ghsa-j45q-p2r4-75m3
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash
Currently, we encounter the following kernel call trace when a firmware crash occurs. This happens because the host sends WMI commands to the firmware while it is in recovery, causing the commands to fail and resulting in the kernel call trace.
Set the ATH12K_FLAG_CRASH_FLUSH and ATH12K_FLAG_RECOVERY flags when the host driver receives the firmware crash notification from MHI. This prevents sending WMI commands to the firmware during recovery.
Call Trace:

```
 <TASK>
 dump_stack_lvl+0x75/0xc0
 register_lock_class+0x6be/0x7a0
 ? __lock_acquire+0x644/0x19a0
 __lock_acquire+0x95/0x19a0
 lock_acquire+0x265/0x310
 ? ath12k_ce_send+0xa2/0x210 [ath12k]
 ? find_held_lock+0x34/0xa0
 ? ath12k_ce_send+0x56/0x210 [ath12k]
 _raw_spin_lock_bh+0x33/0x70
 ? ath12k_ce_send+0xa2/0x210 [ath12k]
 ath12k_ce_send+0xa2/0x210 [ath12k]
 ath12k_htc_send+0x178/0x390 [ath12k]
 ath12k_wmi_cmd_send_nowait+0x76/0xa0 [ath12k]
 ath12k_wmi_cmd_send+0x62/0x190 [ath12k]
 ath12k_wmi_pdev_bss_chan_info_request+0x62/0xc0 [ath1
 ath12k_mac_op_get_survey+0x2be/0x310 [ath12k]
 ieee80211_dump_survey+0x99/0x240 [mac80211]
 nl80211_dump_survey+0xe7/0x470 [cfg80211]
 ? kmalloc_reserve+0x59/0xf0
 genl_dumpit+0x24/0x70
 netlink_dump+0x177/0x360
 __netlink_dump_start+0x206/0x280
 genl_family_rcv_msg_dumpit.isra.22+0x8a/0xe0
 ? genl_family_rcv_msg_attrs_parse.isra.23+0xe0/0xe0
 ? genl_op_lock.part.12+0x10/0x10
 ? genl_dumpit+0x70/0x70
 genl_rcv_msg+0x1d0/0x290
 ? nl80211_del_station+0x330/0x330 [cfg80211]
 ? genl_get_cmd_both+0x50/0x50
 netlink_rcv_skb+0x4f/0x100
 genl_rcv+0x1f/0x30
 netlink_unicast+0x1b6/0x260
 netlink_sendmsg+0x31a/0x450
 __sock_sendmsg+0xa8/0xb0
 ____sys_sendmsg+0x1e4/0x260
 ___sys_sendmsg+0x89/0xe0
 ? local_clock_noinstr+0xb/0xc0
 ? rcu_is_watching+0xd/0x40
 ? kfree+0x1de/0x370
 ? __sys_sendmsg+0x7a/0xc0
```
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
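The guard the patch describes, modelled in plain C as an added illustration (this is not the ath12k driver's own code): the flag bit positions, the struct layout, the command id and the helper names are assumptions, and the survey helper replays the race shown in the call trace.

```c
#include <errno.h>

/* Bit positions in dev_flags: assumed values for this model, not the driver's. */
enum ath12k_dev_flag {
	ATH12K_FLAG_CRASH_FLUSH = 0,
	ATH12K_FLAG_RECOVERY    = 1,
};

struct ath12k_base {
	unsigned long dev_flags;   /* stands in for ab->dev_flags */
	unsigned int last_cmd_id;  /* last command id handed to the send path */
	int cmds_reached_ce;       /* commands that would reach ath12k_ce_send() */
};

/* MHI firmware-crash notification: raise both flags before any recovery
 * work runs, so every WMI sender that comes afterwards sees them. */
void ath12k_fw_crash_notify(struct ath12k_base *ab)
{
	ab->dev_flags |= (1UL << ATH12K_FLAG_CRASH_FLUSH) |
			 (1UL << ATH12K_FLAG_RECOVERY);
}

/* WMI send path: with the guard, a command issued while the firmware is down
 * is refused here instead of descending into HTC/CE as in the trace above. */
int ath12k_wmi_cmd_send(struct ath12k_base *ab, unsigned int cmd_id)
{
	ab->last_cmd_id = cmd_id;
	if ((ab->dev_flags >> ATH12K_FLAG_CRASH_FLUSH) & 1UL)
		return -ESHUTDOWN;
	ab->cmds_reached_ce++;     /* would queue the buffer via HTC to the CE ring */
	return 0;
}

/* Firmware reloaded and WMI ready again: clear both flags so sends resume. */
void ath12k_recovery_done(struct ath12k_base *ab)
{
	ab->dev_flags &= ~((1UL << ATH12K_FLAG_CRASH_FLUSH) |
			   (1UL << ATH12K_FLAG_RECOVERY));
}

/* The race from the call trace: an nl80211 survey dump asks for pdev bss
 * channel info right after the crash notification. Returns the send result. */
int survey_during_recovery(struct ath12k_base *ab)
{
	ath12k_fw_crash_notify(ab);
	/* 0x4022 is a constructed id standing in for the bss chan info request */
	return ath12k_wmi_cmd_send(ab, 0x4022);
}
```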
{
  "affected": [],
  "aliases": [
    "CVE-2025-38291"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T08:15:27Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Prevent sending WMI commands to firmware during firmware crash\n\nCurrently, we encounter the following kernel call trace when a firmware\ncrash occurs. This happens because the host sends WMI commands to the\nfirmware while it is in recovery, causing the commands to fail and\nresulting in the kernel call trace.\n\nSet the ATH12K_FLAG_CRASH_FLUSH and ATH12K_FLAG_RECOVERY flags when the\nhost driver receives the firmware crash notification from MHI. This\nprevents sending WMI commands to the firmware during recovery.\n\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x75/0xc0\n register_lock_class+0x6be/0x7a0\n ? __lock_acquire+0x644/0x19a0\n __lock_acquire+0x95/0x19a0\n lock_acquire+0x265/0x310\n ? ath12k_ce_send+0xa2/0x210 [ath12k]\n ? find_held_lock+0x34/0xa0\n ? ath12k_ce_send+0x56/0x210 [ath12k]\n _raw_spin_lock_bh+0x33/0x70\n ? ath12k_ce_send+0xa2/0x210 [ath12k]\n ath12k_ce_send+0xa2/0x210 [ath12k]\n ath12k_htc_send+0x178/0x390 [ath12k]\n ath12k_wmi_cmd_send_nowait+0x76/0xa0 [ath12k]\n ath12k_wmi_cmd_send+0x62/0x190 [ath12k]\n ath12k_wmi_pdev_bss_chan_info_request+0x62/0xc0 [ath1\n ath12k_mac_op_get_survey+0x2be/0x310 [ath12k]\n ieee80211_dump_survey+0x99/0x240 [mac80211]\n nl80211_dump_survey+0xe7/0x470 [cfg80211]\n ? kmalloc_reserve+0x59/0xf0\n genl_dumpit+0x24/0x70\n netlink_dump+0x177/0x360\n __netlink_dump_start+0x206/0x280\n genl_family_rcv_msg_dumpit.isra.22+0x8a/0xe0\n ? genl_family_rcv_msg_attrs_parse.isra.23+0xe0/0xe0\n ? genl_op_lock.part.12+0x10/0x10\n ? genl_dumpit+0x70/0x70\n genl_rcv_msg+0x1d0/0x290\n ? nl80211_del_station+0x330/0x330 [cfg80211]\n ? genl_get_cmd_both+0x50/0x50\n netlink_rcv_skb+0x4f/0x100\n genl_rcv+0x1f/0x30\n netlink_unicast+0x1b6/0x260\n netlink_sendmsg+0x31a/0x450\n __sock_sendmsg+0xa8/0xb0\n ____sys_sendmsg+0x1e4/0x260\n ___sys_sendmsg+0x89/0xe0\n ? local_clock_noinstr+0xb/0xc0\n ? rcu_is_watching+0xd/0x40\n ? kfree+0x1de/0x370\n ? __sys_sendmsg+0x7a/0xc0\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
  "id": "GHSA-j45q-p2r4-75m3",
  "modified": "2025-07-10T09:32:29Z",
  "published": "2025-07-10T09:32:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38291"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2563069baf243cadc76dc64d9085606742c4b282"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9e094a9734ea3bd4d4d117c915ccf129ac61ba1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}
Sightings

| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.