CVE-2025-23133
Severity CVSS v4.0:
Pending analysis
Type:
CWE-787
Out-of-bounds Write
Publication date:
16/04/2025
Last modified:
04/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: update channel list in reg notifier instead reg worker

Currently when ath11k gets a new channel list, it will be processed
according to the following steps:
1. update new channel list to cfg80211 and queue reg_work.
2. cfg80211 handles new channel list during reg_work.
3. update cfg80211's handled channel list to firmware by
ath11k_reg_update_chan_list().

But ath11k will immediately execute step 3 after reg_work is just
queued. Since step 2 is asynchronous, cfg80211 may not have completed
handling the new channel list, which may lead to an out-of-bounds
write error:
BUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list
Call Trace:
ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k]
kfree+0x109/0x3a0
ath11k_regd_update+0x1cf/0x350 [ath11k]
ath11k_regd_update_work+0x14/0x20 [ath11k]
process_one_work+0xe35/0x14c0

Should ensure step 2 is completely done before executing step 3. Thus
Wen raised patch [1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set,
cfg80211 will notify ath11k after step 2 is done.

So enable the flag NL80211_REGDOM_SET_BY_DRIVER, and then cfg80211 will
notify ath11k after step 2 is done. At this time, there will be no
KASAN bug during the execution of step 3.

[1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/

Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.79 (including) | 5.16 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.0.9 (including) | 6.1 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.1 (including) | 6.12.46 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.14.2 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.1:-:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc8:*:*:*:*:*:* | | |
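As an added triage helper (not part of the advisory or of the kernel project), the following Python encodes the affected ranges and the individually listed 6.1 entries from the table above and checks a kernel release string against them, sorting release candidates below the final release. It assumes the release string begins with an upstream `major.minor[.patch][-rcN]` form as `uname -r` prints it, and that a `/sys/module/ath11k` directory indicates the ath11k driver is loaded on the host.

```python
import os
import platform
import re

# Affected ranges copied from the advisory table: (from, inclusive) .. (up to, exclusive)
AFFECTED_RANGES = [
    ("5.15.79", "5.16"),
    ("6.0.9", "6.1"),
    ("6.1.1", "6.12.46"),
    ("6.13", "6.14.2"),
]
# Versions the advisory table lists individually rather than as a range
AFFECTED_EXACT = ["6.1", "6.1-rc5", "6.1-rc6", "6.1-rc7", "6.1-rc8"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_version(text):
    """Map '6.12.45-generic' or '6.1-rc7' to a comparable tuple.

    Distribution suffixes after the upstream version are ignored. A release
    candidate sorts below the final release it precedes (6.1-rc8 < 6.1 == 6.1.0).
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised kernel version: {text!r}")
    major, minor, patch, rc = match.groups()
    rc_key = (0, int(rc)) if rc else (1, 0)  # rc versions rank below finals
    return (int(major), int(minor), int(patch or 0), rc_key)


def is_affected(version_text):
    """True if the upstream version lies in a listed range or is listed exactly."""
    version = parse_version(version_text)
    if any(version == parse_version(v) for v in AFFECTED_EXACT):
        return True
    return any(parse_version(lo) <= version < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def host_exposure():
    """Pair the version check with whether ath11k is loaded on this host.

    The bug lives in the ath11k driver, so a vulnerable version on a host that
    never loads ath11k does not run the affected code path. (Assumption: the
    /sys/module/ath11k directory is present exactly when the driver is loaded.)
    """
    release = platform.release()
    try:
        version_affected = is_affected(release)
    except ValueError:  # non-Linux or unparseable release string
        version_affected = None
    return {"kernel": release, "version_affected": version_affected,
            "ath11k_loaded": os.path.isdir("/sys/module/ath11k")}
```

A host whose kernel is in range but has no ath11k driver loaded is a patching priority question, not an active exposure; one with both flags true is where the fixed kernel matters first.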