ghsa-qx85-gr6x-6vqf
Vulnerability from github
Published
2025-06-18 12:30
Modified
2025-06-18 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

ath11k: fix netdev open race

Make sure to allocate resources needed before registering the device.

This specifically avoids having a racing open() trigger a BUG_ON() in mod_timer() when ath11k_mac_op_start() is called before the mon_reap_timer as been set up.

I did not see this issue with next-20220310, but I hit it on every probe with next-20220511. Perhaps some timing changed in between.

Here's the backtrace:

[ 51.346947] kernel BUG at kernel/time/timer.c:990! [ 51.346958] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ... [ 51.578225] Call trace: [ 51.583293] __mod_timer+0x298/0x390 [ 51.589518] mod_timer+0x14/0x20 [ 51.595368] ath11k_mac_op_start+0x41c/0x4a0 [ath11k] [ 51.603165] drv_start+0x38/0x60 [mac80211] [ 51.610110] ieee80211_do_open+0x29c/0x7d0 [mac80211] [ 51.617945] ieee80211_open+0x60/0xb0 [mac80211] [ 51.625311] __dev_open+0x100/0x1c0 [ 51.631420] __dev_change_flags+0x194/0x210 [ 51.638214] dev_change_flags+0x24/0x70 [ 51.644646] do_setlink+0x228/0xdb0 [ 51.650723] __rtnl_newlink+0x460/0x830 [ 51.657162] rtnl_newlink+0x4c/0x80 [ 51.663229] rtnetlink_rcv_msg+0x124/0x390 [ 51.669917] netlink_rcv_skb+0x58/0x130 [ 51.676314] rtnetlink_rcv+0x18/0x30 [ 51.682460] netlink_unicast+0x250/0x310 [ 51.688960] netlink_sendmsg+0x19c/0x3e0 [ 51.695458] _syssendmsg+0x220/0x290 [ 51.701938] _sys_sendmsg+0x7c/0xc0 [ 51.708148] __sys_sendmsg+0x68/0xd0 [ 51.714254] __arm64_sys_sendmsg+0x28/0x40 [ 51.720900] invoke_syscall+0x48/0x120

Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50187"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:49Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: fix netdev open race\n\nMake sure to allocate resources needed before registering the device.\n\nThis specifically avoids having a racing open() trigger a BUG_ON() in\nmod_timer() when ath11k_mac_op_start() is called before the\nmon_reap_timer as been set up.\n\nI did not see this issue with next-20220310, but I hit it on every probe\nwith next-20220511. Perhaps some timing changed in between.\n\nHere\u0027s the backtrace:\n\n[   51.346947] kernel BUG at kernel/time/timer.c:990!\n[   51.346958] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n...\n[   51.578225] Call trace:\n[   51.583293]  __mod_timer+0x298/0x390\n[   51.589518]  mod_timer+0x14/0x20\n[   51.595368]  ath11k_mac_op_start+0x41c/0x4a0 [ath11k]\n[   51.603165]  drv_start+0x38/0x60 [mac80211]\n[   51.610110]  ieee80211_do_open+0x29c/0x7d0 [mac80211]\n[   51.617945]  ieee80211_open+0x60/0xb0 [mac80211]\n[   51.625311]  __dev_open+0x100/0x1c0\n[   51.631420]  __dev_change_flags+0x194/0x210\n[   51.638214]  dev_change_flags+0x24/0x70\n[   51.644646]  do_setlink+0x228/0xdb0\n[   51.650723]  __rtnl_newlink+0x460/0x830\n[   51.657162]  rtnl_newlink+0x4c/0x80\n[   51.663229]  rtnetlink_rcv_msg+0x124/0x390\n[   51.669917]  netlink_rcv_skb+0x58/0x130\n[   51.676314]  rtnetlink_rcv+0x18/0x30\n[   51.682460]  netlink_unicast+0x250/0x310\n[   51.688960]  netlink_sendmsg+0x19c/0x3e0\n[   51.695458]  ____sys_sendmsg+0x220/0x290\n[   51.701938]  ___sys_sendmsg+0x7c/0xc0\n[   51.708148]  __sys_sendmsg+0x68/0xd0\n[   51.714254]  __arm64_sys_sendmsg+0x28/0x40\n[   51.720900]  invoke_syscall+0x48/0x120\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3",
  "id": "GHSA-qx85-gr6x-6vqf",
  "modified": "2025-06-18T12:30:54Z",
  "published": "2025-06-18T12:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50187"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/307ce58270b3b50ca21cfcc910568429b06803f7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a2c45f8c3d18269e641f0c7da2dde47ef8414034"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/abb7dc8fbb27c15dcc927df56190f3c5ede58bd5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d4ba1ff87b17e81686ada8f429300876f55f95ad"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eaff3946a86fc63280a30158a4ae1e141449817c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.