Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-989404)

🗓️ 05 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Kernel fix: skip ath10k_halt during suspend for RESTARTING to prevent double free after recovery.

Related
Refs
Code
ReporterTitlePublishedViews
Family
AstraLinux
Astra Linux – Vulnerability found in Linux 5.10, Linux 5.15
19 Jun 202611:10
astralinux
Circl
CVE-2022-49519
3 Dec 202514:14
circl
CNNVD
Linux kernel 安全漏洞
26 Feb 202500:00
cnnvd
CVE
CVE-2022-49519
26 Feb 202502:13
cve
Cvelist
CVE-2022-49519 ath10k: skip ath10k_halt during suspend for driver state RESTARTING
26 Feb 202502:13
cvelist
Debian CVE
CVE-2022-49519
26 Feb 202502:13
debiancve
EUVD
EUVD-2022-54710
21 Oct 202512:31
euvd
NVD
CVE-2022-49519
26 Feb 202507:01
nvd
OpenVAS
SUSE: Security Advisory (SUSE-SU-2025:1293-1)
18 Apr 202500:00
openvas
OSV
CLSA-2025-1763731262 kernel: Fix of 63 CVEs
21 Nov 202519:16
osv
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(273629);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/05");

  script_cve_id("CVE-2022-49519");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-989404)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-989404 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    ath10k: skip ath10k_halt during suspend for driver state RESTARTING

    Double free crash is observed when FW recovery(caused by wmi
    timeout/crash) is followed by immediate suspend event. The FW recovery
    is triggered by ath10k_core_restart() which calls driver clean up via
    ath10k_halt(). When the suspend event occurs between the FW recovery,
    the restart worker thread is put into frozen state until suspend completes.
    The suspend event triggers ath10k_stop() which again triggers ath10k_halt()
    The double invocation of ath10k_halt() causes ath10k_htt_rx_free() to be
    called twice(Note: ath10k_htt_rx_alloc was not called by restart worker
    thread because of its frozen state), causing the crash.

    To fix this, during the suspend flow, skip call to ath10k_halt() in
    ath10k_stop() when the current driver state is ATH10K_STATE_RESTARTING.
    Also, for driver state ATH10K_STATE_RESTARTING, call
    ath10k_wait_for_suspend() in ath10k_stop(). This is because call to
    ath10k_wait_for_suspend() is skipped later in
    [ath10k_halt() > ath10k_core_stop()] for the driver state
    ATH10K_STATE_RESTARTING.

    The frozen restart worker thread will be cancelled during resume when the
    device comes out of suspend.

    Below is the crash stack for reference:

    [  428.469167] ------------[ cut here ]------------
    [  428.469180] kernel BUG at mm/slub.c:4150!
    [  428.469193] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
    [  428.469219] Workqueue: events_unbound async_run_entry_fn
    [  428.469230] RIP: 0010:kfree+0x319/0x31b
    [  428.469241] RSP: 0018:ffffa1fac015fc30 EFLAGS: 00010246
    [  428.469247] RAX: ffffedb10419d108 RBX: ffff8c05262b0000
    [  428.469252] RDX: ffff8c04a8c07000 RSI: 0000000000000000
    [  428.469256] RBP: ffffa1fac015fc78 R08: 0000000000000000
    [  428.469276] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  428.469285] Call Trace:
    [  428.469295]  ? dma_free_attrs+0x5f/0x7d
    [  428.469320]  ath10k_core_stop+0x5b/0x6f
    [  428.469336]  ath10k_halt+0x126/0x177
    [  428.469352]  ath10k_stop+0x41/0x7e
    [  428.469387]  drv_stop+0x88/0x10e
    [  428.469410]  __ieee80211_suspend+0x297/0x411
    [  428.469441]  rdev_suspend+0x6e/0xd0
    [  428.469462]  wiphy_suspend+0xb1/0x105
    [  428.469483]  ? name_show+0x2d/0x2d
    [  428.469490]  dpm_run_callback+0x8c/0x126
    [  428.469511]  ? name_show+0x2d/0x2d
    [  428.469517]  __device_suspend+0x2e7/0x41b
    [  428.469523]  async_suspend+0x1f/0x93
    [  428.469529]  async_run_entry_fn+0x3d/0xd1
    [  428.469535]  process_one_work+0x1b1/0x329
    [  428.469541]  worker_thread+0x213/0x372
    [  428.469547]  kthread+0x150/0x15f
    [  428.469552]  ? pr_cont_work+0x58/0x58
    [  428.469558]  ? kthread_blkcg+0x31/0x31

    Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-989404
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3c7ac38d");
  # https://lore.kernel.org/linux-cve-announce/2025022610-CVE-2022-49519-3b0d@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?baa78758");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-49519");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-49519");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/05/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation