f20
[  135.293613] RBP: 0000000000000003 R08: 0000000000000000 R09: ffff88806cff8d9b
[  135.293613] R10: ffffed100d9ff1b3 R11: 0000000000000001 R12: ffffffff84593410
[  135.293613] R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff11000c62fd2
...
[  135.389205] usb 1-1: == mwifiex dump information to /sys/class/devcoredump end

This patch uses delayed work to replace the timer and moves the
operations that may sleep into a delayed work in order to mitigate
the bugs. It was tested on a Marvell 88W8801 chip whose port is USB
and whose firmware is usb8801_uapsta.bin.

The following is the result after using delayed work to replace the timer.
[  134.936453] usb 1-1: == mwifiex dump information to /sys/class/devcoredump start
[  135.043344] usb 1-1: == mwifiex dump information to /sys/class/devcoredump end

As we can see, there is no bug now.

The Linux kernel CVE team has assigned CVE-2022-50150 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.16 with commit f5ecd02a8b20f900701d6809a3ea5f12e5c87de8 and fixed in 5.10.137 with commit 956b79c2066551845d7124b01c5845d02ccf47a1
	Issue introduced in 4.16 with commit f5ecd02a8b20f900701d6809a3ea5f12e5c87de8 and fixed in 5.15.61 with commit a78b882c1a9feda10821a25201a0464674f8209e
	Issue introduced in 4.16 with commit f5ecd02a8b20f900701d6809a3ea5f12e5c87de8 and fixed in 5.18.18 with commit 938139aef61bff52a154c68553fbaabd6924737f
	Issue introduced in 4.16 with commit f5ecd02a8b20f900701d6809a3ea5f12e5c87de8 and fixed in 5.19.2 with commit c8e8b8b9f23a0c68855ecfc756b96be6c9946ec1
	Issue introduced in 4.16 with commit f5ecd02a8b20f900701d6809a3ea5f12e5c87de8 and fixed in 6.0 with commit a52ed4866d2b90dd5e4ae9dabd453f3ed8fa3cbc

Please see https://www.kernel.org for a full list of the kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-50150
will be updated if fixes are backported; please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/net/wireless/marvell/mwifiex/init.c
	drivers/net/wireless/marvell/mwifiex/main.h
	drivers/net/wireless/marvell/mwifiex/sta_event.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/956b79c2066551845d7124b01c5845d02ccf47a1
	https://git.kernel.org/stable/c/a78b882c1a9feda10821a25201a0464674f8209e
	https://git.kernel.org/stable/c/938139aef61bff52a154c68553fbaabd6924737f
	https://git.kernel.org/stable/c/c8e8b8b9f23a0c68855ecfc756b96be6c9946ec1
	https://git.kernel.org/stable/c/a52ed4866d2b90dd5e4ae9dabd453f3ed8fa3cbc
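To make the context distinction at the heart of this CVE concrete, the following is a user-space C model added here as an illustration; it is not mwifiex code and not the kernel's own implementation. It mimics the CONFIG_DEBUG_ATOMIC_SLEEP check that produced the "BUG: sleeping function called from invalid context" splat above (might_sleep() is only legal in process context) and replays the commit's call tree twice: once from a timer callback, which the kernel runs in softirq context via run_timer_softirq, and once from a delayed work item executed by a worker thread in process context. Every model_ name, the ctx enum and the constructed dump buffer are this example's own assumptions; the real kernel tracks the context through preempt_count(), not a global variable.

```c
#include <stdio.h>
#include <stdlib.h>

/* Context the current task runs in; the kernel derives this from preempt_count(). */
enum ctx { CTX_PROCESS, CTX_SOFTIRQ };

static enum ctx current_ctx = CTX_PROCESS;
static int sleep_in_atomic_bugs;   /* might_sleep() violations seen in the current run */
static char last_bug_site[80];     /* site of the most recent violation, for the report */

/* Model of might_sleep(): a sleeping primitive is only legal in process context. */
static void model_might_sleep(const char *site)
{
    if (current_ctx != CTX_PROCESS) {
        sleep_in_atomic_bugs++;
        snprintf(last_bug_site, sizeof last_bug_site, "%s", site);
        fprintf(stderr, "BUG: sleeping function called from invalid context at %s\n", site);
    }
}

/* Model of kzalloc(): a GFP_KERNEL allocation may sleep while reclaiming memory. */
static void *model_kzalloc(size_t size, int gfp_may_sleep)
{
    if (gfp_may_sleep)
        model_might_sleep("kzalloc(GFP_KERNEL)");
    return calloc(1, size);
}

/* Model of dev_coredumpv(): allocate the devcd object, then name its device.
 * Both steps use GFP_KERNEL, which is exactly what the call tree in the commit shows. */
static void model_dev_coredumpv(const void *data, size_t len)
{
    void *devcd = model_kzalloc(64, 1);                        /* dev_coredumpm() */
    model_might_sleep("dev_set_name -> kstrdup(GFP_KERNEL)");  /* kobject_set_name_vargs() */
    (void)data; (void)len;                                     /* dump contents are irrelevant here */
    free(devcd);
}

/* Constructed stand-in for the firmware dump; the bytes do not matter for the check. */
static const unsigned char fake_dump[16] = { 0 };

/* The driver's upload routine; the caller decides which context it runs in. */
static void model_upload_device_dump(void)
{
    model_dev_coredumpv(fake_dump, sizeof fake_dump);
}

/* Minimal delayed-work model: queuing never sleeps, execution happens in a worker. */
struct model_delayed_work { void (*func)(void); int pending; };

static void model_schedule_delayed_work(struct model_delayed_work *w)
{
    w->pending = 1;              /* safe from timer/IRQ context: no allocation, no sleeping */
}

static void model_run_worker(struct model_delayed_work *w)
{
    current_ctx = CTX_PROCESS;   /* kworker threads run work functions in process context */
    if (w->pending) {
        w->pending = 0;
        w->func();
    }
}

/* Before the fix: fw_dump_timer_fn uploads directly. Timers run from
 * run_timer_softirq, so the whole upload executes in softirq context. */
int run_via_timer(void)
{
    sleep_in_atomic_bugs = 0;
    current_ctx = CTX_SOFTIRQ;
    model_upload_device_dump();
    current_ctx = CTX_PROCESS;
    return sleep_in_atomic_bugs;   /* 2: the kzalloc and the dev_set_name path */
}

/* After the fix: the atomic-context path only queues the work; the upload,
 * with its GFP_KERNEL allocations, runs later from a worker thread. */
int run_via_delayed_work(void)
{
    struct model_delayed_work work = { model_upload_device_dump, 0 };

    sleep_in_atomic_bugs = 0;
    current_ctx = CTX_SOFTIRQ;
    model_schedule_delayed_work(&work);
    model_run_worker(&work);
    return sleep_in_atomic_bugs;   /* 0: every sleeping call now happens in process context */
}

int main(void)
{
    int bugs = run_via_timer();
    printf("timer callback: %d sleep-in-atomic bug(s), last at %s\n", bugs, last_bug_site);
    printf("delayed work:   %d sleep-in-atomic bug(s)\n", run_via_delayed_work());
    return 0;
}
```

The practical takeaway is the same one the trace teaches: the offending frames (call_timer_fn, __run_timers, run_timer_softirq, __do_softirq) identify the context, and any GFP_KERNEL allocation or other might_sleep() user reached from such a frame is a bug regardless of whether it happens to trip at runtime. Test kernels built with CONFIG_DEBUG_ATOMIC_SLEEP (and lockdep) surface this class deterministically, which is what produced the __might_resched splat in the report.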