Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A denial-of-service vulnerability has been identified in the Linux kernel's ath11k Wi-Fi driver. This issue arises when the driver fails to properly reset the 'initialized' flag for certain lists after they have been deinitialized. As a result, a subsequent call to dump statistics from these lists can trigger a kernel panic by causing a page fault. This vulnerability affects the Linux kernel stable tree.
Exploitation of this vulnerability leads to a kernel panic, causing a denial-of-service condition by crashing the system.
The sequence leading to the crash starts with a call to ath11k_hal_dump_srng_stats(), which walks the driver's lists and can end in a kernel page fault. The fault occurs when the driver has not cleared the 'initialized' flag for lists that were already deinitialized, so the stale flag lets the dump touch memory that is no longer valid. The condition is visible in ath11k_pci driver events, where failed connections and timeouts show the driver in a degraded state. After the first statistics dump, the driver fails to reconfigure itself during crash recovery, and certain lists are deinitialized; their 'initialized' flag, however, stays set, which creates the conditions for the fault on the next dump.
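The stale-flag pattern described above, as an added illustration in C that is not ath11k code (the ring structure, field names and the two-ring setup are constructed for the demo): a ring is torn down with or without its 'initialized' flag cleared, and a later statistics dump either skips the ring or walks into memory that is gone.

```c
#include <stdbool.h>
#include <stddef.h>
struct ring {                /* constructed model; not ath11k code */
    bool initialized;
    unsigned int *stats;     /* ring memory; NULL once torn down */
    size_t nstats;
};

/* Teardown: clear_flag == false is the stale-flag bug, true is the fix. */
static void ring_deinit(struct ring *r, bool clear_flag)
{
    r->stats = NULL;         /* stands in for unmapping the ring memory */
    if (clear_flag)
        r->initialized = false;
}

/* The dump trusts the flag, as the driver does. Returns rings dumped, or -1
 * where the real driver would page-fault (modelled as a NULL buffer here). */
static int dump_stats(struct ring *rings, size_t n, unsigned int *total)
{
    int dumped = 0;
    *total = 0;
    for (size_t i = 0; i < n; i++) {
        if (!rings[i].initialized)
            continue;
        if (rings[i].stats == NULL)
            return -1;
        for (size_t j = 0; j < rings[i].nstats; j++)
            *total += rings[i].stats[j];
        dumped++;
    }
    return dumped;
}
unsigned int first_total;    /* result of the first dump, for inspection */
/* Replay the advisory's sequence: init, first dump, teardown on recovery,
 * second dump. Returns the second dump's result. */
int replay(bool fixed_deinit)
{
    static unsigned int backing[2][4];   /* stands in for DMA ring memory */
    struct ring rings[2];
    unsigned int second_total;
    for (int i = 0; i < 2; i++) {
        backing[i][0] = 10u * (unsigned int)(i + 1);
        rings[i] = (struct ring){ true, backing[i], 4 };
    }
    dump_stats(rings, 2, &first_total);  /* both rings live: 30 */
    for (int i = 0; i < 2; i++)
        ring_deinit(&rings[i], fixed_deinit);
    return dump_stats(rings, 2, &second_total);  /* -1 stale, 0 fixed */
}
```

The check that matters for the fix is that teardown and the flag move together, so a dump after recovery sees a consistent state.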
Users can update to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for updating the kernel can be found in the documentation for the specific Linux distribution in use.