CVE-2025-38290

Severity CVSS v4.0: Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 10/07/2025
Last modified: 19/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix node corruption in ar->arvifs list

In current WLAN recovery code flow, ath12k_core_halt() only reinitializes
the "arvifs" list head. This will cause the list node immediately following
the list head to become an invalid list node. Because the prev of that node
still points to the list head "arvifs", but the next of the list head
"arvifs" no longer points to that list node.

When a WLAN recovery occurs during the execution of a vif removal, and it
happens before the spin_lock_bh(&ar->data_lock) in
ath12k_mac_vdev_delete(), list_del() will detect the previously mentioned
situation, thereby triggering a kernel panic.

The fix is to remove and reinitialize all vif list nodes from the list head
"arvifs" during WLAN halt. The reinitialization is to make the list nodes
valid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute
normally.

Call trace:
__list_del_entry_valid_or_report+0xd4/0x100 (P)
ath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k]
ath12k_scan_vdev_clean_work+0x40/0x164 [ath12k]
cfg80211_wiphy_work+0xfc/0x100
process_one_work+0x164/0x2d0
worker_thread+0x254/0x380
kthread+0xfc/0x100
ret_from_fork+0x10/0x20

The change is mostly copied from the ath11k patch:
https://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
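The list state described above, reproduced in a small userspace model of a circular doubly linked list. This is an added example, not the ath12k patch or kernel source; the helper names (list_del_checked, halt_head_only, halt_drain, delete_after_halt) and the three vif nodes are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev;
    n->next = head;
    head->prev->next = n;
    head->prev = n;
}

/* Unlink e only if both neighbours still point back at it; false = corruption. */
static bool list_del_checked(struct list_head *e)
{
    if (e->prev->next != e || e->next->prev != e)
        return false;
    e->next->prev = e->prev;
    e->prev->next = e->next;
    init_list_head(e);
    return true;
}

/* Halt as described before the fix: only the list head is reinitialized. */
static void halt_head_only(struct list_head *head) { init_list_head(head); }

/* Halt as described after the fix: every node is removed and reinitialized. */
static void halt_drain(struct list_head *head)
{
    while (head->next != head)
        list_del_checked(head->next);
}

/* Build arvifs with three constructed vif nodes, halt, then delete node idx. */
static bool delete_after_halt(bool fixed, int idx)
{
    struct list_head arvifs, vif[3];
    init_list_head(&arvifs);
    for (int i = 0; i < 3; i++) list_add_tail(&vif[i], &arvifs);
    if (fixed) halt_drain(&arvifs); else halt_head_only(&arvifs);
    return list_del_checked(&vif[idx]);
}

int main(void)
{
    printf("head-only: %d, drained: %d\n", delete_after_halt(false, 0), delete_after_halt(true, 0));
    return 0;
}
```

In this model the first node fails the check after a head-only halt because its prev still points at a head whose next no longer points back, while a node that was drained and reinitialized points at itself and unlinks cleanly.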

Vulnerable products and versions

CPE                                            From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.3 (including)   6.6.94 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7 (including)   6.12.34 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.13 (including)  6.15.3 (excluding)