cve-2024-35938
Vulnerability from cvelistv5
Published
2024-05-19 10:10
Modified
2024-11-05 09:25
Severity ?
Summary
wifi: ath11k: decrease MHI channel buffer length to 8KB
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35938",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-28T19:33:50.434855Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:34:22.305Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:49.059Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/805a1cdde82fec00c7471a393f4bb437b2741559"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6597a6687af54e2cb58371cf8f6ee4dd85c537de"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/138fdeac75fb7512a7f9f1c3b236cd2e754af793"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ae5876b3b7b2243d874e2afa099e7926122087a1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1cca1bddf9ef080503c15378cecf4877f7510015"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath11k/mhi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "805a1cdde82f",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "6597a6687af5",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "138fdeac75fb",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "ae5876b3b7b2",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "1cca1bddf9ef",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath11k/mhi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.155",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: decrease MHI channel buffer length to 8KB\n\nCurrently buf_len field of ath11k_mhi_config_qca6390 is assigned\nwith 0, making MHI use a default size, 64KB, to allocate channel\nbuffers. This is likely to fail in some scenarios where system\nmemory is highly fragmented and memory compaction or reclaim is\nnot allowed.\n\nThere is a fail report which is caused by it:\nkworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0\nCPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb\nWorkqueue: events_unbound async_run_entry_fn\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x47/0x60\n warn_alloc+0x13a/0x1b0\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __alloc_pages_direct_compact+0xab/0x210\n __alloc_pages_slowpath.constprop.0+0xd3e/0xda0\n __alloc_pages+0x32d/0x350\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __kmalloc_large_node+0x72/0x110\n __kmalloc+0x37c/0x480\n ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n device_for_each_child+0x5c/0xa0\n ? __pfx_pci_pm_resume+0x10/0x10\n ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec]\n ? srso_alias_return_thunk+0x5/0xfbef5\n dpm_run_callback+0x8c/0x1e0\n device_resume+0x104/0x340\n ? __pfx_dpm_watchdog_handler+0x10/0x10\n async_resume+0x1d/0x30\n async_run_entry_fn+0x32/0x120\n process_one_work+0x168/0x330\n worker_thread+0x2f5/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe8/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \u003c/TASK\u003e\n\nActually those buffers are used only by QMI target -\u003e host communication.\nAnd for WCN6855 and QCA6390, the largest packet size for that is less\nthan 6KB. So change buf_len field to 8KB, which results in order 1\nallocation if page size is 4KB. In this way, we can at least save some\nmemory, and as well as decrease the possibility of allocation failure\nin those scenarios.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:25:22.300Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/805a1cdde82fec00c7471a393f4bb437b2741559"
        },
        {
          "url": "https://git.kernel.org/stable/c/6597a6687af54e2cb58371cf8f6ee4dd85c537de"
        },
        {
          "url": "https://git.kernel.org/stable/c/138fdeac75fb7512a7f9f1c3b236cd2e754af793"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae5876b3b7b2243d874e2afa099e7926122087a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cca1bddf9ef080503c15378cecf4877f7510015"
        }
      ],
      "title": "wifi: ath11k: decrease MHI channel buffer length to 8KB",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35938",
    "datePublished": "2024-05-19T10:10:44.279Z",
    "dateReserved": "2024-05-17T13:50:33.131Z",
    "dateUpdated": "2024-11-05T09:25:22.300Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35938\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-19T11:15:49.620\",\"lastModified\":\"2024-05-20T13:00:04.957\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath11k: decrease MHI channel buffer length to 8KB\\n\\nCurrently buf_len field of ath11k_mhi_config_qca6390 is assigned\\nwith 0, making MHI use a default size, 64KB, to allocate channel\\nbuffers. This is likely to fail in some scenarios where system\\nmemory is highly fragmented and memory compaction or reclaim is\\nnot allowed.\\n\\nThere is a fail report which is caused by it:\\nkworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0\\nCPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb\\nWorkqueue: events_unbound async_run_entry_fn\\nCall Trace:\\n \u003cTASK\u003e\\n dump_stack_lvl+0x47/0x60\\n warn_alloc+0x13a/0x1b0\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ? __alloc_pages_direct_compact+0xab/0x210\\n __alloc_pages_slowpath.constprop.0+0xd3e/0xda0\\n __alloc_pages+0x32d/0x350\\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n __kmalloc_large_node+0x72/0x110\\n __kmalloc+0x37c/0x480\\n ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n __mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n ? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\\n device_for_each_child+0x5c/0xa0\\n ? __pfx_pci_pm_resume+0x10/0x10\\n ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e]\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec]\\n ? srso_alias_return_thunk+0x5/0xfbef5\\n dpm_run_callback+0x8c/0x1e0\\n device_resume+0x104/0x340\\n ? __pfx_dpm_watchdog_handler+0x10/0x10\\n async_resume+0x1d/0x30\\n async_run_entry_fn+0x32/0x120\\n process_one_work+0x168/0x330\\n worker_thread+0x2f5/0x410\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0xe8/0x120\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x34/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n \u003c/TASK\u003e\\n\\nActually those buffers are used only by QMI target -\u003e host communication.\\nAnd for WCN6855 and QCA6390, the largest packet size for that is less\\nthan 6KB. So change buf_len field to 8KB, which results in order 1\\nallocation if page size is 4KB. In this way, we can at least save some\\nmemory, and as well as decrease the possibility of allocation failure\\nin those scenarios.\\n\\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: wifi: ath11k: reduce la longitud del b\u00fafer del canal MHI a 8 KB Actualmente, el campo buf_len de ath11k_mhi_config_qca6390 est\u00e1 asignado con 0, lo que hace que MHI use un tama\u00f1o predeterminado, 64 KB, para asignar b\u00faferes de canal. Es probable que esto falle en algunos escenarios donde la memoria del sistema est\u00e1 muy fragmentada y no se permite la compactaci\u00f3n o recuperaci\u00f3n de memoria. Hay un informe de error causado por esto: kworker/u32:45: error de asignaci\u00f3n de p\u00e1gina: orden:4, modo:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0 CPU: 0 PID: 19318 Comm: kworker/u32:45 No contaminado 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (in\u00e9dito) 493b6d5b382c603654d7a81fc3c144d59a1dfceb Cola de trabajo: events_unbound async_run_entry_fn Seguimiento de llamadas:  dump_stack_lvl+0x47/0x60 warn_alloc+0x13a/ 0x1b0? srso_alias_return_thunk+0x5/0xfbef5? __alloc_pages_direct_compact+0xab/0x210 __alloc_pages_slowpath.constprop.0+0xd3e/0xda0 __alloc_pages+0x32d/0x350 ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] __kmalloc_large_node+0x72/0x110 __kmalloc+0x37c/0x480 ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a78 14] __mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] ? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] device_for_each_child+0x5c/0xa0 ? __pfx_pci_pm_resume+0x10/0x10 ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e]? srso_alias_return_thunk+0x5/0xfbef5 ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec]? srso_alias_return_thunk+0x5/0xfbef5 dpm_run_callback+0x8c/0x1e0 device_resume+0x104/0x340? __pfx_dpm_watchdog_handler+0x10/0x10 async_resume+0x1d/0x30 async_run_entry_fn+0x32/0x120 Process_one_work+0x168/0x330 Workers_thread+0x2f5/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe8/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30  En realidad, esos buffers son utilizados solo por la comunicaci\u00f3n QMI destino -\u0026gt; host. Y para WCN6855 y QCA6390, el tama\u00f1o de paquete m\u00e1s grande es inferior a 6 KB. Entonces cambie el campo buf_len a 8 KB, lo que da como resultado una asignaci\u00f3n de orden 1 si el tama\u00f1o de la p\u00e1gina es 4 KB. De esta manera, al menos podemos ahorrar algo de memoria y tambi\u00e9n disminuir la posibilidad de que se produzca un error en la asignaci\u00f3n en esos escenarios. Probado en: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/138fdeac75fb7512a7f9f1c3b236cd2e754af793\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1cca1bddf9ef080503c15378cecf4877f7510015\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6597a6687af54e2cb58371cf8f6ee4dd85c537de\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/805a1cdde82fec00c7471a393f4bb437b2741559\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ae5876b3b7b2243d874e2afa099e7926122087a1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.