CVE-2025-21744

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 27/02/2025
Last modified: 13/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()

On removal of the device or unloading of the kernel module a potential NULL pointer dereference occurs.

The following sequence deletes the interface:

    brcmf_detach()
      brcmf_remove_interface()
        brcmf_del_if()

Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches.

After brcmf_remove_interface() call the brcmf_proto_detach() function is called providing the following sequence:

    brcmf_detach()
      brcmf_proto_detach()
        brcmf_proto_msgbuf_detach()
          brcmf_flowring_detach()
            brcmf_msgbuf_delete_flowring()
              brcmf_msgbuf_remove_flowring()
                brcmf_flowring_delete()
                  brcmf_get_ifp()
                  brcmf_txfinalize()

Since brcmf_get_ifp() can and actually will return NULL in this case the call to brcmf_txfinalize() will result in a NULL pointer dereference inside brcmf_txfinalize() when trying to update ifp->ndev->stats.tx_errors.

This will only happen if a flowring still has an skb.

Although the NULL pointer dereference has only been seen when trying to update the tx statistic, all other uses of the ifp pointer have been guarded as well with an early return if ifp is NULL.
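
The teardown ordering described above, as a small user-space C model added here for illustration; it is not the brcmfmac driver code or the upstream patch. Every model_ name, the structure layouts and the sample values in main() are assumptions.

```c
#include <stdio.h>
#define MODEL_MAX_IFS 4
#define MODEL_BSSIDX_INVALID (-1) /* value the description gives for BRCMF_BSSIDX_INVALID */
struct model_if { unsigned long tx_errors; };
struct model_drvr {
    int if2bss[MODEL_MAX_IFS];               /* ifidx -> bsscfgidx */
    struct model_if *iflist[MODEL_MAX_IFS];  /* bsscfgidx -> interface */
    int queued;                              /* packets still held by a flowring */
};

/* Lookup that yields NULL once the ifidx mapping has been invalidated. */
static struct model_if *model_get_ifp(struct model_drvr *d, int ifidx)
{
    if (ifidx < 0 || ifidx >= MODEL_MAX_IFS || d->if2bss[ifidx] < 0)
        return NULL;
    return d->iflist[d->if2bss[ifidx]];
}

/* Interface removal: invalidate the mapping when the bsscfgidx matches. */
static void model_del_if(struct model_drvr *d, int ifidx, int bsscfgidx)
{
    if (d->if2bss[ifidx] == bsscfgidx)
        d->if2bss[ifidx] = MODEL_BSSIDX_INVALID;
}

/* Guarded finalize: 0 when the statistic was updated, -1 when ifp was NULL. */
static int model_txfinalize(struct model_if *ifp)
{
    if (!ifp)
        return -1; /* early return; without it the next line dereferences NULL */
    ifp->tx_errors++;
    return 0;
}

/* Flowring teardown: finalize every leftover packet, count the skipped ones. */
static int model_flowring_delete(struct model_drvr *d, int ifidx)
{
    struct model_if *ifp = model_get_ifp(d, ifidx);
    int skipped = 0;
    for (; d->queued > 0; d->queued--) skipped += (model_txfinalize(ifp) < 0);
    return skipped;
}

int main(void)
{
    struct model_if wlan = { 0 };  /* constructed sample state */
    struct model_drvr d = { .if2bss = { 0, -1, -1, -1 }, .iflist = { &wlan }, .queued = 2 };
    model_del_if(&d, 0, 0);                               /* interface goes first */
    printf("skipped=%d\n", model_flowring_delete(&d, 0)); /* then the flowrings */
}
```

With no packets left in the modelled flowring the finalize path is never entered, which matches the description's note that the fault needs a flowring that still has an skb.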

Vulnerable products and versions

CPE                                            From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*                      6.1.129 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.2 (including)    6.6.78 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7 (including)    6.12.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.13 (including)   6.13.3 (excluding)