CVE-2024-35938 - Memory Allocation Failure in Linux Kernel wifi/ath11k (MHI Channel Buffer Size) and Fix Explained

A recent Linux kernel vulnerability, assigned CVE-2024-35938, affected the ath11k WiFi driver subsystem. This subtle bug was related to how buffer memory was allocated for the MHI (Modem Host Interface) channels. If triggered, it could cause critical system memory allocation failures — especially on systems under memory pressure or with highly fragmented RAM.

In this post, we’ll explain what went wrong, show code snippets from both vulnerable and fixed versions, and clarify how this bug could impact real-world Linux systems. You'll also learn why the kernel team changed the buffer size and what that means for your security or stability.

The Root of the Problem

The ath11k WiFi driver (which supports Qualcomm chips such as the QCA6390 and WCN6855) uses the MHI (Modem Host Interface) protocol between the host (your device) and the target (the WiFi chip). Part of bringing that link up is allocating the buffers the MHI channels use for communication.

Code Problem

In the original driver code, the buf_len field of the ath11k MHI config (the buffer size for each MHI channel) is set to 0. MHI treats 0 as "use the default" and falls back to its default buffer size: a 64KB chunk of memory per buffer slot.

If the system's RAM is fragmented and memory compaction/reclaim isn’t possible (e.g., during device resume or heavy load), Linux may fail to allocate such a large contiguous buffer. When that happens, WiFi might not recover, resume, or initialize correctly — leading to WiFi not working or system instability.

When the bug occurs, the kernel log shows a page allocation failure like this (trace abbreviated):

kworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0
...
__kmalloc_large_node+0x72/0x110
__kmalloc+0x37c/0x480
mhi_prepare_channel+0x127/0x2d0
...
ath11k_core_resume+0x65/0x100

The Vulnerable Code

Here's a simplified excerpt of the original ath11k MHI config (see the upstream commit referenced below):

struct ath11k_mhi_config ath11k_mhi_config_qca6390 = {
    .buf_len = 0,    // 0 = let MHI use its default, which is 64KB. BAD!
    // ... other fields ...
};

That .buf_len = 0 looks harmless, but the consequence is that MHI tries to allocate one 64KB block per channel buffer slot (potentially many of them), and such allocations often fail on modern workloads where memory is fragmented.

Why is 64KB a Problem?

- Big allocations (order:4 = 16 contiguous pages = 64KB on systems with 4KB pages) are likely to fail unless the system has that many physically contiguous free pages available; fragmentation alone can make them fail even when plenty of RAM is free in total.

The Fix

The fixed version sets the buffer length to 8KB. That is large enough for the actual maximum MHI packet size, and it makes the memory allocation _dramatically_ more reliable.

Fixed code snippet

struct ath11k_mhi_config ath11k_mhi_config_qca6390 = {
    .buf_len = 8 * 1024,   // 8KB: fits the largest MHI packet, and only an order-1 allocation
    // ... other fields ...
};

Now each allocation only needs order 1 (8KB, i.e. 2 contiguous 4KB pages), which Linux can almost always satisfy, even on a busy or fragmented system.
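To make the order arithmetic concrete, here is an added userspace C example (not ath11k or kernel code) that reproduces the get_order() calculation behind the "order:4" in the log above, and parses such a warn_alloc() report line so it can be flagged. The 4KB page size, the 64KB MHI default and the costly-order threshold of 3 are assumed constants taken from the post and from the kernel's mm code.

```c
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12u                     /* 4KB pages, as in the post */
#define PAGE_SIZE (1u << PAGE_SHIFT)
#define MHI_DEFAULT_BUF_LEN (64u * 1024u)  /* what buf_len = 0 falls back to (assumed) */
#define PAGE_ALLOC_COSTLY_ORDER 3          /* kernel mm: orders above this are "costly" */

/* Same result as the kernel's get_order(): smallest n with (PAGE_SIZE << n) >= size. */
static unsigned int get_order(size_t size)
{
    size_t pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;  /* round up to whole pages */
    unsigned int order = 0;
    while (((size_t)1 << order) < pages)
        order++;
    return order;
}

/* Order implied by a config's buf_len: 0 means "MHI default", i.e. 64KB -> order 4;
 * the fixed 8 * 1024 gives order 1. */
static unsigned int mhi_buf_order(size_t buf_len)
{
    return get_order(buf_len ? buf_len : MHI_DEFAULT_BUF_LEN);
}

/* Parse a warn_alloc() report line; returns its order, or -1 if not such a line. */
static int alloc_failure_order(const char *line)
{
    const char *p = strstr(line, "page allocation failure: order:");
    int order;
    if (!p || sscanf(p, "page allocation failure: order:%d", &order) != 1)
        return -1;
    return order;
}

/* Costly orders are the ones the allocator gives up on first under fragmentation. */
static int is_costly_order(int order)
{
    return order > PAGE_ALLOC_COSTLY_ORDER;
}

int main(void)
{
    /* constructed sample line, modelled on the report quoted in the post */
    const char *log = "kworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP)";
    int order = alloc_failure_order(log);
    printf("buf_len=0 -> order %u; buf_len=8KB -> order %u\n", mhi_buf_order(0), mhi_buf_order(8 * 1024));
    printf("log reports order %d (costly: %s)\n", order, is_costly_order(order) ? "yes" : "no");
    return 0;
}
```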

Exploitability & System Impact

Is this a security risk?
This is mainly a stability/availability bug, not a privilege escalation or direct security hole.

- Denial of service: A local user could try to consistently put the system under memory pressure to cause WiFi hardware to fail resuming or initializing.
- WiFi not available: Users might find WiFi does not come up, especially after waking the machine from sleep or under high load.
- No direct code execution exploit, but a motivated attacker _could_ repeatedly force the allocation path and cause service loss.

Exploit Scenario Example:
An attacker running in userspace could keep the RAM fragmented (e.g., by running processes that allocate and free small bits of memory) and then issue suspend/resume or WiFi reset cycles. This could cause the buffer allocation to fail, resulting in no WiFi device — a kind of local denial-of-service.

Kernel version: Fixed in Linux 6.8.0-rc3 and later (and backported to stable).

- Upstream commit: 493b6d5b382c603654d7a81fc3c144d59a1dfceb

Distributions: Will need to update their kernels or apply the patch.

Home users:
Update your system's kernel to a version newer than 6.8.0-rc3 (or wait for it to be integrated by your Linux distro).

Upstream kernel commit:

ath11k: decrease MHI channel buffer length to 8KB

LKML Patch Discussion:

LKML Patch - ath11k: decrease MHI channel buffer length to 8KB

CVE entry:

CVE-2024-35938 at CVE.org

Conclusion

CVE-2024-35938 is a good example of how a one-line configuration error can seriously hurt system stability — and why kernel developers have to care about low-level memory details! By shrinking the buffer to 8KB, modern Linux is now both lighter on RAM and more robust for WiFi resume scenarios.

If you hit similar allocation errors, check your driver for excessive buffer defaults!

- Follow the linux-wireless mailing list for the latest WiFi driver updates

Timeline

Published on: 05/19/2024 11:15:49 UTC
Last modified on: 05/04/2025 09:08:49 UTC