CVE-2022-50716

Source
https://cve.org/CVERecord?id=CVE-2022-50716
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50716.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50716
Published
2025-12-24T12:22:40.461Z
Modified
2026-03-20T11:47:35.825279Z
Summary
wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out

syzkaller reported use-after-free with the stack trace like below [1]:

[ 38.960489][ C3] ==================================================================
[ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240
[ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0
[ 38.966363][ C3]
[ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18
[ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
[ 38.969959][ C3] Call Trace:
[ 38.970841][ C3] <IRQ>
[ 38.971663][ C3] dump_stack_lvl+0xfc/0x174
[ 38.972620][ C3] print_report.cold+0x2c3/0x752
[ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240
[ 38.974644][ C3] kasan_report+0xb1/0x1d0
[ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240
[ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240
[ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0
[ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430
[ 38.981266][ C3] dummy_timer+0x140c/0x34e0
[ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0
[ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60
[ 38.986242][ C3] ? lock_release+0x51c/0x790
[ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70
[ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130
[ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0
[ 38.990777][ C3] ? lock_acquire+0x472/0x550
[ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60
[ 38.993138][ C3] ? lock_acquire+0x472/0x550
[ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860
[ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230
[ 38.997670][ C3] ? dummy_urb_enqueue+0x860/0x860
[ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0
[ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0
[ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0
[ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0
[ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0
[ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860
[ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0
[ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10
[ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40
[ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0
[ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0
[ 39.016196][ C3] __do_softirq+0x1d2/0x9be
[ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190
[ 39.019004][ C3] irq_exit_rcu+0x5/0x20
[ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0
[ 39.021965][ C3] </IRQ>
[ 39.023237][ C3] <TASK>

In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below (there are other functions which finally call ar5523_cmd()):

ar5523_probe() -> ar5523_host_available() -> ar5523_cmd_read() -> ar5523_cmd()

If ar5523_cmd() timed out, then ar5523_host_available() failed and ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb() might touch the freed structure.

This patch fixes this issue by canceling in-flight tx cmd if submitted urb timed out.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50716.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced b7d572e1871df06a96a1c9591c71c5494ff6b624
Fixed c9ba3fbf6a488da6cad1d304c5234bd8d729eba3
Fixed 340524ae7b53a72cf5d9e7bd7790433422b3b12f
Fixed 6447beefd21326a3f4719ec2ea511df797f6c820
Fixed 7360b323e0343ea099091d4ae09576dbe1f09516
Fixed 8af52492717e3538eba3f81d012b1476af8a89a6
Fixed 3eca9697c2f3905dea3ad2fc536ebaa1fbd735bd
Fixed 601ae89375033ac4870c086e24ba03f235d38e55
Fixed 9aef34e1ae35a87e5f6a22278c17823b7ce64c88
Fixed b6702a942a069c2a975478d719e98d83cdae1797

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50716.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type: ECOSYSTEM
Events (one affected range per line):
Introduced 3.8.0, fixed 4.9.337
Introduced 4.10.0, fixed 4.14.303
Introduced 4.15.0, fixed 4.19.270
Introduced 4.20.0, fixed 5.4.229
Introduced 5.5.0, fixed 5.10.163
Introduced 5.11.0, fixed 5.15.86
Introduced 5.16.0, fixed 6.0.16
Introduced 6.1.0, fixed 6.1.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50716.json"