CVE-2022-50248

Source
https://cve.org/CVERecord?id=CVE-2022-50248
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50248.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50248
Published
2025-09-15T14:02:07.723Z
Modified
2026-03-20T11:47:21.032951Z
Summary
wifi: iwlwifi: mvm: fix double free on tx path.
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: fix double free on tx path.

We see kernel crashes and lockups and KASAN errors related to ax210 firmware crashes. One of the KASAN dumps pointed at the tx path, and it appears there is indeed a way to double-free an skb.

If iwl_mvm_tx_skb_sta returns non-zero, then the 'skb' sent into the method will be freed. But, in case where we build TSO skb buffer, the skb may also be freed in error case. So, return 0 in that particular error case and do cleanup manually.

BUG: KASAN: use-after-free in __list_del_entry_valid+0x12/0x90
iwlwifi 0000:06:00.0: 0x00000000 | tsf hi
Read of size 8 at addr ffff88813cfa4ba0 by task btserver/9650


Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50248.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
08f7d8b69aaf137db8ee0a2d7c9e6cd6383ae250
Fixed
0e1e311fd929c6a8dcfddcb4748c47b07e39821f
Fixed
ae966649f665bc3868b935157dd4a3c31810dcc0
Fixed
d8e32f1bf1a9183a6aad560c6688500222d24299
Fixed
8fabe41fba907e4fd826acbbdb42e09c681c515e
Fixed
3a2ecd1ec14075117ccb3e85f0fed224578ec228
Fixed
0473cbae2137b963bd0eaa74336131cb1d3bc6c3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50248.json"