CVE-2025-38601 – Qualcomm Atheros Wi-Fi ath11k: Page Fault due to Uninitialized Flag

The following table lists the changes that have been made to the
CVE-2025-38601 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Aug. 19, 2025

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved:

    wifi: ath11k: clear initialized flag for deinit-ed srng lists

    In a number of cases we see kernel panics on resume due
    to ath11k kernel page fault, which happens under the
    following circumstances:

    1) First ath11k_hal_dump_srng_stats() call

    Last interrupt received for each group:
    ath11k_pci 0000:01:00.0: group_id 0 22511ms before
    ath11k_pci 0000:01:00.0: group_id 1 14440788ms before
    [..]
    ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..
    ath11k_pci 0000:01:00.0: Service connect timeout
    ath11k_pci 0000:01:00.0: failed to connect to HTT: -110
    ath11k_pci 0000:01:00.0: failed to start core: -110
    ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM
    ath11k_pci 0000:01:00.0: already resetting count 2
    ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110
    ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110
    ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery
    [..]

    2) At this point reconfiguration fails (we have 2 resets) and
    ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()
    which destroys srng lists. However, it does not reset per-list
    ->initialized flag.

    3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized
    flag and attempts to dump srng stats:

    Last interrupt received for each group:
    ath11k_pci 0000:01:00.0: group_id 0 66785ms before
    ath11k_pci 0000:01:00.0: group_id 1 14485062ms before
    ath11k_pci 0000:01:00.0: group_id 2 14485062ms before
    ath11k_pci 0000:01:00.0: group_id 3 14485062ms before
    ath11k_pci 0000:01:00.0: group_id 4 14780845ms before
    ath11k_pci 0000:01:00.0: group_id 5 14780845ms before
    ath11k_pci 0000:01:00.0: group_id 6 14485062ms before
    ath11k_pci 0000:01:00.0: group_id 7 66814ms before
    ath11k_pci 0000:01:00.0: group_id 8 68997ms before
    ath11k_pci 0000:01:00.0: group_id 9 67588ms before
    ath11k_pci 0000:01:00.0: group_id 10 69511ms before
    BUG: unable to handle page fault for address: ffffa007404eb010
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0
    Oops: 0000 [#1] PREEMPT SMP NOPTI
    RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]
    Call Trace:
    ? __die_body+0xae/0xb0
    ? page_fault_oops+0x381/0x3e0
    ? exc_page_fault+0x69/0xa0
    ? asm_exc_page_fault+0x22/0x30
    ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]
    ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]
    worker_thread+0x389/0x930
    kthread+0x149/0x170

    Clear per-list ->initialized flag in ath11k_hal_srng_deinit().

    Added Reference https://git.kernel.org/stable/c/0ebb5fe494501c19f31270008b26ab95201af6fd
    Added Reference https://git.kernel.org/stable/c/16872194c80f2724472fc207991712895ac8a230
    Added Reference https://git.kernel.org/stable/c/5bf201c55fdf303e79005038648dfa1e8af48f54
    Added Reference https://git.kernel.org/stable/c/72a48be1f53942793f3bc68a37fad1f38b53b082
    Added Reference https://git.kernel.org/stable/c/916ac18d526a26f6072866b1a97622cf1351ef1c
    Added Reference https://git.kernel.org/stable/c/a5b46aa7cf5f05c213316a018e49a8e086efd98e
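The sequence the description walks through (a first stats dump while the rings are live, a failed crash reconfigure that tears the rings down, then a second dump that trusts the stale ->initialized flag) as a small C model. This is an added illustration, not ath11k's own code: the structure layout, the names hal_srng_init, hal_srng_deinit_stale_flag, hal_srng_deinit_fixed, hal_dump_srng_stats and reproduce, and the ERR_FAULT return value that stands in for the kernel page fault are all assumptions of the example. The buggy deinit keeps the flag set after freeing the ring memory, exactly the state the trace shows; the fixed deinit clears it alongside the teardown.

```c
/* Simplified model of the ath11k srng bookkeeping in CVE-2025-38601.
 * Added example, not driver code: struct layout, names and return codes
 * are assumptions chosen for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SRNG_RING_ID_MAX 8
#define SRNG_NENTRIES    16
#define ERR_FAULT        (-14)   /* stands in for the oops in the trace above */

/* One ring: a liveness flag plus the ring memory the stats dump reads. */
struct hal_srng {
	bool initialized;
	uint32_t *ring_base;     /* NULL once the backing memory is gone */
	uint32_t hp;             /* head/tail shadows refreshed by the dump */
	uint32_t tp;
};

struct hal {
	struct hal_srng srng_list[SRNG_RING_ID_MAX];
};

/* Allocate rings 0..n-1 and mark them live (assumed setup path). */
int hal_srng_init(struct hal *hal, int n)
{
	memset(hal, 0, sizeof(*hal));
	for (int i = 0; i < n && i < SRNG_RING_ID_MAX; i++) {
		struct hal_srng *s = &hal->srng_list[i];
		s->ring_base = calloc(SRNG_NENTRIES, sizeof(*s->ring_base));
		if (!s->ring_base)
			return -1;
		s->initialized = true;
	}
	return 0;
}

/* Teardown as the bug describes: memory is released, flag stays set. */
void hal_srng_deinit_stale_flag(struct hal *hal)
{
	for (int i = 0; i < SRNG_RING_ID_MAX; i++) {
		struct hal_srng *s = &hal->srng_list[i];
		free(s->ring_base);
		s->ring_base = NULL;   /* models the now-unmapped ring memory */
		/* BUG: s->initialized is left true */
	}
}

/* Teardown with the fix: clear the per-list flag together with the memory. */
void hal_srng_deinit_fixed(struct hal *hal)
{
	for (int i = 0; i < SRNG_RING_ID_MAX; i++) {
		struct hal_srng *s = &hal->srng_list[i];
		free(s->ring_base);
		s->ring_base = NULL;
		s->initialized = false;
	}
}

/* Stats dump: ->initialized is its only guard before touching ring memory.
 * Returns the number of rings dumped, or ERR_FAULT where the real driver
 * would take the page fault (flag set, memory gone). */
int hal_dump_srng_stats(struct hal *hal)
{
	int dumped = 0;
	for (int i = 0; i < SRNG_RING_ID_MAX; i++) {
		struct hal_srng *s = &hal->srng_list[i];
		if (!s->initialized)
			continue;
		if (!s->ring_base)
			return ERR_FAULT;   /* real code: BUG: unable to handle page fault */
		s->hp = s->ring_base[0];
		s->tp = s->ring_base[SRNG_NENTRIES - 1];
		dumped++;
	}
	return dumped;
}

/* Replay the description: first dump, reconfigure failure, second dump. */
int reproduce(bool apply_fix)
{
	struct hal hal;
	if (hal_srng_init(&hal, 4) != 0)
		return -1;
	if (hal_dump_srng_stats(&hal) != 4)   /* first dump, rings live */
		return -1;
	if (apply_fix)
		hal_srng_deinit_fixed(&hal);
	else
		hal_srng_deinit_stale_flag(&hal);
	return hal_dump_srng_stats(&hal);     /* second dump after deinit */
}
```

reproduce(false) reaches the faulting read on the second dump, while reproduce(true) dumps nothing because every list now reports itself as not initialized. The general lesson is the one the fix encodes: any teardown that releases memory must also invalidate the flag that other paths use as permission to touch it, or those paths will dereference stale state on the next crash-recovery or resume cycle.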