CVE-2022-49130

In the Linux kernel, the following vulnerability has been resolved:

ath11k: mhi: use mhisyncpower_up()

If amss.bin was missing ath11k would crash during 'rmmod ath11kpci'. The reason for that was that we were using mhiasyncpowerup() which does not check any errors. But mhisyncpower_up() on the other hand does check for errors so let's use that to fix the crash.

I was not able to find a reason why an async version was used. ath11kmhistart() (which enables state ATH11KMHIPOWERON) is called from ath11khifpowerup(), which can sleep. So sync version should be safe to use here.

[ 145.569731] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP DEBUGPAGEALLOC KASAN PTI [ 145.569789] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 145.569843] CPU: 2 PID: 1628 Comm: rmmod Kdump: loaded Tainted: G W 5.16.0-wt-ath+ #567 [ 145.569898] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021 [ 145.569956] RIP: 0010:ath11khalsrngaccessbegin+0xb5/0x2b0 [ath11k] [ 145.570028] Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ec 01 00 00 48 8b ab a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <0f> b6 14 02 48 89 e8 83 e0 07 83 c0 03 45 85 ed 75 48 38 d0 7c 08 [ 145.570089] RSP: 0018:ffffc900025d7ac0 EFLAGS: 00010246 [ 145.570144] RAX: dffffc0000000000 RBX: ffff88814fca2dd8 RCX: 1ffffffff50cb455 [ 145.570196] RDX: 0000000000000000 RSI: ffff88814fca2dd8 RDI: ffff88814fca2e80 [ 145.570252] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffa8659497 [ 145.570329] R10: fffffbfff50cb292 R11: 0000000000000001 R12: ffff88814fca0000 [ 145.570410] R13: 0000000000000000 R14: ffff88814fca2798 R15: ffff88814fca2dd8 [ 145.570465] FS: 00007fa399988540(0000) GS:ffff888233e00000(0000) knlGS:0000000000000000 [ 145.570519] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 145.570571] CR2: 00007fa399b51421 CR3: 0000000137898002 CR4: 00000000003706e0 [ 145.570623] Call Trace: [ 145.570675] <TASK> [ 145.570727] ? ath11kcetxprocesscb+0x34b/0x860 [ath11k] [ 145.570797] ath11kcetxprocesscb+0x356/0x860 [ath11k] [ 145.570864] ? taskletinit+0x150/0x150 [ 145.570919] ? ath11kceallocpipes+0x280/0x280 [ath11k] [ 145.570986] ? taskletclearsched+0x42/0xe0 [ 145.571042] ? taskletkill+0xe9/0x1b0 [ 145.571095] ? taskletclearsched+0xe0/0xe0 [ 145.571148] ? irqhasaction+0x120/0x120 [ 145.571202] ath11kcecleanuppipes+0x45a/0x580 [ath11k] [ 145.571270] ? ath11kpcistop+0x10e/0x170 [ath11kpci] [ 145.571345] ath11kcorestop+0x8a/0xc0 [ath11k] [ 145.571434] ath11kcoredeinit+0x9e/0x150 [ath11k] [ 145.571499] ath11kpciremove+0xd2/0x260 [ath11kpci] [ 145.571553] pcideviceremove+0x9a/0x1c0 [ 145.571605] _devicereleasedriver+0x332/0x660 [ 145.571659] driverdetach+0x1e7/0x2c0 [ 145.571712] busremovedriver+0xe2/0x2d0 [ 145.571772] pciunregisterdriver+0x21/0x250 [ 145.571826] _dosysdeletemodule+0x30a/0x4b0 [ 145.571879] ? freemodule+0xac0/0xac0 [ 145.571933] ? lockdephardirqsonprepare.part.0+0x18c/0x370 [ 145.571986] ? syscallenterfromusermode+0x1d/0x50 [ 145.572039] ? lockdephardirqson+0x79/0x100 [ 145.572097] dosyscall64+0x3b/0x90 [ 145.572153] entrySYSCALL64after_hwframe+0x44/0xae

Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPLV1V2SILICONZLITE-2