CVE-2024-46760

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
18/09/2024
Last modified:
23/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: usb: schedule rx work after everything is set up

Right now it's possible to hit a NULL pointer dereference in rtw_rx_fill_rx_status on the hw object and/or its fields because the initialization routine can start getting USB replies before rtw_dev is fully set up.

The stack trace looks like this:

rtw_rx_fill_rx_status
rtw8821c_query_rx_desc
rtw_usb_rx_handler
...
queue_work
rtw_usb_read_port_complete
...
usb_submit_urb
rtw_usb_rx_resubmit
rtw_usb_init_rx
rtw_usb_probe

So while we do the async stuff, rtw_usb_probe continues and calls rtw_register_hw, which does all kinds of initialization (e.g. via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on.

Fix this by moving the first usb_submit_urb after everything is set up.

For me, this bug manifested as:
[ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped
[ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status
because I'm using Larry's backport of the rtw88 driver with the NULL checks in rtw_rx_fill_rx_status.
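A constructed C model of the probe ordering defect and its fix, added here as an illustration; it is not the rtw88 driver's code. Struct and function names are stand-ins that only mirror the names in the trace above, and the USB completion is modelled as running synchronously inside the URB submission, i.e. the worst-case timing where the first reply lands before the hw object exists.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the driver's objects (not the real kernel types). */
struct chan { int center_freq; };
struct hw_conf { struct chan *chan; };
struct ieee80211_hw { struct hw_conf conf; };
struct rtw_dev { struct ieee80211_hw *hw; int dropped; int received; };

/* Stand-in for rtw_rx_fill_rx_status: needs hw->conf.chan to be populated.
 * Without the NULL checks this is where the dereference would fault;
 * with them (as in the backport quoted above) the packet is dropped. */
static int rtw_rx_fill_rx_status(struct rtw_dev *rtwdev)
{
    if (!rtwdev->hw || !rtwdev->hw->conf.chan) {
        rtwdev->dropped++;
        return -1;          /* "band wrong, packet dropped" */
    }
    rtwdev->received++;
    return 0;
}

/* Stand-in for rtw_usb_init_rx -> usb_submit_urb: the completion path
 * (rtw_usb_read_port_complete -> rx work) is modelled as immediate. */
static void rtw_usb_init_rx(struct rtw_dev *rtwdev)
{
    rtw_rx_fill_rx_status(rtwdev);
}

/* Stand-in for rtw_register_hw / ieee80211_register_hw: makes hw usable. */
static void rtw_register_hw(struct rtw_dev *rtwdev, struct ieee80211_hw *hw,
                            struct chan *chan)
{
    hw->conf.chan = chan;
    rtwdev->hw = hw;
}

/* Runs a probe in the vulnerable order (URB first) or the fixed order
 * (register first) and returns the number of packets that hit the NULL hw. */
static int run_probe(int fixed_order, int *received)
{
    struct chan chan = { 2412 };
    struct ieee80211_hw hw = { { NULL } };
    struct rtw_dev rtwdev = { NULL, 0, 0 };

    if (fixed_order) { rtw_register_hw(&rtwdev, &hw, &chan); rtw_usb_init_rx(&rtwdev); }
    else             { rtw_usb_init_rx(&rtwdev); rtw_register_hw(&rtwdev, &hw, &chan); }
    if (received) *received = rtwdev.received;
    return rtwdev.dropped;
}

int vulnerable_probe_drops(void) { return run_probe(0, NULL); }
int fixed_probe_drops(void)      { return run_probe(1, NULL); }
```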

Vulnerable products and versions

CPE                                           From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  (not specified)    6.6.51 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.7 (including)    6.10.10 (excluding)