CVE-2022-50700 (GCVE-0-2022-50700)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-05-11 19:23
VLAI
Title
wifi: ath10k: Delay the unmapping of the buffer
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: Delay the unmapping of the buffer On WCN3990, we are seeing a rare scenario where copy engine hardware is sending a copy complete interrupt to the host driver while still processing the buffer that the driver has sent, this is leading into an SMMU fault triggering kernel panic. This is happening on copy engine channel 3 (CE3) where the driver normally enqueues WMI commands to the firmware. Upon receiving a copy complete interrupt, host driver will immediately unmap and frees the buffer presuming that hardware has processed the buffer. In the issue case, upon receiving copy complete interrupt, host driver will unmap and free the buffer but since hardware is still accessing the buffer (which in this case got unmapped in parallel), SMMU hardware will trigger an SMMU fault resulting in a kernel panic. In order to avoid this, as a work around, add a delay before unmapping the copy engine source DMA buffer. This is conditionally done for WCN3990 and only for the CE3 channel where issue is seen. Below is the crash signature: wifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled context fault: fsr=0x402, iova=0x7fdfd8ac0, fsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled context fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003, cbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error received: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091: cmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149 remoteproc remoteproc0: crash detected in 4080000.remoteproc: type fatal error <3> remoteproc remoteproc0: handling crash #1 in 4080000.remoteproc pc : __arm_lpae_unmap+0x500/0x514 lr : __arm_lpae_unmap+0x4bc/0x514 sp : ffffffc011ffb530 x29: ffffffc011ffb590 x28: 0000000000000000 x27: 0000000000000000 x26: 0000000000000004 x25: 0000000000000003 x24: ffffffc011ffb890 x23: ffffffa762ef9be0 x22: ffffffa77244ef00 x21: 0000000000000009 x20: 00000007fff7c000 x19: 0000000000000003 x18: 0000000000000000 x17: 0000000000000004 x16: ffffffd7a357d9f0 x15: 0000000000000000 x14: 00fd5d4fa7ffffff x13: 000000000000000e x12: 0000000000000000 x11: 00000000ffffffff x10: 00000000fffffe00 x9 : 000000000000017c x8 : 000000000000000c x7 : 0000000000000000 x6 : ffffffa762ef9000 x5 : 0000000000000003 x4 : 0000000000000004 x3 : 0000000000001000 x2 : 00000007fff7c000 x1 : ffffffc011ffb890 x0 : 0000000000000000 Call trace: __arm_lpae_unmap+0x500/0x514 __arm_lpae_unmap+0x4bc/0x514 __arm_lpae_unmap+0x4bc/0x514 arm_lpae_unmap_pages+0x78/0xa4 arm_smmu_unmap_pages+0x78/0x104 __iommu_unmap+0xc8/0x1e4 iommu_unmap_fast+0x38/0x48 __iommu_dma_unmap+0x84/0x104 iommu_dma_free+0x34/0x50 dma_free_attrs+0xa4/0xd0 ath10k_htt_rx_free+0xc4/0xf4 [ath10k_core] ath10k_core_stop+0x64/0x7c [ath10k_core] ath10k_halt+0x11c/0x180 [ath10k_core] ath10k_stop+0x54/0x94 [ath10k_core] drv_stop+0x48/0x1c8 [mac80211] ieee80211_do_open+0x638/0x77c [mac80211] ieee80211_open+0x48/0x5c [mac80211] __dev_open+0xb4/0x174 __dev_change_flags+0xc4/0x1dc dev_change_flags+0x3c/0x7c devinet_ioctl+0x2b4/0x580 inet_ioctl+0xb0/0x1b4 sock_do_ioctl+0x4c/0x16c compat_ifreq_ioctl+0x1cc/0x35c compat_sock_ioctl+0x110/0x2ac __arm64_compat_sys_ioctl+0xf4/0x3e0 el0_svc_common+0xb4/0x17c el0_svc_compat_handler+0x2c/0x58 el0_svc_compat+0x8/0x2c Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: d390509bdf501c9c8c6e61248e4bc9314c86d854 , < c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a (git)
Affected: d390509bdf501c9c8c6e61248e4bc9314c86d854 , < 79a124b588aadb5a22695542778de14366ff3219 (git)
Affected: d390509bdf501c9c8c6e61248e4bc9314c86d854 , < acd4324e5f1f11351630234297f95076f0ac9a2f (git)
Create a notification for this product.
Linux Linux Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath10k/core.c",
            "drivers/net/wireless/ath/ath10k/htc.c",
            "drivers/net/wireless/ath/ath10k/hw.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a",
              "status": "affected",
              "version": "d390509bdf501c9c8c6e61248e4bc9314c86d854",
              "versionType": "git"
            },
            {
              "lessThan": "79a124b588aadb5a22695542778de14366ff3219",
              "status": "affected",
              "version": "d390509bdf501c9c8c6e61248e4bc9314c86d854",
              "versionType": "git"
            },
            {
              "lessThan": "acd4324e5f1f11351630234297f95076f0ac9a2f",
              "status": "affected",
              "version": "d390509bdf501c9c8c6e61248e4bc9314c86d854",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath10k/core.c",
            "drivers/net/wireless/ath/ath10k/htc.c",
            "drivers/net/wireless/ath/ath10k/hw.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: Delay the unmapping of the buffer\n\nOn WCN3990, we are seeing a rare scenario where copy engine hardware is\nsending a copy complete interrupt to the host driver while still\nprocessing the buffer that the driver has sent, this is leading into an\nSMMU fault triggering kernel panic. This is happening on copy engine\nchannel 3 (CE3) where the driver normally enqueues WMI commands to the\nfirmware. Upon receiving a copy complete interrupt, host driver will\nimmediately unmap and frees the buffer presuming that hardware has\nprocessed the buffer. In the issue case, upon receiving copy complete\ninterrupt, host driver will unmap and free the buffer but since hardware\nis still accessing the buffer (which in this case got unmapped in\nparallel), SMMU hardware will trigger an SMMU fault resulting in a\nkernel panic.\n\nIn order to avoid this, as a work around, add a delay before unmapping\nthe copy engine source DMA buffer. This is conditionally done for\nWCN3990 and only for the CE3 channel where issue is seen.\n\nBelow is the crash signature:\n\nwifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled\ncontext fault: fsr=0x402, iova=0x7fdfd8ac0,\nfsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled\ncontext fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003,\ncbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error\nreceived: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091:\ncmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149\nremoteproc remoteproc0: crash detected in\n4080000.remoteproc: type fatal error \u003c3\u003e remoteproc remoteproc0:\nhandling crash #1 in 4080000.remoteproc\n\npc : __arm_lpae_unmap+0x500/0x514\nlr : __arm_lpae_unmap+0x4bc/0x514\nsp : ffffffc011ffb530\nx29: ffffffc011ffb590 x28: 0000000000000000\nx27: 0000000000000000 x26: 0000000000000004\nx25: 0000000000000003 x24: ffffffc011ffb890\nx23: ffffffa762ef9be0 x22: ffffffa77244ef00\nx21: 0000000000000009 x20: 00000007fff7c000\nx19: 0000000000000003 x18: 0000000000000000\nx17: 0000000000000004 x16: ffffffd7a357d9f0\nx15: 0000000000000000 x14: 00fd5d4fa7ffffff\nx13: 000000000000000e x12: 0000000000000000\nx11: 00000000ffffffff x10: 00000000fffffe00\nx9 : 000000000000017c x8 : 000000000000000c\nx7 : 0000000000000000 x6 : ffffffa762ef9000\nx5 : 0000000000000003 x4 : 0000000000000004\nx3 : 0000000000001000 x2 : 00000007fff7c000\nx1 : ffffffc011ffb890 x0 : 0000000000000000 Call trace:\n__arm_lpae_unmap+0x500/0x514\n__arm_lpae_unmap+0x4bc/0x514\n__arm_lpae_unmap+0x4bc/0x514\narm_lpae_unmap_pages+0x78/0xa4\narm_smmu_unmap_pages+0x78/0x104\n__iommu_unmap+0xc8/0x1e4\niommu_unmap_fast+0x38/0x48\n__iommu_dma_unmap+0x84/0x104\niommu_dma_free+0x34/0x50\ndma_free_attrs+0xa4/0xd0\nath10k_htt_rx_free+0xc4/0xf4 [ath10k_core] ath10k_core_stop+0x64/0x7c\n[ath10k_core]\nath10k_halt+0x11c/0x180 [ath10k_core]\nath10k_stop+0x54/0x94 [ath10k_core]\ndrv_stop+0x48/0x1c8 [mac80211]\nieee80211_do_open+0x638/0x77c [mac80211] ieee80211_open+0x48/0x5c\n[mac80211]\n__dev_open+0xb4/0x174\n__dev_change_flags+0xc4/0x1dc\ndev_change_flags+0x3c/0x7c\ndevinet_ioctl+0x2b4/0x580\ninet_ioctl+0xb0/0x1b4\nsock_do_ioctl+0x4c/0x16c\ncompat_ifreq_ioctl+0x1cc/0x35c\ncompat_sock_ioctl+0x110/0x2ac\n__arm64_compat_sys_ioctl+0xf4/0x3e0\nel0_svc_common+0xb4/0x17c\nel0_svc_compat_handler+0x2c/0x58\nel0_svc_compat+0x8/0x2c\n\nTested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T19:23:45.695Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/79a124b588aadb5a22695542778de14366ff3219"
        },
        {
          "url": "https://git.kernel.org/stable/c/acd4324e5f1f11351630234297f95076f0ac9a2f"
        }
      ],
      "title": "wifi: ath10k: Delay the unmapping of the buffer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50700",
    "datePublished": "2025-12-24T10:55:16.257Z",
    "dateReserved": "2025-12-24T10:53:15.517Z",
    "dateUpdated": "2026-05-11T19:23:45.695Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-50700",
      "date": "2026-06-07",
      "epss": "0.00027",
      "percentile": "0.08158"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-50700\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T11:15:50.153\",\"lastModified\":\"2025-12-29T15:58:56.260\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath10k: Delay the unmapping of the buffer\\n\\nOn WCN3990, we are seeing a rare scenario where copy engine hardware is\\nsending a copy complete interrupt to the host driver while still\\nprocessing the buffer that the driver has sent, this is leading into an\\nSMMU fault triggering kernel panic. This is happening on copy engine\\nchannel 3 (CE3) where the driver normally enqueues WMI commands to the\\nfirmware. Upon receiving a copy complete interrupt, host driver will\\nimmediately unmap and frees the buffer presuming that hardware has\\nprocessed the buffer. In the issue case, upon receiving copy complete\\ninterrupt, host driver will unmap and free the buffer but since hardware\\nis still accessing the buffer (which in this case got unmapped in\\nparallel), SMMU hardware will trigger an SMMU fault resulting in a\\nkernel panic.\\n\\nIn order to avoid this, as a work around, add a delay before unmapping\\nthe copy engine source DMA buffer. This is conditionally done for\\nWCN3990 and only for the CE3 channel where issue is seen.\\n\\nBelow is the crash signature:\\n\\nwifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled\\ncontext fault: fsr=0x402, iova=0x7fdfd8ac0,\\nfsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled\\ncontext fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003,\\ncbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error\\nreceived: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091:\\ncmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149\\nremoteproc remoteproc0: crash detected in\\n4080000.remoteproc: type fatal error \u003c3\u003e remoteproc remoteproc0:\\nhandling crash #1 in 4080000.remoteproc\\n\\npc : __arm_lpae_unmap+0x500/0x514\\nlr : __arm_lpae_unmap+0x4bc/0x514\\nsp : ffffffc011ffb530\\nx29: ffffffc011ffb590 x28: 0000000000000000\\nx27: 0000000000000000 x26: 0000000000000004\\nx25: 0000000000000003 x24: ffffffc011ffb890\\nx23: ffffffa762ef9be0 x22: ffffffa77244ef00\\nx21: 0000000000000009 x20: 00000007fff7c000\\nx19: 0000000000000003 x18: 0000000000000000\\nx17: 0000000000000004 x16: ffffffd7a357d9f0\\nx15: 0000000000000000 x14: 00fd5d4fa7ffffff\\nx13: 000000000000000e x12: 0000000000000000\\nx11: 00000000ffffffff x10: 00000000fffffe00\\nx9 : 000000000000017c x8 : 000000000000000c\\nx7 : 0000000000000000 x6 : ffffffa762ef9000\\nx5 : 0000000000000003 x4 : 0000000000000004\\nx3 : 0000000000001000 x2 : 00000007fff7c000\\nx1 : ffffffc011ffb890 x0 : 0000000000000000 Call trace:\\n__arm_lpae_unmap+0x500/0x514\\n__arm_lpae_unmap+0x4bc/0x514\\n__arm_lpae_unmap+0x4bc/0x514\\narm_lpae_unmap_pages+0x78/0xa4\\narm_smmu_unmap_pages+0x78/0x104\\n__iommu_unmap+0xc8/0x1e4\\niommu_unmap_fast+0x38/0x48\\n__iommu_dma_unmap+0x84/0x104\\niommu_dma_free+0x34/0x50\\ndma_free_attrs+0xa4/0xd0\\nath10k_htt_rx_free+0xc4/0xf4 [ath10k_core] ath10k_core_stop+0x64/0x7c\\n[ath10k_core]\\nath10k_halt+0x11c/0x180 [ath10k_core]\\nath10k_stop+0x54/0x94 [ath10k_core]\\ndrv_stop+0x48/0x1c8 [mac80211]\\nieee80211_do_open+0x638/0x77c [mac80211] ieee80211_open+0x48/0x5c\\n[mac80211]\\n__dev_open+0xb4/0x174\\n__dev_change_flags+0xc4/0x1dc\\ndev_change_flags+0x3c/0x7c\\ndevinet_ioctl+0x2b4/0x580\\ninet_ioctl+0xb0/0x1b4\\nsock_do_ioctl+0x4c/0x16c\\ncompat_ifreq_ioctl+0x1cc/0x35c\\ncompat_sock_ioctl+0x110/0x2ac\\n__arm64_compat_sys_ioctl+0xf4/0x3e0\\nel0_svc_common+0xb4/0x17c\\nel0_svc_compat_handler+0x2c/0x58\\nel0_svc_compat+0x8/0x2c\\n\\nTested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/79a124b588aadb5a22695542778de14366ff3219\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/acd4324e5f1f11351630234297f95076f0ac9a2f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.