Cyber Posture

CVE-2022-49519

Severity: High
Published: 26 February 2025
Modified: 21 October 2025
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (22.0th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

ath10k: skip ath10k_halt during suspend for driver state RESTARTING

Double free crash is observed when FW recovery (caused by wmi timeout/crash) is followed by immediate suspend event. The FW recovery is triggered by ath10k_core_restart() which calls driver clean up via ath10k_halt(). When the suspend event occurs between the FW recovery, the restart worker thread is put into frozen state until suspend completes. The suspend event triggers ath10k_stop() which again triggers ath10k_halt(). The double invocation of ath10k_halt() causes ath10k_htt_rx_free() to be called twice (Note: ath10k_htt_rx_alloc was not called by restart worker thread because of its frozen state), causing the crash.

To fix this, during the suspend flow, skip call to ath10k_halt() in ath10k_stop() when the current driver state is ATH10K_STATE_RESTARTING. Also, for driver state ATH10K_STATE_RESTARTING, call ath10k_wait_for_suspend() in ath10k_stop(). This is because call to ath10k_wait_for_suspend() is skipped later in [ath10k_halt() > ath10k_core_stop()] for the driver state ATH10K_STATE_RESTARTING. The frozen restart worker thread will be cancelled during resume when the device comes out of suspend.

Below is the crash stack for reference:

[ 428.469167] ------------[ cut here ]------------
[ 428.469180] kernel BUG at mm/slub.c:4150!
[ 428.469193] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 428.469219] Workqueue: events_unbound async_run_entry_fn
[ 428.469230] RIP: 0010:kfree+0x319/0x31b
[ 428.469241] RSP: 0018:ffffa1fac015fc30 EFLAGS: 00010246
[ 428.469247] RAX: ffffedb10419d108 RBX: ffff8c05262b0000
[ 428.469252] RDX: ffff8c04a8c07000 RSI: 0000000000000000
[ 428.469256] RBP: ffffa1fac015fc78 R08: 0000000000000000
[ 428.469276] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 428.469285] Call Trace:
[ 428.469295] ? dma_free_attrs+0x5f/0x7d
[ 428.469320] ath10k_core_stop+0x5b/0x6f
[ 428.469336] ath10k_halt+0x126/0x177
[ 428.469352] ath10k_stop+0x41/0x7e
[ 428.469387] drv_stop+0x88/0x10e
[ 428.469410] __ieee80211_suspend+0x297/0x411
[ 428.469441] rdev_suspend+0x6e/0xd0
[ 428.469462] wiphy_suspend+0xb1/0x105
[ 428.469483] ? name_show+0x2d/0x2d
[ 428.469490] dpm_run_callback+0x8c/0x126
[ 428.469511] ? name_show+0x2d/0x2d
[ 428.469517] __device_suspend+0x2e7/0x41b
[ 428.469523] async_suspend+0x1f/0x93
[ 428.469529] async_run_entry_fn+0x3d/0xd1
[ 428.469535] process_one_work+0x1b1/0x329
[ 428.469541] worker_thread+0x213/0x372
[ 428.469547] kthread+0x150/0x15f
[ 428.469552] ? pr_cont_work+0x58/0x58
[ 428.469558] ? kthread_blkcg+0x31/0x31

Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1

Security Summary

CVE-2022-49519 is a double free vulnerability in the ath10k Wi-Fi driver within the Linux kernel. The issue arises when firmware recovery, triggered by a WMI timeout or crash via ath10k_core_restart(), is immediately followed by a suspend event. This sequence causes ath10k_halt() to be invoked twice: once during recovery cleanup and again in ath10k_stop() during suspend. The restart worker thread is frozen for the duration of suspend, so it never reaches ath10k_htt_rx_alloc(); the second ath10k_halt() therefore calls ath10k_htt_rx_free() on buffers that were already freed and never reallocated, resulting in a kernel crash. The vulnerability is classified under CWE-415 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering firmware recovery on an ath10k-supported device, such as those using QCA6174 hardware, followed by initiating a system suspend. This requires physical or local access but low complexity and no user interaction. Successful exploitation causes a kernel panic due to the double free, as evidenced by the provided crash stack originating from kfree() in ath10k_core_stop() during suspend. While primarily manifesting as a denial of service via system crash, the double free nature could potentially enable further impact like memory corruption or code execution, aligning with the high confidentiality, integrity, and availability impacts in the CVSS score.

Kernel stable patches address the issue across multiple commits, including those at https://git.kernel.org/stable/c/5321e5211b5dc873e2e3d0deb749e69ecf4dbfe5 and others listed in references. The fixes skip ath10k_halt() during suspend when the driver state is ATH10K_STATE_RESTARTING and add ath10k_wait_for_suspend() calls in ath10k_stop() for that state. The frozen restart worker is canceled on resume. Security practitioners should apply these upstream patches to affected Linux kernel versions supporting ath10k hardware and test suspend/resume flows post-update, particularly on devices like QCA6174 hw3.2.
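As an added illustration, not code from this page or from the kernel: a small C model of the state sequence the summary describes, with a `fixed` flag switching between the pre-patch ath10k_stop() (which always calls ath10k_halt()) and the patched logic (skip ath10k_halt() and call ath10k_wait_for_suspend() when the state is ATH10K_STATE_RESTARTING). The struct fields, the counters, the `fixed` flag and recovery_then_suspend() are constructed for the model; the second free is counted rather than performed.

```c
/* Constructed model of the CVE-2022-49519 sequence; not ath10k driver code.
 * Names mirror the driver's, but bodies are a simulation: a pointer tracks
 * whether the HTT RX ring exists, so a second free is counted, not performed. */
#include <stdbool.h>
#include <stdlib.h>

enum ath10k_state { ATH10K_STATE_OFF, ATH10K_STATE_ON, ATH10K_STATE_RESTARTING };

struct ath10k {
    enum ath10k_state state;
    void *rx_ring;      /* stands in for the buffers ath10k_htt_rx_alloc() owns */
    int double_frees;   /* frees issued while rx_ring was already gone */
    int suspend_waits;  /* times ath10k_wait_for_suspend() was reached */
};

static void ath10k_htt_rx_free(struct ath10k *ar)
{
    if (!ar->rx_ring) { ar->double_frees++; return; }  /* real driver: kfree() of freed memory */
    free(ar->rx_ring);
    ar->rx_ring = NULL;
}

/* Recovery clean-up; in the driver this runs from ath10k_core_restart(). */
static void ath10k_halt(struct ath10k *ar) { ath10k_htt_rx_free(ar); }
static void ath10k_wait_for_suspend(struct ath10k *ar) { ar->suspend_waits++; }

/* mac80211 stop callback reached from __ieee80211_suspend(); `fixed` selects
 * the RESTARTING check the upstream fix adds, as the summary describes it. */
static void ath10k_stop(struct ath10k *ar, bool fixed)
{
    if (ar->state == ATH10K_STATE_OFF)
        return;
    if (!fixed || ar->state != ATH10K_STATE_RESTARTING)
        ath10k_halt(ar);
    else
        ath10k_wait_for_suspend(ar);   /* core_stop() skips it when RESTARTING */
    ar->state = ATH10K_STATE_OFF;
}

/* FW recovery starts, the restart worker freezes right after ath10k_halt()
 * (before ath10k_htt_rx_alloc() runs), then suspend calls ath10k_stop(). */
struct ath10k recovery_then_suspend(bool fixed)
{
    struct ath10k ar = { ATH10K_STATE_ON, malloc(64), 0, 0 };
    ar.state = ATH10K_STATE_RESTARTING;   /* set by ath10k_core_restart() */
    ath10k_halt(&ar);                     /* first clean-up; worker then frozen */
    ath10k_stop(&ar, fixed);              /* suspend path */
    return ar;
}
```

Running the unpatched sequence yields one extra free of the already-released ring (the kfree() BUG in the stack above); the patched sequence yields none and instead records the ath10k_wait_for_suspend() call.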

Details

CWE(s)
CWE-415

Affected Products

linux
linux kernel
3.11 — 5.10.121 · 5.11 — 5.15.46 · 5.16 — 5.17.14

References