CVE-2025-38293

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
10/07/2025
Last modified:
18/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: fix node corruption in ar->arvifs list

In current WLAN recovery code flow, ath11k_core_halt() only reinitializes the "arvifs" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head "arvifs", but the next of the list head "arvifs" no longer points to that list node.

When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath11k_mac_op_remove_interface(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic.

The fix is to remove and reinitialize all vif list nodes from the list head "arvifs" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath11k_mac_op_remove_interface() can execute normally.

Call trace:
__list_del_entry_valid_or_report+0xb8/0xd0
ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k]
drv_remove_interface+0x48/0x194 [mac80211]
ieee80211_do_stop+0x6e0/0x844 [mac80211]
ieee80211_stop+0x44/0x17c [mac80211]
__dev_close_many+0xac/0x150
__dev_change_flags+0x194/0x234
dev_change_flags+0x24/0x6c
devinet_ioctl+0x3a0/0x670
inet_ioctl+0x200/0x248
sock_do_ioctl+0x60/0x118
sock_ioctl+0x274/0x35c
__arm64_sys_ioctl+0xac/0xf0
invoke_syscall+0x48/0x114
...

Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
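The list invariant described above can be reproduced in userspace. The following is an added example, not code from the ath11k driver or the upstream patch: it models a circular doubly linked list and compares a halt that resets only the head with one that removes and reinitializes every node. The names struct vif, halt_head_only, halt_fixed and removal_is_safe_after_halt are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal userspace model of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add(struct list_head *n, struct list_head *head) {
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}

/* The neighbour-consistency invariant that list_del() validation enforces. */
static bool list_del_entry_valid(const struct list_head *e) {
    return e->prev->next == e && e->next->prev == e;
}

/* Unlink a node and leave it pointing at itself, so it stays valid. */
static void list_del_init(struct list_head *e) {
    e->next->prev = e->prev; e->prev->next = e->next;
    init_list_head(e);
}

/* Hypothetical stand-in for a vif; only the list linkage is modelled. */
struct vif { struct list_head list; };

/* Pre-fix behaviour: only the head is reset, nodes keep stale pointers. */
static void halt_head_only(struct list_head *arvifs) { init_list_head(arvifs); }

/* Post-fix behaviour: every node is removed and reinitialized. */
static void halt_fixed(struct list_head *arvifs) {
    while (arvifs->next != arvifs)
        list_del_init(arvifs->next);
}

/* True if a list_del() on every vif after the halt would pass validation. */
static bool removal_is_safe_after_halt(void (*halt)(struct list_head *)) {
    struct list_head arvifs;
    struct vif v[3];
    bool ok = true;
    init_list_head(&arvifs);
    for (int i = 0; i < 3; i++) list_add(&v[i].list, &arvifs);
    halt(&arvifs);
    for (int i = 0; i < 3; i++) ok = ok && list_del_entry_valid(&v[i].list);
    return ok;
}

int main(void) {
    printf("head-only halt safe: %d\n", removal_is_safe_after_halt(halt_head_only));
    printf("fixed halt safe: %d\n", removal_is_safe_after_halt(halt_fixed));
    return 0;
}
```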

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.6 (including) | 5.10.239 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.186 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.142 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.94 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.34 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.3 (excluding) |
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | | |