CVE-2025-38604

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtl818x: Kill URBs before clearing tx status queue<br /> <br /> In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing<br /> b_tx_status.queue. This change prevents callbacks from using already freed<br /> skb due to anchor was not killed before freeing such skb.<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000080<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: Oops: 0000 [#1] SMP NOPTI<br /> CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015<br /> RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]<br /> Call Trace:<br /> <br /> rtl8187_tx_cb+0x116/0x150 [rtl8187]<br /> __usb_hcd_giveback_urb+0x9d/0x120<br /> usb_giveback_urb_bh+0xbb/0x140<br /> process_one_work+0x19b/0x3c0<br /> bh_worker+0x1a7/0x210<br /> tasklet_action+0x10/0x30<br /> handle_softirqs+0xf0/0x340<br /> __irq_exit_rcu+0xcd/0xf0<br /> common_interrupt+0x85/0xa0<br /> <br /> <br /> Tested on RTL8187BvE device.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.