{"id":"CVE-2022-50716","summary":"wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ar5523: Fix use-after-free on ar5523_cmd() timed out\n\nsyzkaller reported use-after-free with the stack trace like below [1]:\n\n[   38.960489][    C3] ==================================================================\n[   38.963216][    C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240\n[   38.964950][    C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0\n[   38.966363][    C3]\n[   38.967053][    C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18\n[   38.968464][    C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014\n[   38.969959][    C3] Call Trace:\n[   38.970841][    C3]  \u003cIRQ\u003e\n[   38.971663][    C3]  dump_stack_lvl+0xfc/0x174\n[   38.972620][    C3]  print_report.cold+0x2c3/0x752\n[   38.973626][    C3]  ? ar5523_cmd_tx_cb+0x220/0x240\n[   38.974644][    C3]  kasan_report+0xb1/0x1d0\n[   38.975720][    C3]  ? ar5523_cmd_tx_cb+0x220/0x240\n[   38.976831][    C3]  ar5523_cmd_tx_cb+0x220/0x240\n[   38.978412][    C3]  __usb_hcd_giveback_urb+0x353/0x5b0\n[   38.979755][    C3]  usb_hcd_giveback_urb+0x385/0x430\n[   38.981266][    C3]  dummy_timer+0x140c/0x34e0\n[   38.982925][    C3]  ? notifier_call_chain+0xb5/0x1e0\n[   38.984761][    C3]  ? rcu_read_lock_sched_held+0xb/0x60\n[   38.986242][    C3]  ? lock_release+0x51c/0x790\n[   38.987323][    C3]  ? _raw_read_unlock_irqrestore+0x37/0x70\n[   38.988483][    C3]  ? __wake_up_common_lock+0xde/0x130\n[   38.989621][    C3]  ? reacquire_held_locks+0x4a0/0x4a0\n[   38.990777][    C3]  ? lock_acquire+0x472/0x550\n[   38.991919][    C3]  ? rcu_read_lock_sched_held+0xb/0x60\n[   38.993138][    C3]  ? lock_acquire+0x472/0x550\n[   38.994890][    C3]  ? dummy_urb_enqueue+0x860/0x860\n[   38.996266][    C3]  ? do_raw_spin_unlock+0x16f/0x230\n[   38.997670][    C3]  ? dummy_urb_enqueue+0x860/0x860\n[   38.999116][    C3]  call_timer_fn+0x1a0/0x6a0\n[   39.000668][    C3]  ? add_timer_on+0x4a0/0x4a0\n[   39.002137][    C3]  ? reacquire_held_locks+0x4a0/0x4a0\n[   39.003809][    C3]  ? __next_timer_interrupt+0x226/0x2a0\n[   39.005509][    C3]  __run_timers.part.0+0x69a/0xac0\n[   39.007025][    C3]  ? dummy_urb_enqueue+0x860/0x860\n[   39.008716][    C3]  ? call_timer_fn+0x6a0/0x6a0\n[   39.010254][    C3]  ? cpuacct_percpu_seq_show+0x10/0x10\n[   39.011795][    C3]  ? kvm_sched_clock_read+0x14/0x40\n[   39.013277][    C3]  ? sched_clock_cpu+0x69/0x2b0\n[   39.014724][    C3]  run_timer_softirq+0xb6/0x1d0\n[   39.016196][    C3]  __do_softirq+0x1d2/0x9be\n[   39.017616][    C3]  __irq_exit_rcu+0xeb/0x190\n[   39.019004][    C3]  irq_exit_rcu+0x5/0x20\n[   39.020361][    C3]  sysvec_apic_timer_interrupt+0x8f/0xb0\n[   39.021965][    C3]  \u003c/IRQ\u003e\n[   39.023237][    C3]  \u003cTASK\u003e\n\nIn ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below\n(there are other functions which finally call ar5523_cmd()):\n\nar5523_probe()\n-\u003e ar5523_host_available()\n   -\u003e ar5523_cmd_read()\n      -\u003e ar5523_cmd()\n\nIf ar5523_cmd() timed out, then ar5523_host_available() failed and\nar5523_probe() freed the device structure.  So, ar5523_cmd_tx_cb()\nmight touch the freed structure.\n\nThis patch fixes this issue by canceling in-flight tx cmd if submitted\nurb timed out.","modified":"2026-04-02T08:28:43.122864Z","published":"2025-12-24T12:22:40.461Z","related":["SUSE-SU-2026:0263-1","SUSE-SU-2026:0317-1","SUSE-SU-2026:0411-1","SUSE-SU-2026:0473-1","SUSE-SU-2026:0617-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50716.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/340524ae7b53a72cf5d9e7bd7790433422b3b12f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3eca9697c2f3905dea3ad2fc536ebaa1fbd735bd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/601ae89375033ac4870c086e24ba03f235d38e55"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6447beefd21326a3f4719ec2ea511df797f6c820"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7360b323e0343ea099091d4ae09576dbe1f09516"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8af52492717e3538eba3f81d012b1476af8a89a6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9aef34e1ae35a87e5f6a22278c17823b7ce64c88"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b6702a942a069c2a975478d719e98d83cdae1797"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c9ba3fbf6a488da6cad1d304c5234bd8d729eba3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50716.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50716"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b7d572e1871df06a96a1c9591c71c5494ff6b624"},{"fixed":"c9ba3fbf6a488da6cad1d304c5234bd8d729eba3"},{"fixed":"340524ae7b53a72cf5d9e7bd7790433422b3b12f"},{"fixed":"6447beefd21326a3f4719ec2ea511df797f6c820"},{"fixed":"7360b323e0343ea099091d4ae09576dbe1f09516"},{"fixed":"8af52492717e3538eba3f81d012b1476af8a89a6"},{"fixed":"3eca9697c2f3905dea3ad2fc536ebaa1fbd735bd"},{"fixed":"601ae89375033ac4870c086e24ba03f235d38e55"},{"fixed":"9aef34e1ae35a87e5f6a22278c17823b7ce64c88"},{"fixed":"b6702a942a069c2a975478d719e98d83cdae1797"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50716.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.8.0"},{"fixed":"4.9.337"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.10.0"},{"fixed":"4.14.303"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.15.0"},{"fixed":"4.19.270"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.229"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.163"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.86"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.0.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.1.0"},{"fixed":"6.1.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50716.json"}}],"schema_version":"1.7.5"}