Home

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Fix SKB corruption in REO destination ring While running traffics for a long time, randomly an RX descriptor filled with value "0" from REO destination ring is received. This descriptor which is invalid causes the wrong SKB (SKB stored in the IDR lookup with buffer id "0") to be fetched which in turn causes SKB memory corruption issue and the same leads to crash after some time. Changed the start id for idr allocation to "1" and the buffer id "0" is reserved for error validation. Introduced Sanity check to validate the descriptor, before processing the SKB. Crash Signature : Unable to handle kernel paging request at virtual address 3f004900 PC points to "b15_dma_inv_range+0x30/0x50" LR points to "dma_cache_maint_page+0x8c/0x128". The Backtrace obtained is as follows: [<8031716c>] (b15_dma_inv_range) from [<80313a4c>] (dma_cache_maint_page+0x8c/0x128) [<80313a4c>] (dma_cache_maint_page) from [<80313b90>] (__dma_page_dev_to_cpu+0x28/0xcc) [<80313b90>] (__dma_page_dev_to_cpu) from [<7fb5dd68>] (ath11k_dp_process_rx+0x1e8/0x4a4 [ath11k]) [<7fb5dd68>] (ath11k_dp_process_rx [ath11k]) from [<7fb53c20>] (ath11k_dp_service_srng+0xb0/0x2ac [ath11k]) [<7fb53c20>] (ath11k_dp_service_srng [ath11k]) from [<7f67bba4>] (ath11k_pci_ext_grp_napi_poll+0x1c/0x78 [ath11k_pci]) [<7f67bba4>] (ath11k_pci_ext_grp_napi_poll [ath11k_pci]) from [<807d5cf4>] (__napi_poll+0x28/0xb8) [<807d5cf4>] (__napi_poll) from [<807d5f28>] (net_rx_action+0xf0/0x280) [<807d5f28>] (net_rx_action) from [<80302148>] (__do_softirq+0xd0/0x280) [<80302148>] (__do_softirq) from [<80320408>] (irq_exit+0x74/0xd4) [<80320408>] (irq_exit) from [<803638a4>] (__handle_domain_irq+0x90/0xb4) [<803638a4>] (__handle_domain_irq) from [<805bedec>] (gic_handle_irq+0x58/0x90) [<805bedec>] (gic_handle_irq) from [<80301a78>] (__irq_svc+0x58/0x8c) Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1

PUBLISHED Reserved 2025-09-16 | Published 2025-09-16 | Updated 2025-09-19 | Assigner Linux

Product status

Default status
unaffected

d5c65159f2895379e11ca13f62feabe93278985d (git) before 866921dc06b94df91acfcf9359b57da943ed99b3
affected

d5c65159f2895379e11ca13f62feabe93278985d (git) before 3d3f8fe01a01d94a17fe1ae0d2e894049a972717
affected

d5c65159f2895379e11ca13f62feabe93278985d (git) before 068fd06148fbf0af95bb08dc77cff34ee679fdbc
affected

d5c65159f2895379e11ca13f62feabe93278985d (git) before 67459491f78146bcf7d93596e5b709d063dff5d8
affected

d5c65159f2895379e11ca13f62feabe93278985d (git) before f9fff67d2d7ca6fa8066132003a3deef654c55b1
affected

Default status
affected

5.6
affected

Any version before 5.6
unaffected

5.10.181 (semver)
unaffected

5.15.113 (semver)
unaffected

6.1.30 (semver)
unaffected

6.3.4 (semver)
unaffected

6.4 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/866921dc06b94df91acfcf9359b57da943ed99b3

git.kernel.org/...c/3d3f8fe01a01d94a17fe1ae0d2e894049a972717

git.kernel.org/...c/068fd06148fbf0af95bb08dc77cff34ee679fdbc

git.kernel.org/...c/67459491f78146bcf7d93596e5b709d063dff5d8

git.kernel.org/...c/f9fff67d2d7ca6fa8066132003a3deef654c55b1

cve.org (CVE-2023-53315)

nvd.nist.gov (CVE-2023-53315)

Download JSON