CVE-2024-35938: wifi: ath11k: decrease MHI channel buffer length to 8KB

Published May 19, 2024

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: decrease MHI channel buffer length to 8KB

Currently buf_len field of ath11k_mhi_config_qca6390 is assigned with 0, making MHI use a default size, 64KB, to allocate channel buffers. This is likely to fail in some scenarios where system memory is highly fragmented and memory compaction or reclaim is not allowed.

There is a fail report which is caused by it:
kworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0
CPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb
Workqueue: events_unbound async_run_entry_fn
Call Trace:
 <TASK>
 dump_stack_lvl+0x47/0x60
 warn_alloc+0x13a/0x1b0
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? __alloc_pages_direct_compact+0xab/0x210
 __alloc_pages_slowpath.constprop.0+0xd3e/0xda0
 __alloc_pages+0x32d/0x350
 ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]
 __kmalloc_large_node+0x72/0x110
 __kmalloc+0x37c/0x480
 ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]
 ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]
 mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]
 mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]
 ? __pfx_mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]
 device_for_each_child+0x5c/0xa0
 ? __pfx_pci_pm_resume+0x10/0x10
 ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e]
 ? srso_alias_return_thunk+0x5/0xfbef5
 ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec]
 ? srso_alias_return_thunk+0x5/0xfbef5
 dpm_run_callback+0x8c/0x1e0
 device_resume+0x104/0x340
 ? __pfx_dpm_watchdog_handler+0x10/0x10
 async_resume+0x1d/0x30
 async_run_entry_fn+0x32/0x120
 process_one_work+0x168/0x330
 worker_thread+0x2f5/0x410
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xe8/0x120
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x34/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30
 </TASK>

Actually those buffers are used only by QMI target -> host communication. And for WCN6855 and QCA6390, the largest packet size for that is less than 6KB. So change buf_len field to 8KB, which results in order 1 allocation if page size is 4KB. In this way, we can at least save some memory, as well as decrease the possibility of allocation failure in those scenarios.

Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
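
The failure signature in the report above can be matched in collected kernel logs. The following is an added triage example, not part of the advisory or the kernel patch: it parses "page allocation failure" reports, converts the order to a byte size, and flags reports whose reliable stack frames pass through mhi_prepare_channel under an ath11k caller. The sample log is constructed (shortened from the report above), and 4 KB pages are assumed.

```python
import re

PAGE_SIZE = 4096  # assumption: 4 KB pages, the case the commit message discusses

FAIL_RE = re.compile(r"page allocation failure: order:(\d+), mode:0x[0-9a-f]+\(([^)]*)\)")
# Optional dmesg timestamp, optional "? " (unreliable frame), then symbol+0xoff/0xlen.
FRAME_RE = re.compile(r"^(?:\[[\s\d.]+\])?\s*(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Constructed sample: shortened from the failure report quoted above.
SAMPLE_LOG = """\
kworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null)
Call Trace:
 <TASK>
 warn_alloc+0x13a/0x1b0
 __alloc_pages+0x32d/0x350
 ? mhi_prepare_channel+0x127/0x2d0 [mhi]
 __kmalloc_large_node+0x72/0x110
 mhi_prepare_channel+0x127/0x2d0 [mhi]
 mhi_prepare_for_transfer+0x44/0x80 [mhi]
 ath11k_core_resume+0x65/0x100 [ath11k]
 ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci]
 </TASK>
"""

def order_for(size, page_size=PAGE_SIZE):
    """Smallest order with page_size << order >= size (what get_order() computes)."""
    pages = -(-size // page_size)          # ceiling division
    return (pages - 1).bit_length()

def parse_alloc_failures(log_text):
    """Return one record per 'page allocation failure' with its reliable stack frames."""
    reports = []
    for line in log_text.splitlines():
        fail = FAIL_RE.search(line)
        if fail:
            order = int(fail.group(1))
            reports.append({"order": order, "bytes": PAGE_SIZE << order,
                            "flags": fail.group(2).split("|"), "frames": []})
            continue
        frame = FRAME_RE.match(line)
        if reports and frame and not frame.group(1):   # skip "? " frames
            reports[-1]["frames"].append(frame.group(2))
    return reports

def matches_ath11k_mhi(report):
    """True when the failed allocation came from MHI channel setup under ath11k."""
    frames = report["frames"]
    return "mhi_prepare_channel" in frames and any(f.startswith("ath11k_") for f in frames)

if __name__ == "__main__":
    for r in parse_alloc_failures(SAMPLE_LOG):
        print(r["order"], r["bytes"], r["flags"], matches_ath11k_mhi(r))
    print("64KB ->", order_for(64 * 1024), "| 8KB ->", order_for(8 * 1024))
```

On a patched kernel the same resume path requests 8KB buffers, so any remaining failure from it would report order:1 rather than order:4.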

Other sources

The Linux kernel CVE team has assigned CVE-2024-35938 to this issue.

Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024051918-CVE-2024-35938-0100@gregkh/T

Red Hat

Linux Kernel is vulnerable to a denial of service, caused by a page allocation failure in wifi: ath11k. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.

IBM

Affected Software

14 affected components
Fixes available
IBM Security Verify Governance <= ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack <= ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance <= ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container <= ISVG 10.0.2
debian/linux <=5.10.223-1, <=5.10.234-1 (fixed in 6.1.129-1, 6.1.135-1, 6.12.25-1, 6.12.27-1)
redhat/kernel <5.15.155 (fixed in 5.15.155)
redhat/kernel <6.1.86 (fixed in 6.1.86)
redhat/kernel <6.6.27 (fixed in 6.6.27)
redhat/kernel <6.8.6 (fixed in 6.8.6)
redhat/kernel <6.9 (fixed in 6.9)
Linux Linux kernel >=5.6, <5.15.155
Linux Linux kernel >=5.16, <6.1.86
Linux Linux kernel >=6.2, <6.6.27
Linux Linux kernel >=6.7, <6.8.6

Event History

May 19, 2024
CVE Published via MITRE · 10:10 AM
Data Sourced via MITRE · 10:10 AM: Description
Data Sourced via NVD · 11:15 AM: Description
Data Sourced via NVD · 11:15 AM: Remedy, Severity, Affected Software

May 20, 2024
Data Sourced via Red Hat · 03:33 PM: Description, Severity, Affected Software

Jul 15, 2024
Data Sourced via Launchpad · 07:48 PM: Description

Apr 27, 2025
Data Sourced via Ubuntu · 12:23 AM: Remedy, Description, Severity, Affected Software

Frequently Asked Questions

1. What is the severity of CVE-2024-35938?

CVE-2024-35938 has a critical severity level due to its potential impact on channel buffer allocation in the Linux kernel.

2. How do I fix CVE-2024-35938?

To resolve CVE-2024-35938, update the Linux kernel to version 5.15.155, 6.1.86, 6.6.27, 6.8.6, or 6.9 as specified for your distribution.

3. What systems are affected by CVE-2024-35938?

CVE-2024-35938 affects versions of the Linux kernel up to 5.15.155 and various 6.x versions as detailed in the vulnerability report.

4. Is there a workaround for CVE-2024-35938?

There are no known workarounds for CVE-2024-35938; updating to a patched version is recommended.

5. Who is responsible for addressing CVE-2024-35938?

The maintainers of the Linux kernel and Linux distributions such as Red Hat and Debian are responsible for developing patches to address CVE-2024-35938.
