Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's ath11k wireless driver for AHB chipsets can lead to a NULL pointer dereference. This issue arises during the deinitialization of IOMMU (Input/Output Memory Management Unit) resources. The problem occurs in chipsets with non-fixed firmware memory, where the driver incorrectly attempts to unmap IOMMU resources that were never mapped during initialization. This flaw can be reproduced by rebooting or removing the ath11k AHB module on affected chipsets, such as the IPQ8074.
Exploiting this vulnerability causes a kernel NULL pointer dereference, leading to a crash of the wireless driver and potentially the entire system.
The issue can be reproduced by probing an AHB chipset with non-fixed firmware memory and then rebooting or removing the ath11k AHB module. The kernel logs a trace indicating a NULL pointer dereference, which is visible in the system logs.
The vulnerability has been addressed by adding a condition check for chipsets with fixed firmware memory in the ath11k AHB driver. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.
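The init/deinit asymmetry behind this crash and the shape of the fix, as an added userspace C model that is not the ath11k driver's code. The struct, function names and the `WOULD_OOPS` code are hypothetical, and the unchecked path reports the fault instead of dereferencing NULL so the model can run.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Userspace model of the init/deinit asymmetry. All names are hypothetical. */
struct fw_map { size_t len; };
struct dev { bool fixed_fw_mem; struct fw_map *map; };

#define WOULD_OOPS (-14) /* model stand-in for the kernel NULL dereference */

/* Init: only chipsets with fixed firmware memory map IOMMU resources. */
int fw_init(struct dev *d)
{
    if (!d->fixed_fw_mem)
        return 0;                 /* nothing mapped; d->map stays NULL */
    d->map = calloc(1, sizeof(*d->map));
    if (!d->map)
        return -12;               /* allocation failed */
    d->map->len = 4096;           /* constructed mapping size */
    return 0;
}

/* Shared teardown step: releases the mapping created by fw_init(). */
static int fw_unmap(struct dev *d)
{
    if (!d->map)
        return WOULD_OOPS;        /* the kernel would dereference NULL here */
    d->map->len = 0;
    free(d->map);
    d->map = NULL;
    return 0;
}

/* Before the fix: teardown runs regardless of what init actually did. */
int fw_deinit_unchecked(struct dev *d)
{
    return fw_unmap(d);
}

/* After the fix: teardown mirrors the condition used by init. */
int fw_deinit_checked(struct dev *d)
{
    if (!d->fixed_fw_mem)
        return 0;                 /* init mapped nothing, so undo nothing */
    return fw_unmap(d);
}
```
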