CVE-2024-43911

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
26/08/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL dereference at band check in starting tx ba session

In MLD connection, link_data/link_conf are dynamically allocated. They don't point to vif->bss_conf. So, there will be no chanreq assigned to vif->bss_conf and then the chan will be NULL. Tweak the code to check ht_supported/vht_supported/has_he/has_eht on sta deflink.

Crash log (with rtw89 version under MLO development):
[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 9890.526102] #PF: supervisor read access in kernel mode
[ 9890.526105] #PF: error_code(0x0000) - not-present page
[ 9890.526109] PGD 0 P4D 0
[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI
[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1
[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018
[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]
[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211
[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3
All code
========
   0:   f7 e8                   imul   %eax
   2:   d5                      (bad)
   3:   93                      xchg   %eax,%ebx
   4:   3e ea                   ds (bad)
   6:   48 83 c4 28             add    $0x28,%rsp
   a:   89 d8                   mov    %ebx,%eax
   c:   5b                      pop    %rbx
   d:   41 5c                   pop    %r12
   f:   41 5d                   pop    %r13
  11:   41 5e                   pop    %r14
  13:   41 5f                   pop    %r15
  15:   5d                      pop    %rbp
  16:   c3                      retq
  17:   cc                      int3
  18:   cc                      int3
  19:   cc                      int3
  1a:   cc                      int3
  1b:   49 8b 84 24 e0 f1 ff    mov    -0xe20(%r12),%rax
  22:   ff
  23:   48 8b 80 90 1b 00 00    mov    0x1b90(%rax),%rax
  2a:*  83 38 03                cmpl   $0x3,(%rax)
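The failure mode described above, shown as an added example with hypothetical stand-in types rather than the kernel's own mac80211 code: the pre-fix check is modelled as reaching the operating channel through vif->bss_conf, which is NULL for an MLD link, while the fixed check reads the capability flags on the station's deflink and never touches the channel.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in types modelled on the mac80211 structures the advisory names;
 * they are hypothetical, not the kernel's definitions. */
enum band { BAND_2GHZ, BAND_5GHZ, BAND_60GHZ, BAND_6GHZ };
struct channel { enum band band; };
struct bss_conf { struct channel *chan; };  /* NULL when no chanreq was assigned */
struct link_caps { bool ht_supported, vht_supported, has_he, has_eht; };
struct sta { struct link_caps deflink; const struct bss_conf *vif_bss_conf; };

/* Before the fix (modelled): the band check reaches vif->bss_conf->chan,
 * which is NULL for an MLD connection because link_conf is allocated
 * dynamically and does not point to vif->bss_conf. */
static int start_tx_ba_check_vulnerable(const struct sta *sta)
{
	if (!sta->deflink.ht_supported &&
	    sta->vif_bss_conf->chan->band != BAND_6GHZ)  /* NULL dereference */
		return -EINVAL;
	return 0;
}

/* After the fix: decide from the station's own deflink capabilities,
 * which exist for both legacy and MLD connections; no channel lookup. */
static int start_tx_ba_check_fixed(const struct sta *sta)
{
	if (!sta->deflink.ht_supported && !sta->deflink.vht_supported &&
	    !sta->deflink.has_he && !sta->deflink.has_eht)
		return -EINVAL;
	return 0;
}

/* Constructed scenarios, not taken from the page's crash log. */
static struct channel chan_5ghz = { BAND_5GHZ };
static const struct bss_conf legacy_conf = { &chan_5ghz };
static const struct bss_conf mld_conf = { NULL };
static const struct sta legacy_ht_sta   = { { true,  false, false, false }, &legacy_conf };
static const struct sta legacy_noht_sta = { { false, false, false, false }, &legacy_conf };
static const struct sta mld_he_sta      = { { false, false, true,  false }, &mld_conf };
static const struct sta mld_noht_sta    = { { false, false, false, false }, &mld_conf };

int main(void)
{
	printf("legacy HT sta, old check: %d\n", start_tx_ba_check_vulnerable(&legacy_ht_sta));
	printf("legacy non-HT sta, old check: %d\n", start_tx_ba_check_vulnerable(&legacy_noht_sta));
	/* The old check is not run on the MLD stations: with chan == NULL it faults. */
	printf("MLD HE sta, fixed check: %d\n", start_tx_ba_check_fixed(&mld_he_sta));
	printf("MLD non-HT sta, fixed check: %d\n", start_tx_ba_check_fixed(&mld_noht_sta));
	return 0;
}
```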

Vulnerable products and versions

CPE:
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
From:
(not specified)
Up to:
6.10.5 (excluding)