CVE-2025-38293

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38293
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38293.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38293
Downstream
Related
Published
2025-07-10T07:42:08.230Z
Modified
2025-11-28T02:34:59.677527Z
Summary
wifi: ath11k: fix node corruption in ar->arvifs list
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: fix node corruption in ar->arvifs list

In current WLAN recovery code flow, ath11k_core_halt() only reinitializes the "arvifs" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head "arvifs", but the next of the list head "arvifs" no longer points to that list node.

When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath11k_mac_op_remove_interface(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic.

The fix is to remove and reinitialize all vif list nodes from the list head "arvifs" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath11k_mac_op_remove_interface() can execute normally.

Call trace:
 __list_del_entry_valid_or_report+0xb8/0xd0
 ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k]
 drv_remove_interface+0x48/0x194 [mac80211]
 ieee80211_do_stop+0x6e0/0x844 [mac80211]
 ieee80211_stop+0x44/0x17c [mac80211]
 __dev_close_many+0xac/0x150
 __dev_change_flags+0x194/0x234
 dev_change_flags+0x24/0x6c
 devinet_ioctl+0x3a0/0x670
 inet_ioctl+0x200/0x248
 sock_do_ioctl+0x60/0x118
 sock_ioctl+0x274/0x35c
 __arm64_sys_ioctl+0xac/0xf0
 invoke_syscall+0x48/0x114
 ...

Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPLV1V2SILICONZIOE-1
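
The list state described above can be reproduced with a small userspace model. This is an added example, not code from the kernel or the ath11k driver: the list helpers are simplified stand-ins for the kernel's list API, and removal_after_halt() and the vif_a/vif_b nodes are hypothetical names. It shows that reinitializing only the head leaves the node after it failing the neighbour check, while removing and reinitializing every node lets the later removal succeed.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model of the kernel's struct list_head (constructed for this example). */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}

/* Neighbour check in the spirit of the kernel's list debugging before an unlink. */
static bool list_entry_valid(const struct list_head *e)
{
    return e->prev->next == e && e->next->prev == e;
}

/* Unlink and reinitialize; returns false where the kernel would report corruption. */
static bool list_del_init_checked(struct list_head *e)
{
    if (!list_entry_valid(e))
        return false;
    e->prev->next = e->next; e->next->prev = e->prev;
    init_list_head(e);
    return true;
}

/* Models a vif removal that runs after a halt; fixed selects the halt behaviour. */
static bool removal_after_halt(bool fixed)
{
    struct list_head arvifs, vif_a, vif_b;
    init_list_head(&arvifs);
    list_add(&vif_a, &arvifs);
    list_add(&vif_b, &arvifs);            /* vif_b is the node right after the head */
    if (fixed)                            /* post-fix halt: remove and reinit every node */
        while (arvifs.next != &arvifs)
            list_del_init_checked(arvifs.next);
    else                                  /* pre-fix halt: reinit the head only */
        init_list_head(&arvifs);
    return list_del_init_checked(&vif_b); /* the removal path's list_del() */
}

int main(void)
{
    printf("pre-fix ok=%d post-fix ok=%d\n", removal_after_halt(false), removal_after_halt(true));
    return 0;
}
```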

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38293.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d5c65159f2895379e11ca13f62feabe93278985d
Fixed
6c139015b597e570dd5962934e9f9a2f4cc8ef48
Fixed
f9507cf2dd0e1ed5028c0e8240da6fe5fd3110d3
Fixed
b0974ed82e6ad5ff246fd90a5b14f3e7be4f2924
Fixed
f50ba7e7b607f2d00618799312e7fdb76a1ff48e
Fixed
f5d77d0d41ea7a204d47288d0cf0404a52b5890e
Fixed
6d6cb27fe146061f2512e904618f5e005bb7bb6a
Fixed
31e98e277ae47f56632e4d663b1d4fd12ba33ea8

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.6.0
Fixed
5.10.239
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.186
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.142
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.94
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.34
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.3