fkie_cve-2025-38601
Vulnerability from fkie_nvd
Published
2025-08-19 17:15
Modified
2025-08-28 15:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: clear initialized flag for deinit-ed srng lists In a number of cases we see kernel panics on resume due to ath11k kernel page fault, which happens under the following circumstances: 1) First ath11k_hal_dump_srng_stats() call Last interrupt received for each group: ath11k_pci 0000:01:00.0: group_id 0 22511ms before ath11k_pci 0000:01:00.0: group_id 1 14440788ms before [..] ath11k_pci 0000:01:00.0: failed to receive control response completion, polling.. ath11k_pci 0000:01:00.0: Service connect timeout ath11k_pci 0000:01:00.0: failed to connect to HTT: -110 ath11k_pci 0000:01:00.0: failed to start core: -110 ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM ath11k_pci 0000:01:00.0: already resetting count 2 ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110 ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110 ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery [..] 2) At this point reconfiguration fails (we have 2 resets) and ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit() which destroys srng lists. However, it does not reset per-list ->initialized flag. 3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized flag and attempts to dump srng stats: Last interrupt received for each group: ath11k_pci 0000:01:00.0: group_id 0 66785ms before ath11k_pci 0000:01:00.0: group_id 1 14485062ms before ath11k_pci 0000:01:00.0: group_id 2 14485062ms before ath11k_pci 0000:01:00.0: group_id 3 14485062ms before ath11k_pci 0000:01:00.0: group_id 4 14780845ms before ath11k_pci 0000:01:00.0: group_id 5 14780845ms before ath11k_pci 0000:01:00.0: group_id 6 14485062ms before ath11k_pci 0000:01:00.0: group_id 7 66814ms before ath11k_pci 0000:01:00.0: group_id 8 68997ms before ath11k_pci 0000:01:00.0: group_id 9 67588ms before ath11k_pci 0000:01:00.0: group_id 10 69511ms before BUG: unable to handle page fault for address: ffffa007404eb010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k] Call Trace: <TASK> ? __die_body+0xae/0xb0 ? page_fault_oops+0x381/0x3e0 ? exc_page_fault+0x69/0xa0 ? asm_exc_page_fault+0x22/0x30 ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)] ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)] worker_thread+0x389/0x930 kthread+0x149/0x170 Clear per-list ->initialized flag in ath11k_hal_srng_deinit().
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0ebb5fe494501c19f31270008b26ab95201af6fd
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/16872194c80f2724472fc207991712895ac8a230
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3a6daae987a829534636fd85ed6f84d5f0ad7fa4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5bf201c55fdf303e79005038648dfa1e8af48f54
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/72a48be1f53942793f3bc68a37fad1f38b53b082
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/916ac18d526a26f6072866b1a97622cf1351ef1c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a5b46aa7cf5f05c213316a018e49a8e086efd98e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: clear initialized flag for deinit-ed srng lists\n\nIn a number of cases we see kernel panics on resume due\nto ath11k kernel page fault, which happens under the\nfollowing circumstances:\n\n1) First ath11k_hal_dump_srng_stats() call\n\n Last interrupt received for each group:\n ath11k_pci 0000:01:00.0: group_id 0 22511ms before\n ath11k_pci 0000:01:00.0: group_id 1 14440788ms before\n [..]\n ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..\n ath11k_pci 0000:01:00.0: Service connect timeout\n ath11k_pci 0000:01:00.0: failed to connect to HTT: -110\n ath11k_pci 0000:01:00.0: failed to start core: -110\n ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM\n ath11k_pci 0000:01:00.0: already resetting count 2\n ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110\n ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110\n ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery\n [..]\n\n2) At this point reconfiguration fails (we have 2 resets) and\n  ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()\n  which destroys srng lists.  However, it does not reset per-list\n  -\u003einitialized flag.\n\n3) Second ath11k_hal_dump_srng_stats() call sees stale -\u003einitialized\n  flag and attempts to dump srng stats:\n\n Last interrupt received for each group:\n ath11k_pci 0000:01:00.0: group_id 0 66785ms before\n ath11k_pci 0000:01:00.0: group_id 1 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 2 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 3 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 4 14780845ms before\n ath11k_pci 0000:01:00.0: group_id 5 14780845ms before\n ath11k_pci 0000:01:00.0: group_id 6 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 7 66814ms before\n ath11k_pci 0000:01:00.0: group_id 8 68997ms before\n ath11k_pci 0000:01:00.0: group_id 9 67588ms before\n ath11k_pci 0000:01:00.0: group_id 10 69511ms before\n BUG: unable to handle page fault for address: ffffa007404eb010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]\n Call Trace:\n \u003cTASK\u003e\n ? __die_body+0xae/0xb0\n ? page_fault_oops+0x381/0x3e0\n ? exc_page_fault+0x69/0xa0\n ? asm_exc_page_fault+0x22/0x30\n ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]\n ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]\n worker_thread+0x389/0x930\n kthread+0x149/0x170\n\nClear per-list -\u003einitialized flag in ath11k_hal_srng_deinit()."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: ath11k: borrar el indicador inicializado para listas srng desiniciadas En varios casos, vemos p\u00e1nicos del kernel al reanudarse debido a un fallo de p\u00e1gina del kernel ath11k, que sucede en las siguientes circunstancias: 1) Primera llamada a ath11k_hal_dump_srng_stats() \u00daltima interrupci\u00f3n recibida para cada grupo: ath11k_pci 0000:01:00.0: group_id 0 22511ms antes ath11k_pci 0000:01:00.0: group_id 1 14440788ms antes [..] ath11k_pci 0000:01:00.0: no se pudo recibir la respuesta de control finalizaci\u00f3n, sondeo.. ath11k_pci 0000:01:00.0: tiempo de espera de conexi\u00f3n del servicio ath11k_pci 0000:01:00.0: no se pudo conectar a HTT: -110 ath11k_pci 0000:01:00.0: no se pudo iniciar el n\u00facleo: -110 ath11k_pci 0000:01:00.0: el firmware fall\u00f3: MHI_CB_EE_RDDM ath11k_pci 0000:01:00.0: ya se est\u00e1 restableciendo el recuento 2 ath11k_pci 0000:01:00.0: no se pudo esperar la solicitud de modo wlan (modo 4): -110 ath11k_pci 0000:01:00.0: qmi no pudo enviar el modo wlan desactivado: -110 ath11k_pci 0000:01:00.0: no se pudo reconfigurar el controlador en la recuperaci\u00f3n de falla [..] 2) En este punto, la reconfiguraci\u00f3n falla (tenemos 2 Se reinicia) y ath11k_core_reconfigure_on_crash() llama a ath11k_hal_srng_deinit(), que destruye las listas srng. Sin embargo, no reinicia el indicador de inicializaci\u00f3n por lista. 3) La segunda llamada ath11k_hal_dump_srng_stats() ve la bandera obsoleta -\u0026gt;inicializada e intenta volcar las estad\u00edsticas de srng: \u00daltima interrupci\u00f3n recibida para cada grupo: ath11k_pci 0000:01:00.0: group_id 0 66785ms antes ath11k_pci 0000:01:00.0: group_id 1 14485062ms antes ath11k_pci 0000:01:00.0: group_id 2 14485062ms antes ath11k_pci 0000:01:00.0: group_id 3 14485062ms antes ath11k_pci 0000:01:00.0: group_id 4 14780845ms antes ath11k_pci 0000:01:00.0: group_id 5 14780845ms antes ath11k_pci 0000:01:00.0: group_id 6 14485062ms antes ath11k_pci 0000:01:00.0: group_id 7 66814ms antes ath11k_pci 0000:01:00.0: group_id 8 68997ms antes ath11k_pci 0000:01:00.0: group_id 9 67588ms antes ath11k_pci 0000:01:00.0: group_id 10 69511ms antes ERROR: no se puede manejar el error de p\u00e1gina para la direcci\u00f3n: ffffa007404eb010 #PF: lectura del supervisor acceso en modo kernel #PF: error_code(0x0000) - p\u00e1gina no presente PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k] Seguimiento de llamadas:  ? __die_body+0xae/0xb0 ? page_fault_oops+0x381/0x3e0 ? exc_page_fault+0x69/0xa0 ? asm_exc_page_fault+0x22/0x30 ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)] ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)] worker_thread+0x389/0x930 kthread+0x149/0x170 Limpiar la bandera por lista -\u0026gt;inicializada en ath11k_hal_srng_deinit()."
    }
  ],
  "id": "CVE-2025-38601",
  "lastModified": "2025-08-28T15:15:54.663",
  "metrics": {},
  "published": "2025-08-19T17:15:38.233",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/0ebb5fe494501c19f31270008b26ab95201af6fd"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/16872194c80f2724472fc207991712895ac8a230"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3a6daae987a829534636fd85ed6f84d5f0ad7fa4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/5bf201c55fdf303e79005038648dfa1e8af48f54"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/72a48be1f53942793f3bc68a37fad1f38b53b082"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/916ac18d526a26f6072866b1a97622cf1351ef1c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a5b46aa7cf5f05c213316a018e49a8e086efd98e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.