{"id":"CVE-2025-38601","summary":"wifi: ath11k: clear initialized flag for deinit-ed srng lists","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: clear initialized flag for deinit-ed srng lists\n\nIn a number of cases we see kernel panics on resume due\nto ath11k kernel page fault, which happens under the\nfollowing circumstances:\n\n1) First ath11k_hal_dump_srng_stats() call\n\n Last interrupt received for each group:\n ath11k_pci 0000:01:00.0: group_id 0 22511ms before\n ath11k_pci 0000:01:00.0: group_id 1 14440788ms before\n [..]\n ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..\n ath11k_pci 0000:01:00.0: Service connect timeout\n ath11k_pci 0000:01:00.0: failed to connect to HTT: -110\n ath11k_pci 0000:01:00.0: failed to start core: -110\n ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM\n ath11k_pci 0000:01:00.0: already resetting count 2\n ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110\n ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110\n ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery\n [..]\n\n2) At this point reconfiguration fails (we have 2 resets) and\n  ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()\n  which destroys srng lists.  However, it does not reset per-list\n  -\u003einitialized flag.\n\n3) Second ath11k_hal_dump_srng_stats() call sees stale -\u003einitialized\n  flag and attempts to dump srng stats:\n\n Last interrupt received for each group:\n ath11k_pci 0000:01:00.0: group_id 0 66785ms before\n ath11k_pci 0000:01:00.0: group_id 1 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 2 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 3 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 4 14780845ms before\n ath11k_pci 0000:01:00.0: group_id 5 14780845ms before\n ath11k_pci 0000:01:00.0: group_id 6 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 7 66814ms before\n ath11k_pci 0000:01:00.0: group_id 8 68997ms before\n ath11k_pci 0000:01:00.0: group_id 9 67588ms before\n ath11k_pci 0000:01:00.0: group_id 10 69511ms before\n BUG: unable to handle page fault for address: ffffa007404eb010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]\n Call Trace:\n \u003cTASK\u003e\n ? __die_body+0xae/0xb0\n ? page_fault_oops+0x381/0x3e0\n ? exc_page_fault+0x69/0xa0\n ? asm_exc_page_fault+0x22/0x30\n ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]\n ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]\n worker_thread+0x389/0x930\n kthread+0x149/0x170\n\nClear per-list -\u003einitialized flag in ath11k_hal_srng_deinit().","modified":"2026-03-20T12:42:56.376026Z","published":"2025-08-19T17:03:35.798Z","related":["MGASA-2025-0234","MGASA-2025-0235","SUSE-SU-2025:03272-1","SUSE-SU-2025:03290-1","SUSE-SU-2025:03301-1","SUSE-SU-2025:03382-1","SUSE-SU-2025:03602-1","SUSE-SU-2025:03633-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20653-1","SUSE-SU-2025:20669-1","SUSE-SU-2025:20739-1","SUSE-SU-2025:20756-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38601.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0ebb5fe494501c19f31270008b26ab95201af6fd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/16872194c80f2724472fc207991712895ac8a230"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3a6daae987a829534636fd85ed6f84d5f0ad7fa4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5bf201c55fdf303e79005038648dfa1e8af48f54"},{"type":"WEB","url":"https://git.kernel.org/stable/c/72a48be1f53942793f3bc68a37fad1f38b53b082"},{"type":"WEB","url":"https://git.kernel.org/stable/c/916ac18d526a26f6072866b1a97622cf1351ef1c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a5b46aa7cf5f05c213316a018e49a8e086efd98e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38601.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38601"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5118935b1bc28d0bce9427e584e11e905e68ee9a"},{"fixed":"3a6daae987a829534636fd85ed6f84d5f0ad7fa4"},{"fixed":"eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5"},{"fixed":"916ac18d526a26f6072866b1a97622cf1351ef1c"},{"fixed":"5bf201c55fdf303e79005038648dfa1e8af48f54"},{"fixed":"72a48be1f53942793f3bc68a37fad1f38b53b082"},{"fixed":"0ebb5fe494501c19f31270008b26ab95201af6fd"},{"fixed":"16872194c80f2724472fc207991712895ac8a230"},{"fixed":"a5b46aa7cf5f05c213316a018e49a8e086efd98e"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38601.json"}}],"schema_version":"1.7.5"}