| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025081920-CVE-2025-38601-1ab2@gregkh> Date: Tue, 19 Aug 2025 19:18:47 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38601: wifi: ath11k: clear initialized flag for deinit-ed srng lists From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: clear initialized flag for deinit-ed srng lists In a number of cases we see kernel panics on resume due to ath11k kernel page fault, which happens under the following circumstances: 1) First ath11k_hal_dump_srng_stats() call Last interrupt received for each group: ath11k_pci 0000:01:00.0: group_id 0 22511ms before ath11k_pci 0000:01:00.0: group_id 1 14440788ms before [..] ath11k_pci 0000:01:00.0: failed to receive control response completion, polling.. ath11k_pci 0000:01:00.0: Service connect timeout ath11k_pci 0000:01:00.0: failed to connect to HTT: -110 ath11k_pci 0000:01:00.0: failed to start core: -110 ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM ath11k_pci 0000:01:00.0: already resetting count 2 ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110 ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110 ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery [..] 2) At this point reconfiguration fails (we have 2 resets) and ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit() which destroys srng lists. However, it does not reset per-list ->initialized flag. 3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized flag and attempts to dump srng stats: Last interrupt received for each group: ath11k_pci 0000:01:00.0: group_id 0 66785ms before ath11k_pci 0000:01:00.0: group_id 1 14485062ms before ath11k_pci 0000:01:00.0: group_id 2 14485062ms before ath11k_pci 0000:01:00.0: group_id 3 14485062ms before ath11k_pci 0000:01:00.0: group_id 4 14780845ms before ath11k_pci 0000:01:00.0: group_id 5 14780845ms before ath11k_pci 0000:01:00.0: group_id 6 14485062ms before ath11k_pci 0000:01:00.0: group_id 7 66814ms before ath11k_pci 0000:01:00.0: group_id 8 68997ms before ath11k_pci 0000:01:00.0: group_id 9 67588ms before ath11k_pci 0000:01:00.0: group_id 10 69511ms before BUG: unable to handle page fault for address: ffffa007404eb010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k] Call Trace: <TASK> ? __die_body+0xae/0xb0 ? page_fault_oops+0x381/0x3e0 ? exc_page_fault+0x69/0xa0 ? asm_exc_page_fault+0x22/0x30 ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)] ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)] worker_thread+0x389/0x930 kthread+0x149/0x170 Clear per-list ->initialized flag in ath11k_hal_srng_deinit(). The Linux kernel CVE team has assigned CVE-2025-38601 to this issue. Affected and fixed versions =========================== Issue introduced in 5.7 with commit 5118935b1bc28d0bce9427e584e11e905e68ee9a and fixed in 6.1.148 with commit 916ac18d526a26f6072866b1a97622cf1351ef1c Issue introduced in 5.7 with commit 5118935b1bc28d0bce9427e584e11e905e68ee9a and fixed in 6.6.102 with commit 5bf201c55fdf303e79005038648dfa1e8af48f54 Issue introduced in 5.7 with commit 5118935b1bc28d0bce9427e584e11e905e68ee9a and fixed in 6.12.42 with commit 72a48be1f53942793f3bc68a37fad1f38b53b082 Issue introduced in 5.7 with commit 5118935b1bc28d0bce9427e584e11e905e68ee9a and fixed in 6.15.10 with commit 0ebb5fe494501c19f31270008b26ab95201af6fd Issue introduced in 5.7 with commit 5118935b1bc28d0bce9427e584e11e905e68ee9a and fixed in 6.16.1 with commit 16872194c80f2724472fc207991712895ac8a230 Issue introduced in 5.7 with commit 5118935b1bc28d0bce9427e584e11e905e68ee9a and fixed in 6.17-rc1 with commit a5b46aa7cf5f05c213316a018e49a8e086efd98e Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38601 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/wireless/ath/ath11k/hal.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/916ac18d526a26f6072866b1a97622cf1351ef1c https://git.kernel.org/stable/c/5bf201c55fdf303e79005038648dfa1e8af48f54 https://git.kernel.org/stable/c/72a48be1f53942793f3bc68a37fad1f38b53b082 https://git.kernel.org/stable/c/0ebb5fe494501c19f31270008b26ab95201af6fd https://git.kernel.org/stable/c/16872194c80f2724472fc207991712895ac8a230 https://git.kernel.org/stable/c/a5b46aa7cf5f05c213316a018e49a8e086efd98e
Powered by blists - more mailing lists