In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected
It has a fail log, which is an ath11k_dbg() in ath11k_dp_rx_process_mon_status(), as below; it will not print when debug_mask is not set to ATH11K_DBG_DATA.
    ath11k_dbg(ab, ATH11K_DBG_DATA, "failed to find the peer with peer_id %d\n", ppdu_info.peer_id);
When running a scan with the station disconnected, the peer_id is 0 for case HAL_RX_MPDU_START in ath11k_hal_rx_parse_mon_status_tlv(), which is called from ath11k_dp_rx_process_mon_status(), and the peer_id of ppdu_info is reset to 0 in the while loop, so it does not match the condition of the check "if (ppdu_info->peer_id == HAL_INVALID_PEERID)" in the loop, and then the log "failed to find the peer with peer_id 0" prints after the check in the loop. Below is the call stack when debug_mask is set to ATH11K_DBG_DATA.
The reason is that commit 01d2f285e3e5 ("ath11k: decode HE status tlv") added "memset(ppdu_info, 0, sizeof(struct hal_rx_mon_ppdu_info))" in ath11k_dp_rx_process_mon_status(), but the commit does not initialize the peer_id to HAL_INVALID_PEERID, which leads to the check mismatch.
Call stack of the failed log:
[12335.689072] RIP: 0010:ath11k_dp_rx_process_mon_status+0x9ea/0x1020 [ath11k]
[12335.689157] Code: 89 ff e8 f9 10 00 00 be 01 00 00 00 4c 89 f7 e8 dc 4b 4e de 48 8b 85 38 ff ff ff c7 80 e4 07 00 00 01 00 00 00 e9 20 f8 ff ff <0f> 0b 41 0f b7 96 be 06 00 00 48 c7 c6 b8 50 44 c1 4c 89 ff e8 fd
[12335.689180] RSP: 0018:ffffb874001a4ca0 EFLAGS: 00010246
[12335.689210] RAX: 0000000000000000 RBX: ffff995642cbd100 RCX: 0000000000000000
[12335.689229] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99564212cd18
[12335.689248] RBP: ffffb874001a4dc0 R08: 0000000000000001 R09: 0000000000000000
[12335.689268] R10: 0000000000000220 R11: ffffb874001a48e8 R12: ffff995642473d40
[12335.689286] R13: ffff99564212c5b8 R14: ffff9956424736a0 R15: ffff995642120000
[12335.689303] FS:  0000000000000000(0000) GS:ffff995739000000(0000) knlGS:0000000000000000
[12335.689323] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[12335.689341] CR2: 00007f43c5d5e039 CR3: 000000011c012005 CR4: 00000000000606e0
[12335.689360] Call Trace:
[12335.689377]  <IRQ>
[12335.689418]  ? rcu_read_lock_held_common+0x12/0x50
[12335.689447]  ? rcu_read_lock_sched_held+0x25/0x80
[12335.689471]  ? rcu_read_lock_held_common+0x12/0x50
[12335.689504]  ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k]
[12335.689578]  ? ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k]
[12335.689653]  ? lock_acquire+0xef/0x360
[12335.689681]  ? rcu_read_lock_sched_held+0x25/0x80
[12335.689713]  ath11k_dp_service_mon_ring+0x38/0x60 [ath11k]
[12335.689784]  ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k]
[12335.689860]  call_timer_fn+0xb2/0x2f0
[12335.689897]  ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k]
[12335.689970]  run_timer_softirq+0x21f/0x540
[12335.689999]  ? ktime_get+0xad/0x160
[12335.690025]  ? lapic_next_deadline+0x2c/0x40
[12335.690053]  ? clockevents_program_event+0x82/0x100
[12335.690093]  __do_softirq+0x151/0x4a8
[12335.690135]  irq_exit_rcu+0xc9/0x100
[12335.690165]  sysvec_apic_timer_interrupt+0xa8/0xd0
[12335.690189]  </IRQ>
[12335.690204]  <TASK>
[12335.690225]  asm_sysvec_apic_timer_interrupt+0x12/0x20
Reset the default value to HAL_INVALID_PEERID each time after the memset of ppdu_info, as well as after the other memsets which exist in function ath11k_dp_rx_process_mon_status(); then the failed log disappeared.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
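An added C reduction of the fault path described above (written for this page, not the ath11k driver's own code): a memset()-only reset leaves peer_id at 0, so the HAL_INVALID_PEERID skip in the loop never fires and the peer lookup fails, while restoring the sentinel after memset() avoids the spurious log. The struct is cut down to its peer_id field, the peer table and peer_exists() are constructed stand-ins, and the TLV step keeps only the driver's "assign peer_id only when nonzero" guard.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Sentinel the ath11k driver uses for "no peer known". */
#define HAL_INVALID_PEERID 0xffff

/* Hypothetical reduction of struct hal_rx_mon_ppdu_info: only the field
 * relevant to the bug is kept. */
struct hal_rx_mon_ppdu_info {
	uint16_t peer_id;
};

/* Constructed peer table stand-in: a single hypothetical peer with id 7.
 * peer_id 0 is never a valid peer, matching the disconnected-station case. */
static bool peer_exists(uint16_t peer_id)
{
	return peer_id == 7;
}

/* Buggy reset as introduced by commit 01d2f285e3e5: memset() alone
 * leaves peer_id == 0, which is not the sentinel. */
static void reset_ppdu_info_buggy(struct hal_rx_mon_ppdu_info *info)
{
	memset(info, 0, sizeof(*info));
}

/* Fixed reset: restore the sentinel after every memset(). */
static void reset_ppdu_info_fixed(struct hal_rx_mon_ppdu_info *info)
{
	memset(info, 0, sizeof(*info));
	info->peer_id = HAL_INVALID_PEERID;
}

/* One iteration of the loop in ath11k_dp_rx_process_mon_status(), reduced.
 * tlv_peer_id is the peer id carried by the HAL_RX_MPDU_START TLV; the
 * driver only stores it when nonzero. Returns true when the spurious
 * "failed to find the peer with peer_id %d" path would be taken. */
static bool process_mon_status(void (*reset)(struct hal_rx_mon_ppdu_info *),
			       uint16_t tlv_peer_id)
{
	struct hal_rx_mon_ppdu_info ppdu_info;

	reset(&ppdu_info);
	if (tlv_peer_id)
		ppdu_info.peer_id = tlv_peer_id;
	if (ppdu_info.peer_id == HAL_INVALID_PEERID)
		return false;          /* no peer in this PPDU: correct skip */
	return !peer_exists(ppdu_info.peer_id);  /* lookup failed -> log */
}
```

With the buggy reset and a TLV peer id of 0, the lookup runs against peer_id 0 and fails; with the fixed reset the same input is skipped on the sentinel.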
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50665.json",
"cna_assigner": "Linux"
}