ghsa-qmvm-xjmc-fj3r
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
ath11k: pci: fix crash on suspend if board file is not found
Mario reported that the kernel was crashing on suspend if ath11k was not able to find a board file:
[ 473.693286] PM: Suspending system (s2idle) [ 473.693291] printk: Suspending console(s) (use no_console_suspend to debug) [ 474.407787] BUG: unable to handle page fault for address: 0000000000002070 [ 474.407791] #PF: supervisor read access in kernel mode [ 474.407794] #PF: error_code(0x0000) - not-present page [ 474.407798] PGD 0 P4D 0 [ 474.407801] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 474.407805] CPU: 2 PID: 2350 Comm: kworker/u32:14 Tainted: G W 5.16.0 #248 [...] [ 474.407868] Call Trace: [ 474.407870] [ 474.407874] ? _raw_spin_lock_irqsave+0x2a/0x60 [ 474.407882] ? lock_timer_base+0x72/0xa0 [ 474.407889] ? _raw_spin_unlock_irqrestore+0x29/0x3d [ 474.407892] ? try_to_del_timer_sync+0x54/0x80 [ 474.407896] ath11k_dp_rx_pktlog_stop+0x49/0xc0 [ath11k] [ 474.407912] ath11k_core_suspend+0x34/0x130 [ath11k] [ 474.407923] ath11k_pci_pm_suspend+0x1b/0x50 [ath11k_pci] [ 474.407928] pci_pm_suspend+0x7e/0x170 [ 474.407935] ? pci_pm_freeze+0xc0/0xc0 [ 474.407939] dpm_run_callback+0x4e/0x150 [ 474.407947] __device_suspend+0x148/0x4c0 [ 474.407951] async_suspend+0x20/0x90 dmesg-efi-164255130401001: Oops#1 Part1 [ 474.407955] async_run_entry_fn+0x33/0x120 [ 474.407959] process_one_work+0x220/0x3f0 [ 474.407966] worker_thread+0x4a/0x3d0 [ 474.407971] kthread+0x17a/0x1a0 [ 474.407975] ? process_one_work+0x3f0/0x3f0 [ 474.407979] ? set_kthread_struct+0x40/0x40 [ 474.407983] ret_from_fork+0x22/0x30 [ 474.407991]
The issue here is that board file loading happens after ath11k_pci_probe() succesfully returns (ath11k initialisation happends asynchronously) and the suspend handler is still enabled, of course failing as ath11k is not properly initialised. Fix this by checking ATH11K_FLAG_QMI_FAIL during both suspend and resume.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2
{
"affected": [],
"aliases": [
"CVE-2022-49132"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:00:50Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: pci: fix crash on suspend if board file is not found\n\nMario reported that the kernel was crashing on suspend if ath11k was not able\nto find a board file:\n\n[ 473.693286] PM: Suspending system (s2idle)\n[ 473.693291] printk: Suspending console(s) (use no_console_suspend to debug)\n[ 474.407787] BUG: unable to handle page fault for address: 0000000000002070\n[ 474.407791] #PF: supervisor read access in kernel mode\n[ 474.407794] #PF: error_code(0x0000) - not-present page\n[ 474.407798] PGD 0 P4D 0\n[ 474.407801] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 474.407805] CPU: 2 PID: 2350 Comm: kworker/u32:14 Tainted: G W 5.16.0 #248\n[...]\n[ 474.407868] Call Trace:\n[ 474.407870] \u003cTASK\u003e\n[ 474.407874] ? _raw_spin_lock_irqsave+0x2a/0x60\n[ 474.407882] ? lock_timer_base+0x72/0xa0\n[ 474.407889] ? _raw_spin_unlock_irqrestore+0x29/0x3d\n[ 474.407892] ? try_to_del_timer_sync+0x54/0x80\n[ 474.407896] ath11k_dp_rx_pktlog_stop+0x49/0xc0 [ath11k]\n[ 474.407912] ath11k_core_suspend+0x34/0x130 [ath11k]\n[ 474.407923] ath11k_pci_pm_suspend+0x1b/0x50 [ath11k_pci]\n[ 474.407928] pci_pm_suspend+0x7e/0x170\n[ 474.407935] ? pci_pm_freeze+0xc0/0xc0\n[ 474.407939] dpm_run_callback+0x4e/0x150\n[ 474.407947] __device_suspend+0x148/0x4c0\n[ 474.407951] async_suspend+0x20/0x90\ndmesg-efi-164255130401001:\nOops#1 Part1\n[ 474.407955] async_run_entry_fn+0x33/0x120\n[ 474.407959] process_one_work+0x220/0x3f0\n[ 474.407966] worker_thread+0x4a/0x3d0\n[ 474.407971] kthread+0x17a/0x1a0\n[ 474.407975] ? process_one_work+0x3f0/0x3f0\n[ 474.407979] ? set_kthread_struct+0x40/0x40\n[ 474.407983] ret_from_fork+0x22/0x30\n[ 474.407991] \u003c/TASK\u003e\n\nThe issue here is that board file loading happens after ath11k_pci_probe()\nsuccesfully returns (ath11k initialisation happends asynchronously) and the\nsuspend handler is still enabled, of course failing as ath11k is not properly\ninitialised. Fix this by checking ATH11K_FLAG_QMI_FAIL during both suspend and\nresume.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2",
"id": "GHSA-qmvm-xjmc-fj3r",
"modified": "2025-09-23T18:30:20Z",
"published": "2025-09-23T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49132"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aeed776c00e804a0f7896db39c7c661cea34ee1f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b4f4c56459a5c744f7f066b9fc2b54ea995030c5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f3c5ef433da82d257337424b3647ce9dcb37d4b5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fed4cef115ab21a18faf499b3fa9b9a4b544f941"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.