CVE-2025-38601
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/08/2025
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
wifi: ath11k: clear initialized flag for deinit-ed srng lists<br />
<br />
In a number of cases we see kernel panics on resume due<br />
to ath11k kernel page fault, which happens under the<br />
following circumstances:<br />
<br />
1) First ath11k_hal_dump_srng_stats() call<br />
<br />
Last interrupt received for each group:<br />
ath11k_pci 0000:01:00.0: group_id 0 22511ms before<br />
ath11k_pci 0000:01:00.0: group_id 1 14440788ms before<br />
[..]<br />
ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..<br />
ath11k_pci 0000:01:00.0: Service connect timeout<br />
ath11k_pci 0000:01:00.0: failed to connect to HTT: -110<br />
ath11k_pci 0000:01:00.0: failed to start core: -110<br />
ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM<br />
ath11k_pci 0000:01:00.0: already resetting count 2<br />
ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110<br />
ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110<br />
ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery<br />
[..]<br />
<br />
2) At this point reconfiguration fails (we have 2 resets) and<br />
ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()<br />
which destroys srng lists. However, it does not reset per-list<br />
->initialized flag.<br />
<br />
3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized<br />
flag and attempts to dump srng stats:<br />
<br />
Last interrupt received for each group:<br />
ath11k_pci 0000:01:00.0: group_id 0 66785ms before<br />
ath11k_pci 0000:01:00.0: group_id 1 14485062ms before<br />
ath11k_pci 0000:01:00.0: group_id 2 14485062ms before<br />
ath11k_pci 0000:01:00.0: group_id 3 14485062ms before<br />
ath11k_pci 0000:01:00.0: group_id 4 14780845ms before<br />
ath11k_pci 0000:01:00.0: group_id 5 14780845ms before<br />
ath11k_pci 0000:01:00.0: group_id 6 14485062ms before<br />
ath11k_pci 0000:01:00.0: group_id 7 66814ms before<br />
ath11k_pci 0000:01:00.0: group_id 8 68997ms before<br />
ath11k_pci 0000:01:00.0: group_id 9 67588ms before<br />
ath11k_pci 0000:01:00.0: group_id 10 69511ms before<br />
BUG: unable to handle page fault for address: ffffa007404eb010<br />
#PF: supervisor read access in kernel mode<br />
#PF: error_code(0x0000) - not-present page<br />
PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0<br />
Oops: 0000 [#1] PREEMPT SMP NOPTI<br />
RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]<br />
Call Trace:<br />
<br />
? __die_body+0xae/0xb0<br />
? page_fault_oops+0x381/0x3e0<br />
? exc_page_fault+0x69/0xa0<br />
? asm_exc_page_fault+0x22/0x30<br />
? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]<br />
ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]<br />
worker_thread+0x389/0x930<br />
kthread+0x149/0x170<br />
<br />
Clear per-list ->initialized flag in ath11k_hal_srng_deinit().
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0ebb5fe494501c19f31270008b26ab95201af6fd
- https://git.kernel.org/stable/c/16872194c80f2724472fc207991712895ac8a230
- https://git.kernel.org/stable/c/3a6daae987a829534636fd85ed6f84d5f0ad7fa4
- https://git.kernel.org/stable/c/5bf201c55fdf303e79005038648dfa1e8af48f54
- https://git.kernel.org/stable/c/72a48be1f53942793f3bc68a37fad1f38b53b082
- https://git.kernel.org/stable/c/916ac18d526a26f6072866b1a97622cf1351ef1c
- https://git.kernel.org/stable/c/a5b46aa7cf5f05c213316a018e49a8e086efd98e
- https://git.kernel.org/stable/c/eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html