CVE Details
Description
In the Linux kernel, the following vulnerability has been resolved:\nwifi: ath11k: decrease MHI channel buffer length to 8KB\nCurrently buf_len field of ath11k_mhi_config_qca6390 is assigned\nwith 0, making MHI use a default size, 64KB, to allocate channel\nbuffers. This is likely to fail in some scenarios where system\nmemory is highly fragmented and memory compaction or reclaim is\nnot allowed.\nThere is a fail report which is caused by it:\nkworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0\nCPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb\nWorkqueue: events_unbound async_run_entry_fn\nCall Trace:\n\ndump_stack_lvl+0x47/0x60\nwarn_alloc+0x13a/0x1b0\n? srso_alias_return_thunk+0x5/0xfbef5\n? __alloc_pages_direct_compact+0xab/0x210\n__alloc_pages_slowpath.constprop.0+0xd3e/0xda0\n__alloc_pages+0x32d/0x350\n? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n__kmalloc_large_node+0x72/0x110\n__kmalloc+0x37c/0x480\n? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\nmhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n__mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\ndevice_for_each_child+0x5c/0xa0\n? __pfx_pci_pm_resume+0x10/0x10\nath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e]\n? srso_alias_return_thunk+0x5/0xfbef5\nath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec]\n? srso_alias_return_thunk+0x5/0xfbef5\ndpm_run_callback+0x8c/0x1e0\ndevice_resume+0x104/0x340\n? __pfx_dpm_watchdog_handler+0x10/0x10\nasync_resume+0x1d/0x30\nasync_run_entry_fn+0x32/0x120\nprocess_one_work+0x168/0x330\nworker_thread+0x2f5/0x410\n? __pfx_worker_thread+0x10/0x10\nkthread+0xe8/0x120\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x34/0x50\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1b/0x30\n\nActually those buffers are used only by QMI target -> host communication.\nAnd for WCN6855 and QCA6390, the largest packet size for that is less\nthan 6KB. So change buf_len field to 8KB, which results in order 1\nallocation if page size is 4KB. In this way, we can at least save some\nmemory, and as well as decrease the possibility of allocation failure\nin those scenarios.\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
See more information about CVE-2024-35938 from MITRE CVE dictionary and NIST NVD
CVSS Scoring
NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.
Base Score: |
5.5 |
CVSS Vector: |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Attack Vector: |
Local network |
Attack Complexity: |
Low |
Privileges Required: |
Low |
User Interaction: |
None |
Scope: |
Unchanged |
Confidentiality Impact: |
None |
Integrity Impact: |
None |
Availability Impact: |
High |
Errata information