Acknowledged
Created: Aug 24, 2025
Updated: Aug 26, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band[EOL][EOL]With a quite rare chance, RX report might be problematic to make SW think[EOL]a packet is received on 6 GHz band even if the chip does not support 6 GHz[EOL]band actually. Since SW won't initialize stuffs for unsupported bands, NULL[EOL]dereference will happen then in the sequence, rtw89_vif_rx_stats_iter() ->[EOL]rtw89_core_cancel_6ghz_probe_tx(). So, add a check to avoid it.[EOL][EOL]The following is a crash log for this case.[EOL][EOL] BUG: kernel NULL pointer dereference, address: 0000000000000032[EOL] #PF: supervisor read access in kernel mode[EOL] #PF: error_code(0x0000) - not-present page[EOL] PGD 0 P4D 0[EOL] Oops: 0000 [#1] PREEMPT SMP NOPTI[EOL] CPU: 1 PID: 1907 Comm: irq/131-rtw89_p Tainted: G U 6.6.56-05896-g89f5fb0eb30b #1 (HASH:1400 4)[EOL] Hardware name: Google Telith/Telith, BIOS Google_Telith.15217.747.0 11/12/2024[EOL] RIP: 0010:rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core][EOL] Code: 4c 89 7d c8 48 89 55 c0 49 8d 44 24 02 48 89 45 b8 45 31 ff eb 11[EOL] 41 c6 45 3a 01 41 b7 01 4d 8b 6d 00 4d 39 f5 74 42 8b 43 10 <41> 33 45[EOL] 32 0f b7 4b 14 66 41 33 4d 36 0f b7 c9 09 c1 74 d8 4d 85[EOL] RSP: 0018:ffff9f3080138ca0 EFLAGS: 00010246[EOL] RAX: 00000000b8bf5770 RBX: ffff91b5e8c639c0 RCX: 0000000000000011[EOL] RDX: ffff91b582de1be8 RSI: 0000000000000000 RDI: ffff91b5e8c639e6[EOL] RBP: ffff9f3080138d00 R08: 0000000000000000 R09: 0000000000000000[EOL] R10: ffff91b59de70000 R11: ffffffffc069be50 R12: ffff91b5e8c639e4[EOL] R13: 0000000000000000 R14: ffff91b5828020b8 R15: 0000000000000000[EOL] FS: 0000000000000000(0000) GS:ffff91b8efa40000(0000) knlGS:0000000000000000[EOL] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[EOL] CR2: 0000000000000032 CR3: 00000002bf838000 CR4: 0000000000750ee0[EOL] PKRU: 55555554[EOL] Call Trace:[EOL] <IRQ>[EOL] ? __die_body+0x68/0xb0[EOL] ? page_fault_oops+0x379/0x3e0[EOL] ? exc_page_fault+0x4f/0xa0[EOL] ? asm_exc_page_fault+0x22/0x30[EOL] ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)][EOL] ? rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core (HASH:1400 5)][EOL] __iterate_interfaces+0x59/0x110 [mac80211 (HASH:1400 6)][EOL] ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)][EOL] ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)][EOL] ieee80211_iterate_active_interfaces_atomic+0x36/0x50 [mac80211 (HASH:1400 6)][EOL] rtw89_core_rx_to_mac80211+0xfd/0x1b0 [rtw89_core (HASH:1400 5)][EOL] rtw89_core_rx+0x43a/0x980 [rtw89_core (HASH:1400 5)]
CREATE(Triage):(User=pbi-cn) [CVE-2025-38646 (https://nvd.nist.gov/vuln/detail/CVE-2025-38646)
