Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]wifi: ath11k: fix node corruption in ar->arvifs list[EOL][EOL]In current WLAN recovery code flow, ath11k_core_halt() only[EOL]reinitializes the "arvifs" list head. This will cause the[EOL]list node immediately following the list head to become an[EOL]invalid list node. Because the prev of that node still points[EOL]to the list head "arvifs", but the next of the list head "arvifs"[EOL]no longer points to that list node.[EOL][EOL]When a WLAN recovery occurs during the execution of a vif[EOL]removal, and it happens before the spin_lock_bh(&ar->data_lock)[EOL]in ath11k_mac_op_remove_interface(), list_del() will detect the[EOL]previously mentioned situation, thereby triggering a kernel panic.[EOL][EOL]The fix is to remove and reinitialize all vif list nodes from the[EOL]list head "arvifs" during WLAN halt. The reinitialization is to make[EOL]the list nodes valid, ensuring that the list_del() in[EOL]ath11k_mac_op_remove_interface() can execute normally.[EOL][EOL]Call trace:[EOL]__list_del_entry_valid_or_report+0xb8/0xd0[EOL]ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k][EOL]drv_remove_interface+0x48/0x194 [mac80211][EOL]ieee80211_do_stop+0x6e0/0x844 [mac80211][EOL]ieee80211_stop+0x44/0x17c [mac80211][EOL]__dev_close_many+0xac/0x150[EOL]__dev_change_flags+0x194/0x234[EOL]dev_change_flags+0x24/0x6c[EOL]devinet_ioctl+0x3a0/0x670[EOL]inet_ioctl+0x200/0x248[EOL]sock_do_ioctl+0x60/0x118[EOL]sock_ioctl+0x274/0x35c[EOL]__arm64_sys_ioctl+0xac/0xf0[EOL]invoke_syscall+0x48/0x114[EOL]...[EOL][EOL]Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1

CREATE(Triage):(User=admin) [CVE-2025-38293 (https://nvd.nist.gov/vuln/detail/CVE-2025-38293)