{
  "id": "CVE-2022-50880",
  "summary": "wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()",
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()\n\nWhen peer delete failed in a disconnect operation, a use-after-free was\ndetected by KFENCE in the log below. It is because for each vdev_id and\naddress, it has only one struct ath10k_peer, which is allocated in\nath10k_peer_map_event(). When connected to an AP, it has more than\none HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, so multiple\nelements of the array peer_map of struct ath10k will be set to the\nsame ath10k_peer in ath10k_peer_map_event(). When peer delete failed\nin ath10k_sta_state(), the ath10k_peer will be freed for the 1st peer\nid in array peer_map of struct ath10k, and then use-after-free happened\nfor the 2nd peer id because they map to the same ath10k_peer.\n\nAfter cleaning up all peers in array peer_map for the ath10k_peer, the\nuse-after-free disappeared.\n\npeer map event log:\n[  306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e\n[  306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33\n[  306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246\n[  306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198\n[  306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166\n\npeer unmap event log:\n[  435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING)\n[  435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone)\n[  435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246\n[  435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198\n[  435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166\n\nuse-after-free log:\n[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING)\n[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110\n[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed\n[21713.799968] ==================================================================\n[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.799991]\n[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69):\n[21713.800010]  ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.800041]  drv_sta_state+0x115/0x677 [mac80211]\n[21713.800059]  __sta_info_destroy_part2+0xb1/0x133 [mac80211]\n[21713.800076]  __sta_info_flush+0x11d/0x162 [mac80211]\n[21713.800093]  ieee80211_set_disassoc+0x12d/0x2f4 [mac80211]\n[21713.800110]  ieee80211_mgd_deauth+0x26c/0x29b [mac80211]\n[21713.800137]  cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211]\n[21713.800153]  nl80211_deauthenticate+0xf8/0x121 [cfg80211]\n[21713.800161]  genl_rcv_msg+0x38e/0x3be\n[21713.800166]  netlink_rcv_skb+0x89/0xf7\n[21713.800171]  genl_rcv+0x28/0x36\n[21713.800176]  netlink_unicast+0x179/0x24b\n[21713.800181]  netlink_sendmsg+0x3a0/0x40e\n[21713.800187]  sock_sendmsg+0x72/0x76\n[21713.800192]  ____sys_sendmsg+0x16d/0x1e3\n[21713.800196]  ___sys_sendmsg+0x95/0xd1\n[21713.800200]  __sys_sendmsg+0x85/0xbf\n[21713.800205]  do_syscall_64+0x43/0x55\n[21713.800210]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[21713.800213]\n[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k\n[21713.800219]\n[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s:\n[21713.800241]  ath10k_peer_map_event+0x7e/0x154 [ath10k_core]\n[21713.800254]  ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core]\n[21713.800265]  ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core]\n[21713.800277]  ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core]\n[21713.800283]  ath10k_pci_process_rx_cb+0x195/0x1d\n---truncated---",
  "modified": "2026-04-02T08:28:49.277305Z",
  "published": "2025-12-30T12:23:19.551Z",
  "related": [
    "SUSE-SU-2026:0263-1",
    "SUSE-SU-2026:0317-1",
    "SUSE-SU-2026:0350-1",
    "SUSE-SU-2026:0369-1",
    "SUSE-SU-2026:0411-1",
    "SUSE-SU-2026:0473-1",
    "SUSE-SU-2026:0617-1"
  ],
  "database_specific": {
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50880.json",
    "cna_assigner": "Linux"
  },
  "references": [
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/08faf07717be0c88b02b5aa45aad2225dfcdd2dc" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/15604ab67179ae27ea3c7fb24b6df32b143257c4" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/2bf916418d2141b810c40812433ab4ecfd3c2934" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/2d6259715c9597a6cfa25db8911683eb0073b1c6" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/38245f2d62cd4d1f38a763a7b4045ab4565b30a0" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/4494ec1c0bb850eaa80fed98e5b041d961011d3e" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/54a3201f3c1ff813523937da78b5fa7649dbab71" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/f020d9570a04df0762a2ac5c50cf1d8c511c9164" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/f12fc305c127bd07bb50373e29c6037696f916a8" },
    { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50880.json" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50880" },
    { "type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" }
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "events": [
            { "introduced": "d0eeafad118940fe445ca00f45be5624fea2ec34" },
            { "fixed": "15604ab67179ae27ea3c7fb24b6df32b143257c4" },
            { "fixed": "2d6259715c9597a6cfa25db8911683eb0073b1c6" },
            { "fixed": "f12fc305c127bd07bb50373e29c6037696f916a8" },
            { "fixed": "4494ec1c0bb850eaa80fed98e5b041d961011d3e" },
            { "fixed": "08faf07717be0c88b02b5aa45aad2225dfcdd2dc" },
            { "fixed": "54a3201f3c1ff813523937da78b5fa7649dbab71" },
            { "fixed": "2bf916418d2141b810c40812433ab4ecfd3c2934" },
            { "fixed": "38245f2d62cd4d1f38a763a7b4045ab4565b30a0" },
            { "fixed": "f020d9570a04df0762a2ac5c50cf1d8c511c9164" }
          ]
        }
      ],
      "database_specific": { "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50880.json" }
    },
    {
      "package": { "name": "Kernel", "ecosystem": "Linux" },
      "ranges": [
        { "type": "ECOSYSTEM", "events": [ { "introduced": "4.8.0" }, { "fixed": "4.9.331" } ] },
        { "type": "ECOSYSTEM", "events": [ { "introduced": "4.10.0" }, { "fixed": "4.14.296" } ] },
        { "type": "ECOSYSTEM", "events": [ { "introduced": "4.15.0" }, { "fixed": "4.19.262" } ] },
        { "type": "ECOSYSTEM", "events": [ { "introduced": "4.20.0" }, { "fixed": "5.4.220" } ] },
        { "type": "ECOSYSTEM", "events": [ { "introduced": "5.5.0" }, { "fixed": "5.10.150" } ] },
        { "type": "ECOSYSTEM", "events": [ { "introduced": "5.11.0" }, { "fixed": "5.15.75" } ] },
        { "type": "ECOSYSTEM", "events": [ { "introduced": "5.16.0" }, { "fixed": "5.19.17" } ] },
        { "type": "ECOSYSTEM", "events": [ { "introduced": "5.20.0" }, { "fixed": "6.0.3" } ] }
      ],
      "database_specific": { "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50880.json" }
    }
  ],
  "schema_version": "1.7.5"
}
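The aliasing the commit message describes (several peer_map slots pointing at one ath10k_peer, freed at the first slot and read again at the next) is easy to reproduce in a small model. The C below is an added example written for this page, not ath10k driver code and not the text of the fix. `peer_model`, `ar_model`, the 256-entry map, the four-entry static pool, the `sta_id` field standing in for `peer->sta`, and the `freed` flag that stands in for KFENCE's detection are all assumptions; `peer_map_cleanup()` is one reconstruction of "clean up all peers in array peer_map for the ath10k_peer", not the patch's own helper. The scenario replays the peer ids 246, 198 and 166 from the log above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added model of ath10k's peer_map aliasing; not driver code. Sizes, names and the
 * freed-flag stand-in for KFENCE are assumptions made for this example. */
#define PEER_MAP_SIZE 256          /* assumption: large enough for the ids in the log */
#define POOL_SIZE 4                /* assumption: small static pool instead of kmalloc */
#define ETH_ALEN 6

struct peer_model {                /* stand-in for struct ath10k_peer */
    int vdev_id;
    unsigned char addr[ETH_ALEN];
    int sta_id;                    /* stand-in for peer->sta */
    bool in_use;
    bool freed;                    /* poison flag: a read after "free" is counted, not executed as UB */
};

struct ar_model {                  /* stand-in for the peer_map part of struct ath10k */
    struct peer_model pool[POOL_SIZE];
    struct peer_model *peer_map[PEER_MAP_SIZE];
    int uaf_reads;                 /* how many times a walk touched a freed peer */
};

/* Like ath10k_peer_map_event(): one peer object per (vdev, addr); every peer id the
 * firmware reports for that pair becomes another peer_map slot pointing at that object. */
static int peer_map_event(struct ar_model *ar, int vdev_id, const unsigned char *addr,
                          int sta_id, int peer_id)
{
    struct peer_model *p = NULL;
    if (peer_id < 0 || peer_id >= PEER_MAP_SIZE)
        return -1;
    for (int i = 0; i < POOL_SIZE && !p; i++) {
        struct peer_model *q = &ar->pool[i];
        if (q->in_use && !q->freed && q->vdev_id == vdev_id && !memcmp(q->addr, addr, ETH_ALEN))
            p = q;                 /* existing peer for this (vdev, addr) */
    }
    if (!p) {                      /* first map event: allocate from the pool */
        for (int i = 0; i < POOL_SIZE && !p; i++)
            if (!ar->pool[i].in_use)
                p = &ar->pool[i];
        if (!p)
            return -1;
        memset(p, 0, sizeof(*p));
        p->in_use = true;
        p->vdev_id = vdev_id;
        memcpy(p->addr, addr, ETH_ALEN);
        p->sta_id = sta_id;
    }
    ar->peer_map[peer_id] = p;
    return 0;
}

/* Buggy removal: at the first slot owned by the station, free the peer and clear only
 * that slot. The walk continues into the slots that alias the same object, so the
 * next "peer->sta == sta" comparison reads freed memory (the KFENCE report above). */
static int sta_delete_buggy(struct ar_model *ar, int sta_id)
{
    int freed = 0;
    for (int i = 0; i < PEER_MAP_SIZE; i++) {
        struct peer_model *p = ar->peer_map[i];
        if (!p)
            continue;
        if (p->freed) {            /* the use-after-free read in ath10k_sta_state */
            ar->uaf_reads++;
            continue;
        }
        if (p->sta_id == sta_id) {
            p->freed = true;       /* kfree(peer) */
            ar->peer_map[i] = NULL;
            freed++;
        }
    }
    return freed;
}

/* Fixed removal: clear every peer_map slot that points at the object before it goes away. */
static void peer_map_cleanup(struct ar_model *ar, struct peer_model *p)
{
    for (int j = 0; j < PEER_MAP_SIZE; j++)
        if (ar->peer_map[j] == p)
            ar->peer_map[j] = NULL;
    p->freed = true;               /* kfree(peer) */
}

static int sta_delete_fixed(struct ar_model *ar, int sta_id)
{
    int freed = 0;
    for (int i = 0; i < PEER_MAP_SIZE; i++) {
        struct peer_model *p = ar->peer_map[i];
        if (!p)
            continue;
        if (p->freed) {
            ar->uaf_reads++;
            continue;
        }
        if (p->sta_id == sta_id) {
            peer_map_cleanup(ar, p);
            freed++;
        }
    }
    return freed;
}

struct scenario_result { int freed; int uaf_reads; int stale_slots; };

/* Replays the log: one AP address, three HTT peer map events (ids 246, 198, 166) for
 * that address, then the station is removed with the buggy or the fixed routine. */
static struct scenario_result run_scenario(bool fixed)
{
    static const unsigned char ap[ETH_ALEN] = { 0xb0, 0x2a, 0x43, 0xe6, 0x75, 0x0e };
    static const int ids[] = { 246, 198, 166 };
    struct ar_model ar;
    struct scenario_result r = { 0, 0, 0 };

    memset(&ar, 0, sizeof(ar));
    for (size_t k = 0; k < sizeof(ids) / sizeof(ids[0]); k++)
        peer_map_event(&ar, 0, ap, 1, ids[k]);
    r.freed = fixed ? sta_delete_fixed(&ar, 1) : sta_delete_buggy(&ar, 1);
    r.uaf_reads = ar.uaf_reads;
    for (int i = 0; i < PEER_MAP_SIZE; i++)
        if (ar.peer_map[i] && ar.peer_map[i]->freed)
            r.stale_slots++;       /* dangling pointers left behind in peer_map */
    return r;
}

int main(void)
{
    struct scenario_result b = run_scenario(false), f = run_scenario(true);
    printf("buggy: freed=%d uaf_reads=%d stale_slots=%d\n", b.freed, b.uaf_reads, b.stale_slots);
    printf("fixed: freed=%d uaf_reads=%d stale_slots=%d\n", f.freed, f.uaf_reads, f.stale_slots);
    return 0;
}
```

With the buggy routine the walk frees the peer at slot 166 (the lowest index) and then touches the same object twice more at slots 198 and 246; with the fixed routine all three slots are cleared before the object is released, so no dangling entry survives. The general point for any driver or service that keeps several index-to-object aliases: release the object only after every alias has been invalidated, and do the invalidation by object identity, not by the one index that happened to trigger the removal.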