Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath10k: fix dma_free_coherent() pointer
dma_alloc_coherent() allocates a DMA mapped buffer and stores the
addresses in XXX_unaligned fields. Those should be reused when freeing
the buffer rather than the aligned addresses.
A flaw was found in the Linux kernel's ath10k Wi-Fi driver. This memory management bug occurs during the copy engine ring teardown process, where the driver incorrectly frees Direct Memory Access (DMA) coherent buffers. A local attacker with low privileges could exploit this by triggering the flawed teardown, potentially leading to memory leaks, resource exhaustion, and system instability, resulting in a Denial of Service (DoS).
Report
A memory management bug exists in the ath10k copy engine ring teardown path. The driver allocates DMA coherent descriptor rings with dma_alloc_coherent and stores the original addresses in unaligned fields. It also derives aligned addresses for device consumption. The buggy code passed the aligned CPU pointer and aligned DMA address into dma_free_coherent. The DMA API requires that dma_free_coherent is called with the exact CPU virtual address and DMA handle that were returned by dma_alloc_coherent. Freeing with adjusted aligned addresses can cause incorrect freeing behavior. This may manifest as DMA API warnings. It may also lead to memory leaks and resource exhaustion. Under some configurations it could contribute to instability during device reset or module unload.
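The teardown mismatch described above, as an added userspace model in C; it is not code from the kernel or the ath10k driver. The mock allocator, the struct and all field and function names are hypothetical, and only the CPU pointer is modelled (per the description above, the DMA handle must be the allocator's original value in the same way).

```c
#include <stddef.h>
#include <stdint.h>

#define RING_ALIGN 16u /* constructed alignment for this model */
/* Mock DMA API (assumption): one allocation, never RING_ALIGN-aligned. */
static _Alignas(64) unsigned char pool[256];
static void *live_cpu;

static void *mock_alloc_coherent(size_t size)
{
    if (live_cpu || size > sizeof(pool) - 4)
        return NULL;
    return live_cpu = pool + 4;
}

/* Releases only on the exact pointer the allocator handed out. */
static int mock_free_coherent(void *cpu)
{
    if (cpu != live_cpu)
        return -1; /* mismatch: the buffer stays allocated */
    live_cpu = NULL;
    return 0;
}

struct ring { /* hypothetical field names */
    void *vaddr_unaligned; /* exactly what the allocator returned */
    void *vaddr;           /* rounded up for the device */
};

static int ring_alloc(struct ring *r, size_t nbytes)
{
    r->vaddr_unaligned = mock_alloc_coherent(nbytes + RING_ALIGN);
    if (!r->vaddr_unaligned)
        return -1;
    r->vaddr = (void *)(((uintptr_t)r->vaddr_unaligned + RING_ALIGN - 1)
                        & ~(uintptr_t)(RING_ALIGN - 1));
    return 0;
}

/* Buggy teardown: frees with the derived aligned pointer. */
static int ring_free_buggy(struct ring *r) { return mock_free_coherent(r->vaddr); }
/* Fixed teardown: frees with the stored allocation result. */
static int ring_free_fixed(struct ring *r) { return mock_free_coherent(r->vaddr_unaligned); }

int main(void)
{
    struct ring r;
    return (ring_alloc(&r, 64) || ring_free_buggy(&r) != -1) ? 1 : ring_free_fixed(&r);
}
```

The mock forces the two pointers to differ so the mismatch is visible on every run; when an allocator happens to return an already aligned address, both pointers are equal and the buggy teardown goes unnoticed.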
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 6 | kernel | Not affected | | |
| Red Hat Enterprise Linux 7 | kernel | Not affected | | |
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | | |
| Red Hat Enterprise Linux 8 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 8 | kernel-rt | Fix deferred | | |
| Red Hat Enterprise Linux 9 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 9 | kernel-rt | Fix deferred | | |
Additional information
CVSS3: 4.7 Medium
Related vulnerabilities
ELSA-2026-50145: Unbreakable Enterprise kernel security update (IMPORTANT)