CVE-2023-53532 in Linux

Summary

by MITRE • 10/01/2025

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: fix deinitialization of firmware resources

Currently, in ath11k_ahb_fw_resources_init(), iommu domain mapping is done only for the chipsets having fixed firmware memory. Also, for such chipsets, mapping is done only if they do not have TrustZone support.

During deinitialization, only if TrustZone support is not there, iommu is unmapped back. However, for non-fixed firmware memory chipsets, TrustZone support is not there, and this makes the condition check true, so it tries to unmap the memory which was not mapped during initialization.

This leads to the following trace -

[ 83.198790] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[ 83.259537] Modules linked in: ath11k_ahb ath11k qmi_helpers
.. snip ..
[ 83.280286] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 83.287228] pc : __iommu_unmap+0x30/0x140
[ 83.293907] lr : iommu_unmap+0x5c/0xa4
[ 83.298072] sp : ffff80000b3abad0
.. snip ..
[ 83.369175] Call trace:
[ 83.376282] __iommu_unmap+0x30/0x140
[ 83.378541] iommu_unmap+0x5c/0xa4
[ 83.382360] ath11k_ahb_fw_resource_deinit.part.12+0x2c/0xac [ath11k_ahb]
[ 83.385666] ath11k_ahb_free_resources+0x140/0x17c [ath11k_ahb]
[ 83.392521] ath11k_ahb_shutdown+0x34/0x40 [ath11k_ahb]
[ 83.398248] platform_shutdown+0x20/0x2c
[ 83.403455] device_shutdown+0x16c/0x1c4
[ 83.407621] kernel_restart_prepare+0x34/0x3c
[ 83.411529] kernel_restart+0x14/0x74
[ 83.415781] __do_sys_reboot+0x1c4/0x22c
[ 83.419427] __arm64_sys_reboot+0x1c/0x24
[ 83.423420] invoke_syscall+0x44/0xfc
[ 83.427326] el0_svc_common.constprop.3+0xac/0xe8
[ 83.430974] do_el0_svc+0xa0/0xa8
[ 83.435659] el0_svc+0x1c/0x44
[ 83.438957] el0t_64_sync_handler+0x60/0x144
[ 83.441910] el0t_64_sync+0x15c/0x160
[ 83.446343] Code: aa0103f4 f9400001 f90027a1 d2800001 (f94006a0)
[ 83.449903] ---[ end trace 0000000000000000 ]---

This can be reproduced by probing an AHB chipset which does not have a fixed memory region. During reboot (or rmmod), the trace can be seen.

Fix this issue by adding a condition check on firmware fixed memory hw_param as done in the counter initialization function.

Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1


Analysis

by VulDB Data Team • 01/27/2026

The vulnerability described in CVE-2023-53532 affects the Linux kernel's ath11k wireless driver, specifically within the ath11k_ahb module responsible for handling AHB-based wireless chipsets. This issue stems from an improper deinitialization sequence of firmware resources, creating a critical inconsistency between initialization and cleanup operations. The flaw manifests when the driver attempts to unmap IOMMU (Input-Output Memory Management Unit) domains during device shutdown or module removal for chipsets that do not utilize fixed firmware memory regions. The root cause lies in the asymmetric conditional logic between firmware resource initialization and deinitialization functions, where the deinitialization path fails to properly account for hardware configurations that differ from those initially handled.

The technical implementation flaw occurs in the ath11k_ahb_fw_resources_init() function, which performs IOMMU domain mapping only for chipsets with fixed firmware memory and, among those, only for chipsets without TrustZone support. During deinitialization through ath11k_ahb_fw_resource_deinit(), however, the code checks only the TrustZone condition and so assumes that whenever TrustZone is not supported, the IOMMU mapping must have been set up during initialization. This assumption breaks down for non-fixed firmware memory chipsets, where no IOMMU mapping was ever created, so the driver attempts to unmap a region that was never mapped. The resulting kernel NULL pointer dereference at virtual address 0000000000000008 occurs when __iommu_unmap is called for a domain that was never set up, causing a kernel oops and system instability.

This vulnerability directly impacts system stability and reliability, particularly during critical system operations such as reboot sequences or module removal. The operational consequences extend beyond simple system crashes to potentially compromising the integrity of wireless connectivity and device management functions in embedded systems. The issue affects AHB-based chipsets like the IPQ8074 hardware revision 2.0, where the wireless subsystem may become completely non-functional after attempting to unload the driver or during system shutdown. The attack surface is limited to systems utilizing the affected ath11k_ahb driver with specific hardware configurations that do not have fixed firmware memory regions, making this a targeted issue affecting particular embedded wireless networking deployments.

The fix for CVE-2023-53532 implements a consistent conditional check that mirrors the initialization logic by verifying the firmware fixed memory hardware parameter before attempting IOMMU unmap operations. This approach aligns with the principle of symmetric resource management where initialization and deinitialization paths follow identical conditional logic. The solution prevents the NULL pointer dereference by ensuring that IOMMU unmapping only occurs when the corresponding mapping was actually performed, thereby eliminating the kernel panic condition. This fix follows established best practices for kernel module development and addresses the specific inconsistency identified in the Linux kernel's memory management subsystem. The remediation maintains backward compatibility while ensuring proper resource cleanup across all supported hardware configurations, aligning with CWE-459 (Inconsistent State) and ATT&CK technique T1489 (Service Stop) through proper resource management and system stability maintenance.
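To make the asymmetry described in the commit message and in the analysis above concrete, the following is an added example and not the ath11k driver's code (nor VulDB's): a stand-alone userspace C model in which the names hw_params, ab, fw_resources_init, fw_resources_deinit_buggy, fw_resources_deinit_fixed and run_cycle are hypothetical, and the kernel's iommu_unmap() is replaced by a stub that only records whether it was reached with a domain the init path never created. It shows the buggy deinit reaching the unmap for a non-fixed-memory, non-TrustZone chipset (the reboot/rmmod case in the report), and the corrected deinit skipping it while still unmapping exactly once for a chipset that did map.

```c
/* Added illustration of the asymmetric init/deinit condition behind
 * CVE-2023-53532. Userspace model with hypothetical names; not ath11k code.
 * iommu_map()/iommu_unmap() are replaced by stubs that only record calls. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the hw_params the commit message refers to. */
struct hw_params {
    bool fixed_fw_mem;  /* chipset has a fixed firmware memory region */
    bool trustzone;     /* firmware is loaded by TrustZone */
};

struct iommu_domain { int id; };

struct ab {
    struct hw_params hw;
    struct iommu_domain *domain; /* NULL unless init actually mapped */
};

static struct iommu_domain the_domain = { 1 };
static int unmap_calls;        /* total unmap attempts in the last cycle */
static int null_domain_unmaps; /* unmaps against a domain never created */

/* Stub for iommu_unmap(): in the kernel, a NULL domain here is the
 * NULL pointer dereference inside __iommu_unmap shown in the trace. */
static void stub_iommu_unmap(struct iommu_domain *domain)
{
    unmap_calls++;
    if (domain == NULL)
        null_domain_unmaps++;
}

/* Mirrors the initialization rule from the commit message: map only for
 * fixed-memory chipsets, and among those only when TrustZone is absent. */
static void fw_resources_init(struct ab *ab)
{
    ab->domain = NULL;
    if (!ab->hw.fixed_fw_mem)
        return;
    if (ab->hw.trustzone)
        return;
    ab->domain = &the_domain; /* stands in for domain alloc + iommu_map */
}

/* Buggy deinit: checks only TrustZone, so a non-fixed-memory chipset
 * (which never mapped anything) still reaches the unmap. */
static void fw_resources_deinit_buggy(struct ab *ab)
{
    if (!ab->hw.trustzone)
        stub_iommu_unmap(ab->domain);
}

/* Fixed deinit: adds the fixed-memory check so the condition is the
 * exact counterpart of the one used during initialization. */
static void fw_resources_deinit_fixed(struct ab *ab)
{
    if (!ab->hw.fixed_fw_mem)
        return;
    if (!ab->hw.trustzone)
        stub_iommu_unmap(ab->domain);
}

typedef void (*deinit_fn)(struct ab *);

/* Runs one init + deinit cycle for a configuration and returns how many
 * unmaps hit a never-created domain (0 is the correct result). */
static int run_cycle(bool fixed_fw_mem, bool trustzone, deinit_fn deinit)
{
    struct ab ab = { .hw = { fixed_fw_mem, trustzone }, .domain = NULL };
    unmap_calls = 0;
    null_domain_unmaps = 0;
    fw_resources_init(&ab);
    deinit(&ab);
    return null_domain_unmaps;
}

/* Non-fixed-memory, non-TrustZone chipset: the reboot/rmmod crash case. */
int buggy_deinit_touches_null_domain(void)
{
    return run_cycle(false, false, fw_resources_deinit_buggy);
}

int fixed_deinit_touches_null_domain(void)
{
    return run_cycle(false, false, fw_resources_deinit_fixed);
}

/* Fixed-memory, non-TrustZone chipset (the one that does map): the fixed
 * deinit must still unmap exactly once. Returns the unmap call count. */
int fixed_deinit_unmaps_when_mapped(void)
{
    run_cycle(true, false, fw_resources_deinit_fixed);
    return unmap_calls;
}

int main(void)
{
    printf("buggy deinit, non-fixed chipset: NULL-domain unmaps = %d\n",
           buggy_deinit_touches_null_domain());
    printf("fixed deinit, non-fixed chipset: NULL-domain unmaps = %d\n",
           fixed_deinit_touches_null_domain());
    printf("fixed deinit, fixed chipset: unmap calls = %d\n",
           fixed_deinit_unmaps_when_mapped());
    return 0;
}
```

The point the model isolates is that the deinit condition must be derived from the same predicate as the init condition, not from a subset of it; a cleanup path gated on "TrustZone absent" alone admits every configuration in which init chose not to map, which is exactly the case the trace in the report shows.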

Responsible

Linux

Reservation

10/01/2025

Disclosure

10/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00135

KEV

no

Activities

very low
