| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025071011-CVE-2025-38290-36c3@gregkh> Date: Thu, 10 Jul 2025 09:42:31 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38290: wifi: ath12k: fix node corruption in ar->arvifs list From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix node corruption in ar->arvifs list In current WLAN recovery code flow, ath12k_core_halt() only reinitializes the "arvifs" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head "arvifs", but the next of the list head "arvifs" no longer points to that list node. When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath12k_mac_vdev_delete(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic. The fix is to remove and reinitialize all vif list nodes from the list head "arvifs" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute normally. Call trace: __list_del_entry_valid_or_report+0xd4/0x100 (P) ath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k] ath12k_scan_vdev_clean_work+0x40/0x164 [ath12k] cfg80211_wiphy_work+0xfc/0x100 process_one_work+0x164/0x2d0 worker_thread+0x254/0x380 kthread+0xfc/0x100 ret_from_fork+0x10/0x20 The change is mostly copied from the ath11k patch: https://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/ Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 The Linux kernel CVE team has assigned CVE-2025-38290 to this issue. Affected and fixed versions =========================== Issue introduced in 6.3 with commit d889913205cf7ebda905b1e62c5867ed4e39f6c2 and fixed in 6.6.94 with commit be049199dec9189602bc06e2c70eda3aa0f2ea6e Issue introduced in 6.3 with commit d889913205cf7ebda905b1e62c5867ed4e39f6c2 and fixed in 6.12.34 with commit 6285516170f9e2f04b9dbf1e5100e0d7cbac22b4 Issue introduced in 6.3 with commit d889913205cf7ebda905b1e62c5867ed4e39f6c2 and fixed in 6.15.3 with commit 6bfe7ae9bbd9734751b853e2d2e1c13e8b46fd2d Issue introduced in 6.3 with commit d889913205cf7ebda905b1e62c5867ed4e39f6c2 and fixed in 6.16-rc1 with commit 823435bd23108d6f8be89ea2d025c0e2e3769c51 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38290 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/wireless/ath/ath12k/core.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/be049199dec9189602bc06e2c70eda3aa0f2ea6e https://git.kernel.org/stable/c/6285516170f9e2f04b9dbf1e5100e0d7cbac22b4 https://git.kernel.org/stable/c/6bfe7ae9bbd9734751b853e2d2e1c13e8b46fd2d https://git.kernel.org/stable/c/823435bd23108d6f8be89ea2d025c0e2e3769c51
Powered by blists - more mailing lists