Fixed
Created: Jul 10, 2025
Updated: Jul 14, 2025
Resolved Date: Jul 14, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix node corruption in ar->arvifs list

In current WLAN recovery code flow, ath12k_core_halt() only reinitializes
the "arvifs" list head. This will cause the list node immediately following
the list head to become an invalid list node. Because the prev of that node
still points to the list head "arvifs", but the next of the list head
"arvifs" no longer points to that list node.

When a WLAN recovery occurs during the execution of a vif removal, and it
happens before the spin_lock_bh(&ar->data_lock) in
ath12k_mac_vdev_delete(), list_del() will detect the previously mentioned
situation, thereby triggering a kernel panic.

The fix is to remove and reinitialize all vif list nodes from the list head
"arvifs" during WLAN halt. The reinitialization is to make the list nodes
valid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute
normally.

Call trace:
__list_del_entry_valid_or_report+0xd4/0x100 (P)
ath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k]
ath12k_scan_vdev_clean_work+0x40/0x164 [ath12k]
cfg80211_wiphy_work+0xfc/0x100
process_one_work+0x164/0x2d0
worker_thread+0x254/0x380
kthread+0xfc/0x100
ret_from_fork+0x10/0x20

The change is mostly copied from the ath11k patch:
https://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
CVE-2025-38290 (https://nvd.nist.gov/vuln/detail/CVE-2025-38290)
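The list state described in the commit message above, reproduced as an added example in userspace C; it is not the ath12k patch or kernel code. The list helpers are a simplified model of the kernel list API, and struct vif, halt_head_only(), halt_unlink_all() and first_vif_valid_after() are hypothetical names introduced for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified userspace model of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
/* Hypothetical stand-in for a vif object linked into ar->arvifs. */
struct vif { int id; struct list_head list; };
static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *head) {
    n->prev = head->prev;
    n->next = head;
    head->prev->next = n;
    head->prev = n;
}

/* Neighbour consistency test, modelled on what list_del() validates. */
static bool entry_valid(const struct list_head *e) {
    return e->prev->next == e && e->next->prev == e;
}

/* Halt as described before the fix: only the list head is reinitialized. */
static void halt_head_only(struct list_head *arvifs) { init_list_head(arvifs); }

/* Halt as described after the fix: every node is removed and reinitialized. */
static void halt_unlink_all(struct list_head *arvifs) {
    struct list_head *pos = arvifs->next;
    while (pos != arvifs) {
        struct list_head *nxt = pos->next;
        init_list_head(pos); /* self-linked node passes a later delete check */
        pos = nxt;
    }
    init_list_head(arvifs);
}

/* Builds head -> a -> b, runs the given halt, reports if a is still deletable. */
static bool first_vif_valid_after(void (*halt)(struct list_head *)) {
    struct list_head arvifs;
    struct vif a = { .id = 0 }, b = { .id = 1 };
    init_list_head(&arvifs);
    list_add_tail(&a.list, &arvifs);
    list_add_tail(&b.list, &arvifs);
    halt(&arvifs);
    return entry_valid(&a.list);
}

int main(void) {
    printf("head-only: %d, unlink-all: %d\n",
           first_vif_valid_after(halt_head_only), first_vif_valid_after(halt_unlink_all));
    return 0;
}
```

After the head-only halt, the first node's prev still points at the head while the head's next points back at itself, which is the inconsistency the call trace shows being reported.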