-

CVE-2025-38601

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: clear initialized flag for deinit-ed srng lists

In a number of cases we see kernel panics on resume due
to ath11k kernel page fault, which happens under the
following circumstances:

1) First ath11k_hal_dump_srng_stats() call

 Last interrupt received for each group:
 ath11k_pci 0000:01:00.0: group_id 0 22511ms before
 ath11k_pci 0000:01:00.0: group_id 1 14440788ms before
 [..]
 ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..
 ath11k_pci 0000:01:00.0: Service connect timeout
 ath11k_pci 0000:01:00.0: failed to connect to HTT: -110
 ath11k_pci 0000:01:00.0: failed to start core: -110
 ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM
 ath11k_pci 0000:01:00.0: already resetting count 2
 ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110
 ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110
 ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery
 [..]

2) At this point reconfiguration fails (we have 2 resets) and
  ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()
  which destroys srng lists.  However, it does not reset per-list
  ->initialized flag.

3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized
  flag and attempts to dump srng stats:

 Last interrupt received for each group:
 ath11k_pci 0000:01:00.0: group_id 0 66785ms before
 ath11k_pci 0000:01:00.0: group_id 1 14485062ms before
 ath11k_pci 0000:01:00.0: group_id 2 14485062ms before
 ath11k_pci 0000:01:00.0: group_id 3 14485062ms before
 ath11k_pci 0000:01:00.0: group_id 4 14780845ms before
 ath11k_pci 0000:01:00.0: group_id 5 14780845ms before
 ath11k_pci 0000:01:00.0: group_id 6 14485062ms before
 ath11k_pci 0000:01:00.0: group_id 7 66814ms before
 ath11k_pci 0000:01:00.0: group_id 8 68997ms before
 ath11k_pci 0000:01:00.0: group_id 9 67588ms before
 ath11k_pci 0000:01:00.0: group_id 10 69511ms before
 BUG: unable to handle page fault for address: ffffa007404eb010
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0
 Oops: 0000 [#1] PREEMPT SMP NOPTI
 RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]
 Call Trace:
 <TASK>
 ? __die_body+0xae/0xb0
 ? page_fault_oops+0x381/0x3e0
 ? exc_page_fault+0x69/0xa0
 ? asm_exc_page_fault+0x22/0x30
 ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]
 ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]
 worker_thread+0x389/0x930
 kthread+0x149/0x170

Clear per-list ->initialized flag in ath11k_hal_srng_deinit().

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version < 3a6daae987a829534636fd85ed6f84d5f0ad7fa4
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
Version < eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
Version < 916ac18d526a26f6072866b1a97622cf1351ef1c
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
Version < 5bf201c55fdf303e79005038648dfa1e8af48f54
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
Version < 72a48be1f53942793f3bc68a37fad1f38b53b082
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
Version < 0ebb5fe494501c19f31270008b26ab95201af6fd
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
Version < 16872194c80f2724472fc207991712895ac8a230
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
Version < a5b46aa7cf5f05c213316a018e49a8e086efd98e
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 5.7
Status affected
Version < 5.7
Version 0
Status unaffected
Version <= 5.10.*
Version 5.10.241
Status unaffected
Version <= 5.15.*
Version 5.15.190
Status unaffected
Version <= 6.1.*
Version 6.1.148
Status unaffected
Version <= 6.6.*
Version 6.6.102
Status unaffected
Version <= 6.12.*
Version 6.12.42
Status unaffected
Version <= 6.15.*
Version 6.15.10
Status unaffected
Version <= 6.16.*
Version 6.16.1
Status unaffected
Version <= *
Version 6.17-rc1
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.04% 0.089
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String