ghsa-4655-978p-cp8q
Vulnerability from github
Published
2025-06-18 12:30
Modified
2025-06-18 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: start MHI channel after endpoit creation

MHI channel may generates event/interrupt right after enabling. It may leads to 2 race conditions issues.

1) Such event may be dropped by qcom_mhi_qrtr_dl_callback() at check:

if (!qdev || mhi_res->transaction_status)
    return;

Because dev_set_drvdata(&mhi_dev->dev, qdev) may be not performed at this moment. In this situation qrtr-ns will be unable to enumerate services in device.

2) Such event may come at the moment after dev_set_drvdata() and before qrtr_endpoint_register(). In this case kernel will panic with accessing wrong pointer at qcom_mhi_qrtr_dl_callback():

rc = qrtr_endpoint_post(&qdev->ep, mhi_res->buf_addr,
            mhi_res->bytes_xferd);

Because endpoint is not created yet.

So move mhi_prepare_for_transfer_autoqueue after endpoint creation to fix it.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50044"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:32Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: start MHI channel after endpoit creation\n\nMHI channel may generates event/interrupt right after enabling.\nIt may leads to 2 race conditions issues.\n\n1)\nSuch event may be dropped by qcom_mhi_qrtr_dl_callback() at check:\n\n\tif (!qdev || mhi_res-\u003etransaction_status)\n\t\treturn;\n\nBecause dev_set_drvdata(\u0026mhi_dev-\u003edev, qdev) may be not performed at\nthis moment. In this situation qrtr-ns will be unable to enumerate\nservices in device.\n---------------------------------------------------------------\n\n2)\nSuch event may come at the moment after dev_set_drvdata() and\nbefore qrtr_endpoint_register(). In this case kernel will panic with\naccessing wrong pointer at qcom_mhi_qrtr_dl_callback():\n\n\trc = qrtr_endpoint_post(\u0026qdev-\u003eep, mhi_res-\u003ebuf_addr,\n\t\t\t\tmhi_res-\u003ebytes_xferd);\n\nBecause endpoint is not created yet.\n--------------------------------------------------------------\nSo move mhi_prepare_for_transfer_autoqueue after endpoint creation\nto fix it.",
  "id": "GHSA-4655-978p-cp8q",
  "modified": "2025-06-18T12:30:44Z",
  "published": "2025-06-18T12:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50044"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/68a838b84effb7b57ba7d50b1863fc6ae35a54ce"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a1a75f78a2937567946b1b756f82462874b5ca20"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c682fb70a7dfc25b848a4ff3a385b0471b470606"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.