| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix node corruption in ar->arvifs list
In current WLAN recovery code flow, ath11k_core_halt() only
reinitializes the "arvifs" list head. This will cause the
list node immediately following the list head to become an
invalid list node. Because the prev of that node still points
to the list head "arvifs", but the next of the list head "arvifs"
no longer points to that list node.
When a WLAN recovery occurs during the execution of a vif
removal, and it happens before the spin_lock_bh(&ar->data_lock)
in ath11k_mac_op_remove_interface(), list_del() will detect the
previously mentioned situation, thereby triggering a kernel panic.
The fix is to remove and reinitialize all vif list nodes from the
list head "arvifs" during WLAN halt. The reinitialization is to make
the list nodes valid, ensuring that the list_del() in
ath11k_mac_op_remove_interface() can execute normally.
Call trace:
__list_del_entry_valid_or_report+0xb8/0xd0
ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k]
drv_remove_interface+0x48/0x194 [mac80211]
ieee80211_do_stop+0x6e0/0x844 [mac80211]
ieee80211_stop+0x44/0x17c [mac80211]
__dev_close_many+0xac/0x150
__dev_change_flags+0x194/0x234
dev_change_flags+0x24/0x6c
devinet_ioctl+0x3a0/0x670
inet_ioctl+0x200/0x248
sock_do_ioctl+0x60/0x118
sock_ioctl+0x274/0x35c
__arm64_sys_ioctl+0xac/0xf0
invoke_syscall+0x48/0x114
...
Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1 |
| Memory Corruption in Multi-mode Call Processor while processing bit mask API. |
| Memory corruption while copying the sound model data from user to kernel buffer during sound model register. |
| Memory corruption while loading a VM from a signed VM image that is not coherent in the processor cache. |
| Memory corruption in Audio when SSR event is triggered after music playback is stopped. |
| Memory corruption in Audio while processing the VOC packet data from ADSP. |
| Memory Corruption in Audio while invoking callback function in driver from ADSP. |
| Memory corruption in Automotive Audio while copying data from ADSP shared buffer to the VOC packet data buffer. |
| Memory corruption as GPU registers beyond the last protected range can be accessed through LPAC submissions. |
| Memory corruption may occur while attaching VM when the HLOS retains access to VM. |
| Information disclosure may occur while decoding the RTP packet with invalid header extension from network. |
| Memory corruption when the UE receives an RTP packet from the network, during the reassembly of NALUs. |
| Memory corruption while selecting the PLMN from SOR failed list. |
| Information disclosure while processing the hash segment in an MBN file. |
| Information disclosure while reading data from an image using specified offset and size parameters. |
| Transient DOS while processing the EHT operation IE in the received beacon frame. |
| Information disclosure when an invalid RTCP packet is received during a VoLTE/VoWiFi IMS call. |
| Information disclosure may occur while processing goodbye RTCP packet from network. |
| Information disclosure while decoding RTP packet received by UE from the network, when payload length mentioned is greater than the available buffer length. |
| Transient DOS while parsing the EPTM test control message to get the test pattern. |
