CVE-2025-40321

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/12/2025
Last modified:
08/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode

Currently, whenever there is a need to transmit an Action frame,
the brcmfmac driver always uses the P2P vif to send the "actframe" IOVAR to
firmware. The P2P interfaces are available when wpa_supplicant is managing
the wlan interface.

However, the P2P interfaces are not created/initialized when only hostapd
is managing the wlan interface. And if hostapd receives an ANQP Query REQ
Action frame even from an un-associated STA, the brcmfmac driver tries
to use an uninitialized P2P vif pointer for sending the IOVAR to firmware.
This NULL pointer dereferencing triggers a driver crash.

[ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual
address 0000000000000000
[...]
[ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)
[...]
[ 1417.075653] Call trace:
[ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]
[ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]
[ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]
[ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211]
[ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158
[ 1417.076302] genl_rcv_msg+0x220/0x2a0
[ 1417.076317] netlink_rcv_skb+0x68/0x140
[ 1417.076330] genl_rcv+0x40/0x60
[ 1417.076343] netlink_unicast+0x330/0x3b8
[ 1417.076357] netlink_sendmsg+0x19c/0x3f8
[ 1417.076370] __sock_sendmsg+0x64/0xc0
[ 1417.076391] ____sys_sendmsg+0x268/0x2a0
[ 1417.076408] ___sys_sendmsg+0xb8/0x118
[ 1417.076427] __sys_sendmsg+0x90/0xf8
[ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40
[ 1417.076465] invoke_syscall+0x50/0x120
[ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0
[ 1417.076506] do_el0_svc+0x24/0x38
[ 1417.076525] el0_svc+0x30/0x100
[ 1417.076548] el0t_64_sync_handler+0x100/0x130
[ 1417.076569] el0t_64_sync+0x190/0x198
[ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)

Fix this, by always using the vif corresponding to the wdev on which the
Action frame Transmission request was initiated by the userspace. This way,
even if P2P vif is not available, the IOVAR is sent to firmware on AP vif
and the ANQP Query RESP Action frame is transmitted without crashing the
driver.

Move init_completion() for "send_af_done" from brcmf_p2p_create_p2pdev()
to brcmf_p2p_attach(). Because the former function would not get executed
when only hostapd is managing wlan interface, and it is not safe to do
reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior
init_completion().

And in the brcmf_p2p_tx_action_frame() function, the condition check for
P2P Presence response frame is not needed, since the wpa_supplicant is
properly sending the P2P Presence Response frame on the P2P-GO vif instead
of the P2P-Device vif.

[Cc stable]
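The two defects the commit message describes (selecting a P2P vif that was never created, and calling reinit_completion() on a completion that init_completion() never touched) can be reproduced in a small userspace model. The following is an added example written for this page; it is not brcmfmac code, and the structures and function names (vif, wdev, p2p_info, pick_vif_before, pick_vif_after, tx_action_frame, p2p_attach_before, p2p_attach_after) are assumptions that only mimic the vocabulary of the commit message. Where the real driver dereferences NULL and oopses, the model returns an error code so the failure is observable, and it runs both the hostapd-only (AP) scenario from the report and the wpa_supplicant (P2P) scenario to show the fix does not regress the latter.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the brcmfmac action-frame TX path. Not driver code. */

enum { MODEL_OK = 0, MODEL_ENULL_VIF = -1, MODEL_EUNINIT_COMPLETION = -2 };

struct vif {
    const char *name;   /* "wlan0" (AP) or "p2p-dev-wlan0" (P2P device), assumed names */
    int iovars_sent;    /* stands in for "actframe" IOVARs handed to firmware on this vif */
};

struct wdev {
    struct vif *vif;    /* the vif behind the wdev userspace issued the mgmt-tx on */
};

/* Per-adapter P2P state. With only hostapd driving the interface the P2P
 * device vif is never created, so p2pdev_vif stays NULL. */
struct p2p_info {
    struct vif *p2pdev_vif;
    bool send_af_done_initialized;  /* models init_completion(&send_af_done) having run */
};

/* Before the fix: the driver always selected the P2P device vif. */
static struct vif *pick_vif_before(struct p2p_info *p2p, struct wdev *wdev)
{
    (void)wdev;
    return p2p->p2pdev_vif;         /* NULL in the hostapd-only case */
}

/* After the fix: use the vif corresponding to the requesting wdev. */
static struct vif *pick_vif_after(struct p2p_info *p2p, struct wdev *wdev)
{
    (void)p2p;
    return wdev->vif;
}

/* Model of brcmf_p2p_tx_action_frame(). Returns an error where the real
 * driver would dereference NULL or reinit an uninitialised completion. */
static int tx_action_frame(struct p2p_info *p2p, struct wdev *wdev,
                           struct vif *(*pick)(struct p2p_info *, struct wdev *))
{
    struct vif *vif = pick(p2p, wdev);
    if (vif == NULL)
        return MODEL_ENULL_VIF;            /* the oops in the report */
    if (!p2p->send_af_done_initialized)
        return MODEL_EUNINIT_COMPLETION;   /* reinit_completion() without init_completion() */
    vif->iovars_sent++;                    /* "actframe" IOVAR goes out on this vif */
    return MODEL_OK;
}

/* Attach as it was: the completion is only initialised when the P2P device
 * vif is created, which never happens under hostapd alone. */
static void p2p_attach_before(struct p2p_info *p2p, struct vif *p2pdev)
{
    p2p->p2pdev_vif = p2pdev;
    p2p->send_af_done_initialized = (p2pdev != NULL);
}

/* Attach after the fix: init_completion() moved into the attach path, so it
 * runs regardless of whether a P2P device vif ever exists. */
static void p2p_attach_after(struct p2p_info *p2p, struct vif *p2pdev)
{
    p2p->p2pdev_vif = p2pdev;
    p2p->send_af_done_initialized = true;
}

/* Scenario from the report: hostapd-only AP answering an ANQP query on wlan0. */
static int ap_only_scenario(bool fixed)
{
    struct vif ap = { "wlan0", 0 };
    struct wdev wdev = { &ap };
    struct p2p_info p2p;

    if (fixed) {
        p2p_attach_after(&p2p, NULL);
        return tx_action_frame(&p2p, &wdev, pick_vif_after);
    }
    p2p_attach_before(&p2p, NULL);
    return tx_action_frame(&p2p, &wdev, pick_vif_before);
}

/* wpa_supplicant scenario: a P2P device vif exists and the request arrives on it. */
static int p2p_scenario(bool fixed)
{
    struct vif p2pdev = { "p2p-dev-wlan0", 0 };
    struct wdev wdev = { &p2pdev };
    struct p2p_info p2p;

    if (fixed) {
        p2p_attach_after(&p2p, &p2pdev);
        return tx_action_frame(&p2p, &wdev, pick_vif_after);
    }
    p2p_attach_before(&p2p, &p2pdev);
    return tx_action_frame(&p2p, &wdev, pick_vif_before);
}

int main(void)
{
    printf("AP-only, before fix: %d (expect %d)\n", ap_only_scenario(false), MODEL_ENULL_VIF);
    printf("AP-only, after fix:  %d (expect %d)\n", ap_only_scenario(true), MODEL_OK);
    printf("P2P, before fix:     %d (expect %d)\n", p2p_scenario(false), MODEL_OK);
    printf("P2P, after fix:      %d (expect %d)\n", p2p_scenario(true), MODEL_OK);
    return 0;
}
```

The practitioner's takeaway is that the trigger is a management frame from an unassociated station reaching hostapd, which then asks the kernel to transmit a response via nl80211; any interface-selection shortcut that assumes a particular vif exists needs a guard or, as the fix does, needs to derive the vif from the request itself.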

Impact