CVE-2025-38601

Source
https://cve.org/CVERecord?id=CVE-2025-38601
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38601.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38601
Downstream
Related
Published
2025-08-19T17:03:35.798Z
Modified
2026-05-15T11:53:52.491012182Z
Summary
wifi: ath11k: clear initialized flag for deinit-ed srng lists
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: clear initialized flag for deinit-ed srng lists

In a number of cases we see kernel panics on resume due to ath11k kernel page fault, which happens under the following circumstances:

1) First ath11k_hal_dump_srng_stats() call

Last interrupt received for each group:
ath11k_pci 0000:01:00.0: group_id 0 22511ms before
ath11k_pci 0000:01:00.0: group_id 1 14440788ms before
[..]
ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..
ath11k_pci 0000:01:00.0: Service connect timeout
ath11k_pci 0000:01:00.0: failed to connect to HTT: -110
ath11k_pci 0000:01:00.0: failed to start core: -110
ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM
ath11k_pci 0000:01:00.0: already resetting count 2
ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110
ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110
ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery
[..]

2) At this point reconfiguration fails (we have 2 resets) and ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit() which destroys srng lists. However, it does not reset per-list ->initialized flag.

3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized flag and attempts to dump srng stats:

Last interrupt received for each group:
ath11k_pci 0000:01:00.0: group_id 0 66785ms before
ath11k_pci 0000:01:00.0: group_id 1 14485062ms before
ath11k_pci 0000:01:00.0: group_id 2 14485062ms before
ath11k_pci 0000:01:00.0: group_id 3 14485062ms before
ath11k_pci 0000:01:00.0: group_id 4 14780845ms before
ath11k_pci 0000:01:00.0: group_id 5 14780845ms before
ath11k_pci 0000:01:00.0: group_id 6 14485062ms before
ath11k_pci 0000:01:00.0: group_id 7 66814ms before
ath11k_pci 0000:01:00.0: group_id 8 68997ms before
ath11k_pci 0000:01:00.0: group_id 9 67588ms before
ath11k_pci 0000:01:00.0: group_id 10 69511ms before
BUG: unable to handle page fault for address: ffffa007404eb010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]
Call Trace:
 <TASK>
 ? __die_body+0xae/0xb0
 ? page_fault_oops+0x381/0x3e0
 ? exc_page_fault+0x69/0xa0
 ? asm_exc_page_fault+0x22/0x30
 ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]
 ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]
 worker_thread+0x389/0x930
 kthread+0x149/0x170

Clear per-list ->initialized flag in ath11k_hal_srng_deinit().
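The defect pattern behind this record, as an added example that is not the ath11k driver's code: a mock "ring" (struct ring, struct hal, hal_srng_init, hal_srng_deinit_stale, hal_srng_deinit_fixed, hal_dump_srng_stats, stale_rings_after_recovery are all hypothetical names constructed here) whose deinit path frees storage but, before the fix, leaves the per-list initialized flag set. A later stats dump that trusts only that flag walks the torn-down ring; in the kernel that is the page fault shown above, and here it is modelled as a counted stale hit instead of a crash.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define NUM_RINGS 4
#define RING_ENTRIES 8

/* Hypothetical stand-in for one srng list: backing storage plus the
 * per-list initialized flag the commit message refers to. Constructed
 * for this example; not the ath11k driver's structures. */
struct ring {
    bool initialized;
    unsigned int *entries;  /* released on deinit */
    unsigned int count;
};

struct hal {
    struct ring rings[NUM_RINGS];
};

/* Allocate every ring and mark it initialized. */
static int hal_srng_init(struct hal *h)
{
    for (int i = 0; i < NUM_RINGS; i++) {
        struct ring *r = &h->rings[i];
        r->entries = calloc(RING_ENTRIES, sizeof(*r->entries));
        if (!r->entries)
            return -1;
        r->count = RING_ENTRIES;
        r->initialized = true;
    }
    return 0;
}

/* Deinit as described before the fix: storage is released but the
 * initialized flag is left set. The pointer is nulled so the stale path
 * is detectable here rather than undefined behaviour in user space. */
static void hal_srng_deinit_stale(struct hal *h)
{
    for (int i = 0; i < NUM_RINGS; i++) {
        free(h->rings[i].entries);
        h->rings[i].entries = NULL;
        h->rings[i].count = 0;
    }
}

/* Deinit with the fix applied: the flag is cleared with the storage. */
static void hal_srng_deinit_fixed(struct hal *h)
{
    hal_srng_deinit_stale(h);
    for (int i = 0; i < NUM_RINGS; i++)
        h->rings[i].initialized = false;
}

/* Stats dump guarded only by ->initialized, as the oops path is. Returns
 * the number of rings it read; *stale counts rings whose flag was still
 * set after their storage was gone (the point where the kernel faults). */
static int hal_dump_srng_stats(const struct hal *h, int *stale)
{
    int dumped = 0;
    *stale = 0;
    for (int i = 0; i < NUM_RINGS; i++) {
        const struct ring *r = &h->rings[i];
        if (!r->initialized)
            continue;
        if (!r->entries) {
            (*stale)++;
            continue;
        }
        unsigned int acc = 0;
        for (unsigned int j = 0; j < r->count; j++)
            acc += r->entries[j];   /* touch the ring like a real dump */
        (void)acc;
        dumped++;
    }
    return dumped;
}

/* Init, deinit (buggy or fixed), then dump: the crash-recovery sequence
 * from the report in miniature. Returns the number of stale rings hit. */
int stale_rings_after_recovery(bool fixed)
{
    struct hal h = {0};
    int stale = 0;
    if (hal_srng_init(&h) != 0)
        return -1;
    if (fixed)
        hal_srng_deinit_fixed(&h);
    else
        hal_srng_deinit_stale(&h);
    hal_dump_srng_stats(&h, &stale);
    return stale;
}

int main(void)
{
    printf("stale rings hit by dump, flag not cleared: %d\n",
           stale_rings_after_recovery(false));
    printf("stale rings hit by dump, flag cleared:     %d\n",
           stale_rings_after_recovery(true));
    return 0;
}
```

The design point is that a teardown routine owns every field that a later consumer might test, so the "is this list usable" flag must be reset in the same place the storage is released; a dump or debug path that runs from crash-recovery work should find nothing to walk once deinit has completed.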

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38601.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.7.0
Fixed
5.10.241
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.190
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.148
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.102
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.42
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.10
Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.16.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38601.json"