Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-35938— wifi: ath11k: decrease MHI channel buffer length to 8KB

EPSS 0.02% · P4
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-35938

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
wifi: ath11k: decrease MHI channel buffer length to 8KB
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: decrease MHI channel buffer length to 8KB Currently buf_len field of ath11k_mhi_config_qca6390 is assigned with 0, making MHI use a default size, 64KB, to allocate channel buffers. This is likely to fail in some scenarios where system memory is highly fragmented and memory compaction or reclaim is not allowed. There is a fail report which is caused by it: kworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0 CPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb Workqueue: events_unbound async_run_entry_fn Call Trace: <TASK> dump_stack_lvl+0x47/0x60 warn_alloc+0x13a/0x1b0 ? srso_alias_return_thunk+0x5/0xfbef5 ? __alloc_pages_direct_compact+0xab/0x210 __alloc_pages_slowpath.constprop.0+0xd3e/0xda0 __alloc_pages+0x32d/0x350 ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] __kmalloc_large_node+0x72/0x110 __kmalloc+0x37c/0x480 ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] __mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] ? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] device_for_each_child+0x5c/0xa0 ? __pfx_pci_pm_resume+0x10/0x10 ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e] ? srso_alias_return_thunk+0x5/0xfbef5 ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec] ? srso_alias_return_thunk+0x5/0xfbef5 dpm_run_callback+0x8c/0x1e0 device_resume+0x104/0x340 ? __pfx_dpm_watchdog_handler+0x10/0x10 async_resume+0x1d/0x30 async_run_entry_fn+0x32/0x120 process_one_work+0x168/0x330 worker_thread+0x2f5/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe8/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> Actually those buffers are used only by QMI target -> host communication. And for WCN6855 and QCA6390, the largest packet size for that is less than 6KB. So change buf_len field to 8KB, which results in order 1 allocation if page size is 4KB. In this way, we can at least save some memory, and as well as decrease the possibility of allocation failure in those scenarios. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于内存高度碎片化,不允许内存压缩或回收。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux d5c65159f2895379e11ca13f62feabe93278985d ~ 805a1cdde82fec00c7471a393f4bb437b2741559 -
LinuxLinux 5.6 -

II. Public POCs for CVE-2024-35938

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2024-35938

登录查看更多情报信息。

Same Patch Batch · Linux · 2024-05-19 · 82 CVEs total

CVE-2024-35914nfsd: Fix error cleanup path in nfsd_rename()
CVE-2024-35925block: prevent division by zero in blk_rq_stat_sum()
CVE-2024-35911ice: fix memory corruption bug with suspend and rebuild
CVE-2024-35912wifi: iwlwifi: mvm: rfi: fix potential response leaks
CVE-2024-35910tcp: properly terminate timers for kernel sockets
CVE-2024-35907mlxbf_gige: call request_irq() after NAPI initialized
CVE-2024-35905bpf: Protect against int overflow for stack access size
CVE-2024-35904selinux: avoid dereference of garbage after mount failure
CVE-2024-35903x86/bpf: Fix IP after emitting call depth accounting
CVE-2024-35908tls: get psock ref after taking rxlock to avoid leak
CVE-2024-35913wifi: iwlwifi: mvm: pick the version of SESSION_PROTECTION_NOTIF
CVE-2024-35915nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet
CVE-2024-35916dma-buf: Fix NULL pointer dereference in sanitycheck()
CVE-2024-35917s390/bpf: Fix bpf_plt pointer arithmetic
CVE-2023-52699sysv: don't call sb_bread() with pointers_lock held
CVE-2024-35919media: mediatek: vcodec: adding lock to protect encoder context list
CVE-2024-35920media: mediatek: vcodec: adding lock to protect decoder context list
CVE-2024-35921media: mediatek: vcodec: Fix oops when HEVC init fails
CVE-2024-35922fbmon: prevent division by zero in fb_videomode_from_videomode()
CVE-2024-35924usb: typec: ucsi: Limit read size on v1.2

Showing top 20 of 82 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2024-35938

No comments yet

Leave a comment