Fixed
Created: Dec 10, 2025
Updated: Dec 11, 2025
Resolved Date: Dec 10, 2025
Found In Version: 10.22.33.1
Fix Version: 10.22.33.3
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:[EOL][EOL]wifi: brcmfmac: fix invalid address access when enabling SCAN log level[EOL][EOL]The variable i is changed when setting random MAC address and causes[EOL]invalid address access when printing the value of pi->reqs[i]->reqid.[EOL][EOL]We replace reqs index with ri to fix the issue.[EOL][EOL][ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000[EOL][ 136.737365] Mem abort info:[EOL][ 136.740172] ESR = 0x96000004[EOL][ 136.743359] Exception class = DABT (current EL), IL = 32 bits[EOL][ 136.749294] SET = 0, FnV = 0[EOL][ 136.752481] EA = 0, S1PTW = 0[EOL][ 136.755635] Data abort info:[EOL][ 136.758514] ISV = 0, ISS = 0x00000004[EOL][ 136.762487] CM = 0, WnR = 0[EOL][ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577[EOL][ 136.772265] [0000000000000000] pgd=0000000000000000[EOL][ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP[EOL][ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)[EOL][ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)[EOL][ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1[EOL][ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)[EOL][ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)[EOL][ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac][EOL][ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac][EOL][ 136.828162] sp : ffff00000e9a3880[EOL][ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400[EOL][ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0[EOL][ 136.842098] x25: ffff80002054345c x24: ffff800088d22400[EOL][ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8[EOL][ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400[EOL][ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000[EOL][ 136.863343] x17: 0000000000000000 x16: 0000000000000000[EOL][ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050[EOL][ 136.873966] x13: 0000000000003135 x12: 0000000000000000[EOL][ 136.879277] x11: 0000000000000000 x10: ffff000009a61888[EOL][ 136.884589] x9 : 000000000000000f x8 : 0000000000000008[EOL][ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d[EOL][ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942[EOL][ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8[EOL][ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000[EOL][ 136.911146] Call trace:[EOL][ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac][EOL][ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac][EOL][ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac][EOL][ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211][EOL][ 136.937298] genl_rcv_msg+0x358/0x3f4[EOL][ 136.940960] netlink_rcv_skb+0xb4/0x118[EOL][ 136.944795] genl_rcv+0x34/0x48[EOL][ 136.947935] netlink_unicast+0x264/0x300[EOL][ 136.951856] netlink_sendmsg+0x2e4/0x33c[EOL][ 136.955781] __sys_sendto+0x120/0x19c
