
Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out

syzkaller reported a use-after-free with a stack trace like the one below [1]:

[ 38.960489][ C3] ==================================================================
[ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240
[ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0
[ 38.966363][ C3]
[ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18
[ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
[ 38.969959][ C3] Call Trace:
[ 38.970841][ C3] <IRQ>
[ 38.971663][ C3] dump_stack_lvl+0xfc/0x174
[ 38.972620][ C3] print_report.cold+0x2c3/0x752
[ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240
[ 38.974644][ C3] kasan_report+0xb1/0x1d0
[ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240
[ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240
[ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0
[ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430
[ 38.981266][ C3] dummy_timer+0x140c/0x34e0
[ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0
[ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60
[ 38.986242][ C3] ? lock_release+0x51c/0x790
[ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70
[ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130
[ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0
[ 38.990777][ C3] ? lock_acquire+0x472/0x550
[ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60
[ 38.993138][ C3] ? lock_acquire+0x472/0x550
[ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860
[ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230
[ 38.997670][ C3] ? dummy_urb_enqueue+0x860/0x860
[ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0
[ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0
[ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0
[ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0
[ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0
[ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860
[ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0
[ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10
[ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40
[ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0
[ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0
[ 39.016196][ C3] __do_softirq+0x1d2/0x9be
[ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190
[ 39.019004][ C3] irq_exit_rcu+0x5/0x20
[ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0
[ 39.021965][ C3] </IRQ>
[ 39.023237][ C3] <TASK>

In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below (there are other functions which finally call ar5523_cmd()):

ar5523_probe() -> ar5523_host_available() -> ar5523_cmd_read() -> ar5523_cmd()

If ar5523_cmd() timed out, then ar5523_host_available() failed and ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb() might touch the freed structure.

This patch fixes this issue by canceling the in-flight tx cmd if the submitted urb timed out.
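The race described above, as an added user-space simulation that is not the ar5523 driver's code and not part of this CVE record: a command URB is submitted, the submitter gives up waiting, the probe error path releases the device, and the host controller later gives the URB back from interrupt context, running the completion against released memory. All sim_* names, cmd_tx_cb, run_cmd and probe_then_late_giveback are hypothetical stand-ins; kill_urb is modelled on usb_kill_urb() semantics (dequeue, run the completion once, return only when it can no longer fire) as the assumed form of "canceling the in-flight tx cmd". Instead of calling free(), the device carries a freed flag that the callback checks, which is what KASAN's poisoning detects in the real trace.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* User-space simulation of the CVE-2022-50716 pattern (added example, not the
 * ar5523 driver's code). sim_* names are hypothetical stand-ins: sim_dev is the
 * per-device struct probe allocates, sim_urb a USB URB, sim_hc_giveback the host
 * controller completing an URB later from interrupt context. */

struct sim_dev;
struct sim_urb {
    void (*complete)(struct sim_urb *urb, int status);
    struct sim_dev *context;   /* what the completion callback dereferences */
    bool in_flight;
};

struct sim_dev {
    bool freed;                /* set instead of free(): stands in for KASAN's poisoned memory */
    int cmd_done;              /* written by the completion callback */
    struct sim_urb *tx_urb;
};

static struct sim_urb *hc_queue;   /* one-slot "hardware" queue of submitted URBs */
static int uaf_reads;              /* completions that touched an already released device */

/* ar5523_cmd_tx_cb() analogue: runs whenever the controller gives the URB back. */
static void cmd_tx_cb(struct sim_urb *urb, int status)
{
    struct sim_dev *dev = urb->context;
    if (dev->freed) {              /* in the real kernel KASAN reports the UAF here */
        uaf_reads++;
        return;
    }
    dev->cmd_done = (status == 0);
}

static void submit_urb(struct sim_urb *urb)
{
    urb->in_flight = true;
    hc_queue = urb;
}

/* Controller finishes the transfer, possibly long after the submitter stopped waiting. */
static void sim_hc_giveback(int status)
{
    struct sim_urb *urb = hc_queue;
    if (!urb)
        return;                    /* nothing in flight: no callback fires */
    hc_queue = NULL;
    urb->in_flight = false;
    urb->complete(urb, status);
}

/* usb_kill_urb() analogue (assumed semantics): once this returns the completion cannot run again. */
static void kill_urb(struct sim_urb *urb)
{
    if (!urb->in_flight)
        return;
    hc_queue = NULL;
    urb->in_flight = false;
    urb->complete(urb, -ENOENT);   /* completion still runs, but while dev is alive */
}

/* ar5523_cmd() analogue; device_responds=false models wait_for_completion_timeout() returning 0. */
static int run_cmd(struct sim_dev *dev, bool device_responds, bool cancel_on_timeout)
{
    submit_urb(dev->tx_urb);
    if (device_responds) {
        sim_hc_giveback(0);        /* reply arrives inside the timeout window */
        return 0;
    }
    if (cancel_on_timeout)
        kill_urb(dev->tx_urb);     /* the fix: nothing may still reference dev after we fail */
    return -ETIMEDOUT;
}

/* ar5523_probe() analogue: run the command, release the device on error, then let the
 * controller give the URB back late. Returns how many completions touched the
 * released device; 0 is the safe outcome. */
static int probe_then_late_giveback(bool cancel_on_timeout)
{
    struct sim_dev dev = {0};
    struct sim_urb urb = { .complete = cmd_tx_cb, .context = &dev };
    dev.tx_urb = &urb;
    hc_queue = NULL;
    uaf_reads = 0;
    if (run_cmd(&dev, false, cancel_on_timeout) != 0)
        dev.freed = true;          /* probe's error path releases the device */
    sim_hc_giveback(0);            /* the late interrupt seen in the page's stack trace */
    return uaf_reads;
}

int main(void)
{
    printf("timeout, no cancel: %d completion(s) touched freed memory\n", probe_then_late_giveback(false));
    printf("timeout, cancel:    %d completion(s) touched freed memory\n", probe_then_late_giveback(true));
    return 0;
}
```

The design point the simulation makes: a timeout on the waiting side says nothing about whether the hardware side is finished, so an error return from the command path must not release anything the still-queued completion can reach until the URB has been cancelled and its completion is known to have run.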

PUBLISHED Reserved 2025-12-24 | Published 2025-12-24 | Updated 2025-12-24 | Assigner Linux

Product status

Git commits (default status: unaffected)

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before c9ba3fbf6a488da6cad1d304c5234bd8d729eba3 (git): affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 340524ae7b53a72cf5d9e7bd7790433422b3b12f (git): affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 6447beefd21326a3f4719ec2ea511df797f6c820 (git): affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 7360b323e0343ea099091d4ae09576dbe1f09516 (git): affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 8af52492717e3538eba3f81d012b1476af8a89a6 (git): affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 3eca9697c2f3905dea3ad2fc536ebaa1fbd735bd (git): affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 601ae89375033ac4870c086e24ba03f235d38e55 (git): affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 9aef34e1ae35a87e5f6a22278c17823b7ce64c88 (git): affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before b6702a942a069c2a975478d719e98d83cdae1797 (git): affected

Released versions (default status: affected)

4.9.337 (semver): unaffected
4.14.303 (semver): unaffected
4.19.270 (semver): unaffected
5.4.229 (semver): unaffected
5.10.163 (semver): unaffected
5.15.86 (semver): unaffected
6.0.16 (semver): unaffected
6.1.2 (semver): unaffected
6.2 (original_commit_for_fix): unaffected

References

git.kernel.org/...c/c9ba3fbf6a488da6cad1d304c5234bd8d729eba3

git.kernel.org/...c/340524ae7b53a72cf5d9e7bd7790433422b3b12f

git.kernel.org/...c/6447beefd21326a3f4719ec2ea511df797f6c820

git.kernel.org/...c/7360b323e0343ea099091d4ae09576dbe1f09516

git.kernel.org/...c/8af52492717e3538eba3f81d012b1476af8a89a6

git.kernel.org/...c/3eca9697c2f3905dea3ad2fc536ebaa1fbd735bd

git.kernel.org/...c/601ae89375033ac4870c086e24ba03f235d38e55

git.kernel.org/...c/9aef34e1ae35a87e5f6a22278c17823b7ce64c88

git.kernel.org/...c/b6702a942a069c2a975478d719e98d83cdae1797

cve.org (CVE-2022-50716)

nvd.nist.gov (CVE-2022-50716)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.