{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-53315", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-09-16T16:08:59.562Z", "datePublished": "2025-09-16T16:11:52.242Z", "dateUpdated": "2025-09-16T16:11:52.242Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-16T16:11:52.242Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Fix SKB corruption in REO destination ring\n\nWhile running traffics for a long time, randomly an RX descriptor\nfilled with value \"0\" from REO destination ring is received.\nThis descriptor which is invalid causes the wrong SKB (SKB stored in\nthe IDR lookup with buffer id \"0\") to be fetched which in turn\ncauses SKB memory corruption issue and the same leads to crash\nafter some time.\n\nChanged the start id for idr allocation to \"1\" and the buffer id \"0\"\nis reserved for error validation. Introduced Sanity check to validate\nthe descriptor, before processing the SKB.\n\nCrash Signature :\n\nUnable to handle kernel paging request at virtual address 3f004900\nPC points to \"b15_dma_inv_range+0x30/0x50\"\nLR points to \"dma_cache_maint_page+0x8c/0x128\".\nThe Backtrace obtained is as follows:\n[<8031716c>] (b15_dma_inv_range) from [<80313a4c>] (dma_cache_maint_page+0x8c/0x128)\n[<80313a4c>] (dma_cache_maint_page) from [<80313b90>] (__dma_page_dev_to_cpu+0x28/0xcc)\n[<80313b90>] (__dma_page_dev_to_cpu) from [<7fb5dd68>] (ath11k_dp_process_rx+0x1e8/0x4a4 [ath11k])\n[<7fb5dd68>] (ath11k_dp_process_rx [ath11k]) from [<7fb53c20>] (ath11k_dp_service_srng+0xb0/0x2ac [ath11k])\n[<7fb53c20>] (ath11k_dp_service_srng [ath11k]) from [<7f67bba4>] (ath11k_pci_ext_grp_napi_poll+0x1c/0x78 [ath11k_pci])\n[<7f67bba4>] (ath11k_pci_ext_grp_napi_poll [ath11k_pci]) from [<807d5cf4>] (__napi_poll+0x28/0xb8)\n[<807d5cf4>] (__napi_poll) from [<807d5f28>] (net_rx_action+0xf0/0x280)\n[<807d5f28>] (net_rx_action) from [<80302148>] (__do_softirq+0xd0/0x280)\n[<80302148>] (__do_softirq) from [<80320408>] (irq_exit+0x74/0xd4)\n[<80320408>] (irq_exit) from [<803638a4>] (__handle_domain_irq+0x90/0xb4)\n[<803638a4>] (__handle_domain_irq) from [<805bedec>] (gic_handle_irq+0x58/0x90)\n[<805bedec>] (gic_handle_irq) from [<80301a78>] (__irq_svc+0x58/0x8c)\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath11k/dp_rx.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "866921dc06b94df91acfcf9359b57da943ed99b3", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "3d3f8fe01a01d94a17fe1ae0d2e894049a972717", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "068fd06148fbf0af95bb08dc77cff34ee679fdbc", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "67459491f78146bcf7d93596e5b709d063dff5d8", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "f9fff67d2d7ca6fa8066132003a3deef654c55b1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath11k/dp_rx.c"], "versions": [{"version": "5.10.181", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.113", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.30", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3.4", "lessThanOrEqual": "6.3.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.181"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.113"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/866921dc06b94df91acfcf9359b57da943ed99b3"}, {"url": "https://git.kernel.org/stable/c/3d3f8fe01a01d94a17fe1ae0d2e894049a972717"}, {"url": "https://git.kernel.org/stable/c/068fd06148fbf0af95bb08dc77cff34ee679fdbc"}, {"url": "https://git.kernel.org/stable/c/67459491f78146bcf7d93596e5b709d063dff5d8"}, {"url": "https://git.kernel.org/stable/c/f9fff67d2d7ca6fa8066132003a3deef654c55b1"}], "title": "wifi: ath11k: Fix SKB corruption in REO destination ring", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Fix SKB corruption in REO destination ring\n\nWhile running traffics for a long time, randomly an RX descriptor\nfilled with value \"0\" from REO destination ring is received.\nThis descriptor which is invalid causes the wrong SKB (SKB stored in\nthe IDR lookup with buffer id \"0\") to be fetched which in turn\ncauses SKB memory corruption issue and the same leads to crash\nafter some time.\n\nChanged the start id for idr allocation to \"1\" and the buffer id \"0\"\nis reserved for error validation. Introduced Sanity check to validate\nthe descriptor, before processing the SKB.\n\nCrash Signature :\n\nUnable to handle kernel paging request at virtual address 3f004900\nPC points to \"b15_dma_inv_range+0x30/0x50\"\nLR points to \"dma_cache_maint_page+0x8c/0x128\".\nThe Backtrace obtained is as follows:\n[<8031716c>] (b15_dma_inv_range) from [<80313a4c>] (dma_cache_maint_page+0x8c/0x128)\n[<80313a4c>] (dma_cache_maint_page) from [<80313b90>] (__dma_page_dev_to_cpu+0x28/0xcc)\n[<80313b90>] (__dma_page_dev_to_cpu) from [<7fb5dd68>] (ath11k_dp_process_rx+0x1e8/0x4a4 [ath11k])\n[<7fb5dd68>] (ath11k_dp_process_rx [ath11k]) from [<7fb53c20>] (ath11k_dp_service_srng+0xb0/0x2ac [ath11k])\n[<7fb53c20>] (ath11k_dp_service_srng [ath11k]) from [<7f67bba4>] (ath11k_pci_ext_grp_napi_poll+0x1c/0x78 [ath11k_pci])\n[<7f67bba4>] (ath11k_pci_ext_grp_napi_poll [ath11k_pci]) from [<807d5cf4>] (__napi_poll+0x28/0xb8)\n[<807d5cf4>] (__napi_poll) from [<807d5f28>] (net_rx_action+0xf0/0x280)\n[<807d5f28>] (net_rx_action) from [<80302148>] (__do_softirq+0xd0/0x280)\n[<80302148>] (__do_softirq) from [<80320408>] (irq_exit+0x74/0xd4)\n[<80320408>] (irq_exit) from [<803638a4>] (__handle_domain_irq+0x90/0xb4)\n[<803638a4>] (__handle_domain_irq) from [<805bedec>] (gic_handle_irq+0x58/0x90)\n[<805bedec>] (gic_handle_irq) from [<80301a78>] (__irq_svc+0x58/0x8c)\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1"}], "id": "CVE-2023-53315", "lastModified": "2025-09-16T17:15:37.480", "metrics": {}, "published": "2025-09-16T17:15:37.480", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/068fd06148fbf0af95bb08dc77cff34ee679fdbc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3d3f8fe01a01d94a17fe1ae0d2e894049a972717"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/67459491f78146bcf7d93596e5b709d063dff5d8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/866921dc06b94df91acfcf9359b57da943ed99b3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f9fff67d2d7ca6fa8066132003a3deef654c55b1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}