-

CVE-2025-38601

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: clear initialized flag for deinit-ed srng lists

In a number of cases we see kernel panics on resume due
to ath11k kernel page fault, which happens under the
following circumstances:

1) First ath11k_hal_dump_srng_stats() call

 Last interrupt received for each group:
 ath11k_pci 0000:01:00.0: group_id 0 22511ms before
 ath11k_pci 0000:01:00.0: group_id 1 14440788ms before
 [..]
 ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..
 ath11k_pci 0000:01:00.0: Service connect timeout
 ath11k_pci 0000:01:00.0: failed to connect to HTT: -110
 ath11k_pci 0000:01:00.0: failed to start core: -110
 ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM
 ath11k_pci 0000:01:00.0: already resetting count 2
 ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110
 ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110
 ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery
 [..]

2) At this point reconfiguration fails (we have 2 resets) and
  ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()
  which destroys srng lists.  However, it does not reset per-list
  ->initialized flag.

3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized
  flag and attempts to dump srng stats:

 Last interrupt received for each group:
 ath11k_pci 0000:01:00.0: group_id 0 66785ms before
 ath11k_pci 0000:01:00.0: group_id 1 14485062ms before
 ath11k_pci 0000:01:00.0: group_id 2 14485062ms before
 ath11k_pci 0000:01:00.0: group_id 3 14485062ms before
 ath11k_pci 0000:01:00.0: group_id 4 14780845ms before
 ath11k_pci 0000:01:00.0: group_id 5 14780845ms before
 ath11k_pci 0000:01:00.0: group_id 6 14485062ms before
 ath11k_pci 0000:01:00.0: group_id 7 66814ms before
 ath11k_pci 0000:01:00.0: group_id 8 68997ms before
 ath11k_pci 0000:01:00.0: group_id 9 67588ms before
 ath11k_pci 0000:01:00.0: group_id 10 69511ms before
 BUG: unable to handle page fault for address: ffffa007404eb010
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0
 Oops: 0000 [#1] PREEMPT SMP NOPTI
 RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]
 Call Trace:
 <TASK>
 ? __die_body+0xae/0xb0
 ? page_fault_oops+0x381/0x3e0
 ? exc_page_fault+0x69/0xa0
 ? asm_exc_page_fault+0x22/0x30
 ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]
 ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]
 worker_thread+0x389/0x930
 kthread+0x149/0x170

Clear per-list ->initialized flag in ath11k_hal_srng_deinit().

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorLinux
Product Linux
Default Statusunaffected
Version < 3a6daae987a829534636fd85ed6f84d5f0ad7fa4
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
Version < eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
Version < 916ac18d526a26f6072866b1a97622cf1351ef1c
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
Version < 5bf201c55fdf303e79005038648dfa1e8af48f54
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
Version < 72a48be1f53942793f3bc68a37fad1f38b53b082
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
Version < 0ebb5fe494501c19f31270008b26ab95201af6fd
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
Version < 16872194c80f2724472fc207991712895ac8a230
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
Version < a5b46aa7cf5f05c213316a018e49a8e086efd98e
Version 5118935b1bc28d0bce9427e584e11e905e68ee9a
Status affected
VendorLinux
Product Linux
Default Statusaffected
Version 5.7
Status affected
Version < 5.7
Version 0
Status unaffected
Version <= 5.10.*
Version 5.10.241
Status unaffected
Version <= 5.15.*
Version 5.15.190
Status unaffected
Version <= 6.1.*
Version 6.1.148
Status unaffected
Version <= 6.6.*
Version 6.6.102
Status unaffected
Version <= 6.12.*
Version 6.12.42
Status unaffected
Version <= 6.15.*
Version 6.15.10
Status unaffected
Version <= 6.16.*
Version 6.16.1
Status unaffected
Version <= *
Version 6.17-rc1
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.04% 0.089
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string