In the Linux kernel, the following vulnerability has been resolved:
ath11k: fix the warning of dev_wake in mhi_pm_disable_transition()
When testing device recovery with the commands below, the following warning appears in the kernel log:

echo assert > /sys/kernel/debug/ath11k/wcn6855\ hw2.0/simulate_fw_crash
echo assert > /sys/kernel/debug/ath11k/qca6390\ hw2.0/simulate_fw_crash
warning message:
[ 1965.642121] ath11k_pci 0000:06:00.0: simulating firmware assert crash
[ 1968.471364] ieee80211 phy0: Hardware restart was requested
[ 1968.511305] ------------[ cut here ]------------
[ 1968.511368] WARNING: CPU: 3 PID: 1546 at drivers/bus/mhi/core/pm.c:505 mhi_pm_disable_transition+0xb37/0xda0 [mhi]
[ 1968.511443] Modules linked in: ath11k_pci ath11k mac80211 libarc4 cfg80211 qmi_helpers qrtr_mhi mhi qrtr nvme nvme_core
[ 1968.511563] CPU: 3 PID: 1546 Comm: kworker/u17:0 Kdump: loaded Tainted: G W 5.17.0-rc3-wt-ath+ #579
[ 1968.511629] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021
[ 1968.511704] Workqueue: mhi_hiprio_wq mhi_pm_st_worker [mhi]
[ 1968.511787] RIP: 0010:mhi_pm_disable_transition+0xb37/0xda0 [mhi]
[ 1968.511870] Code: a9 fe ff ff 4c 89 ff 44 89 04 24 e8 03 46 f6 e5 44 8b 04 24 41 83 f8 01 0f 84 21 fe ff ff e9 4c fd ff ff 0f 0b e9 af f8 ff ff <0f> 0b e9 5c f8 ff ff 48 89 df e8 da 9e ee e3 e9 12 fd ff ff 4c 89
[ 1968.511923] RSP: 0018:ffffc900024efbf0 EFLAGS: 00010286
[ 1968.511969] RAX: 00000000ffffffff RBX: ffff88811d241250 RCX: ffffffffc0176922
[ 1968.512014] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888118a90a24
[ 1968.512059] RBP: ffff888118a90800 R08: 0000000000000000 R09: ffff888118a90a27
[ 1968.512102] R10: ffffed1023152144 R11: 0000000000000001 R12: ffff888118a908ac
[ 1968.512229] R13: ffff888118a90928 R14: dffffc0000000000 R15: ffff888118a90a24
[ 1968.512310] FS:  0000000000000000(0000) GS:ffff888234200000(0000) knlGS:0000000000000000
[ 1968.512405] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1968.512493] CR2: 00007f5538f443a8 CR3: 000000016dc28001 CR4: 00000000003706e0
[ 1968.512587] Call Trace:
[ 1968.512672]  <TASK>
[ 1968.512751]  ? _raw_spin_unlock_irq+0x1f/0x40
[ 1968.512859]  mhi_pm_st_worker+0x3ac/0x790 [mhi]
[ 1968.512959]  ? mhi_pm_mission_mode_transition.isra.0+0x7d0/0x7d0 [mhi]
[ 1968.513063]  process_one_work+0x86a/0x1400
[ 1968.513184]  ? pwq_dec_nr_in_flight+0x230/0x230
[ 1968.513312]  ? move_linked_works+0x125/0x290
[ 1968.513416]  worker_thread+0x6db/0xf60
[ 1968.513536]  ? process_one_work+0x1400/0x1400
[ 1968.513627]  kthread+0x241/0x2d0
[ 1968.513733]  ? kthread_complete_and_exit+0x20/0x20
[ 1968.513821]  ret_from_fork+0x22/0x30
[ 1968.513924]  </TASK>
The reason is that mhi_deassert_dev_wake() from mhi_device_put() is called, but mhi_assert_dev_wake() from __mhi_device_get_sync() is not called while recovery is in progress. Commit 8e0559921f9a ("bus: mhi: core: Skip device wake in error or shutdown state") added a check of the MHI pm_state in __mhi_device_get_sync(), and pm_state is not the normal state until recovery is completed, so dev_wake is not 0 and the above warning is printed in mhi_pm_disable_transition() while checking mhi_cntrl->dev_wake.
Add a check in ath11k_pci_write32()/ath11k_pci_read32() to skip the call to mhi_device_put() if mhi_device_get_sync() did not actually do the wake; then the warning is gone.
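The imbalance described above is easiest to see in a small model of the wake accounting. The C below is an added illustration, not the ath11k or MHI code itself: `model_device_get_sync()` stands in for `__mhi_device_get_sync()` refusing to assert the wake while `pm_state` is not normal, `model_device_put()` for the unconditional `mhi_device_put()`, and the two `model_read32_*` functions show the register-access pattern before and after the fix. All `model_*` names, the register values and the `-EIO` return are constructed assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not kernel code) of the two pieces of MHI state the
 * commit message talks about: the controller's pm_state and dev_wake. */
enum model_pm_state {
    MODEL_PM_M0,        /* normal: the device may be woken */
    MODEL_PM_SYS_ERR,   /* firmware asserted, recovery in progress */
};

struct model_mhi_ctrl {
    enum model_pm_state pm_state;
    int dev_wake;       /* outstanding wake votes; the WARN fires if != 0 */
};

/* Models __mhi_device_get_sync() after commit 8e0559921f9a: outside the
 * normal state it returns an error and does NOT touch dev_wake. */
static int model_device_get_sync(struct model_mhi_ctrl *c)
{
    if (c->pm_state != MODEL_PM_M0)
        return -EIO;    /* constructed stand-in for the skipped-wake error */
    c->dev_wake++;
    return 0;
}

/* Models mhi_device_put(): always drops one wake vote. */
static void model_device_put(struct model_mhi_ctrl *c)
{
    c->dev_wake--;
}

/* Register read as it behaved before the fix: put() is paired with the
 * get() call itself, even when get() failed and asserted nothing. */
static uint32_t model_read32_before(struct model_mhi_ctrl *c, uint32_t reg)
{
    model_device_get_sync(c);
    uint32_t val = reg ^ 0xdeadbeefu;   /* constructed stand-in for MMIO */
    model_device_put(c);
    return val;
}

/* Register read as the fix structures it: keep get()'s return value and
 * only put() when the wake was really taken. */
static uint32_t model_read32_after(struct model_mhi_ctrl *c, uint32_t reg)
{
    int ret = model_device_get_sync(c);
    uint32_t val = reg ^ 0xdeadbeefu;
    if (!ret)
        model_device_put(c);
    return val;
}

/* Models the check in mhi_pm_disable_transition(): true means the
 * WARNING in the log above would fire. */
static bool model_disable_transition_warns(const struct model_mhi_ctrl *c)
{
    return c->dev_wake != 0;
}

/* One recovery cycle: a healthy access, a simulated firmware crash, then
 * register accesses while pm_state is still not M0. Returns dev_wake as
 * the PM worker would find it at teardown. */
static int model_recovery_dev_wake(bool fixed)
{
    struct model_mhi_ctrl c = { .pm_state = MODEL_PM_M0, .dev_wake = 0 };
    uint32_t (*read32)(struct model_mhi_ctrl *, uint32_t) =
        fixed ? model_read32_after : model_read32_before;

    read32(&c, 0x1000);             /* normal operation: get/put balance */
    c.pm_state = MODEL_PM_SYS_ERR;  /* simulate_fw_crash */
    read32(&c, 0x1000);             /* accesses during recovery */
    read32(&c, 0x1004);
    return c.dev_wake;
}

static bool model_recovery_warns(bool fixed)
{
    struct model_mhi_ctrl c = { .pm_state = MODEL_PM_SYS_ERR,
                                .dev_wake = model_recovery_dev_wake(fixed) };
    return model_disable_transition_warns(&c);
}

int main(void)
{
    printf("before fix: dev_wake=%d warns=%d\n",
           model_recovery_dev_wake(false), model_recovery_warns(false));
    printf("after fix:  dev_wake=%d warns=%d\n",
           model_recovery_dev_wake(true), model_recovery_warns(true));
    return 0;
}
```

The point of the model is the asymmetry: once the acquire side can decline, the release side must be conditioned on the acquire's result rather than on the fact that it was attempted, which is exactly what threading `ret` from `mhi_device_get_sync()` into the `mhi_device_put()` call does.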
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPLV1_V2_SILICONZ_LITE-2