CVE-2025-38505
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 16/08/2025
Last modified: 19/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mwifiex: discard erroneous disassoc frames on STA interface

When operating in concurrent STA/AP mode with host MLME enabled,
the firmware incorrectly sends disassociation frames to the STA
interface when clients disconnect from the AP interface.
This causes kernel warnings as the STA interface processes
disconnect events that don't apply to it:

[ 1303.240540] WARNING: CPU: 0 PID: 513 at net/wireless/mlme.c:141 cfg80211_process_disassoc+0x78/0xec [cfg80211]
[ 1303.250861] Modules linked in: 8021q garp stp mrp llc rfcomm bnep btnxpuart nls_iso8859_1 nls_cp437 onboard_us
[ 1303.327651] CPU: 0 UID: 0 PID: 513 Comm: kworker/u9:2 Not tainted 6.16.0-rc1+ #3 PREEMPT
[ 1303.335937] Hardware name: Toradex Verdin AM62 WB on Verdin Development Board (DT)
[ 1303.343588] Workqueue: MWIFIEX_RX_WORK_QUEUE mwifiex_rx_work_queue [mwifiex]
[ 1303.350856] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 1303.357904] pc : cfg80211_process_disassoc+0x78/0xec [cfg80211]
[ 1303.364065] lr : cfg80211_process_disassoc+0x70/0xec [cfg80211]
[ 1303.370221] sp : ffff800083053be0
[ 1303.373590] x29: ffff800083053be0 x28: 0000000000000000 x27: 0000000000000000
[ 1303.380855] x26: 0000000000000000 x25: 00000000ffffffff x24: ffff000002c5b8ae
[ 1303.388120] x23: ffff000002c5b884 x22: 0000000000000001 x21: 0000000000000008
[ 1303.395382] x20: ffff000002c5b8ae x19: ffff0000064dd408 x18: 0000000000000006
[ 1303.402646] x17: 3a36333a61623a30 x16: 32206d6f72662063 x15: ffff800080bfe048
[ 1303.409910] x14: ffff000003625300 x13: 0000000000000001 x12: 0000000000000000
[ 1303.417173] x11: 0000000000000002 x10: ffff000003958600 x9 : ffff000003625300
[ 1303.424434] x8 : ffff00003fd9ef40 x7 : ffff0000039fc280 x6 : 0000000000000002
[ 1303.431695] x5 : ffff0000038976d4 x4 : 0000000000000000 x3 : 0000000000003186
[ 1303.438956] x2 : 000000004836ba20 x1 : 0000000000006986 x0 : 00000000d00479de
[ 1303.446221] Call trace:
[ 1303.448722] cfg80211_process_disassoc+0x78/0xec [cfg80211] (P)
[ 1303.454894] cfg80211_rx_mlme_mgmt+0x64/0xf8 [cfg80211]
[ 1303.460362] mwifiex_process_mgmt_packet+0x1ec/0x460 [mwifiex]
[ 1303.466380] mwifiex_process_sta_rx_packet+0x1bc/0x2a0 [mwifiex]
[ 1303.472573] mwifiex_handle_rx_packet+0xb4/0x13c [mwifiex]
[ 1303.478243] mwifiex_rx_work_queue+0x158/0x198 [mwifiex]
[ 1303.483734] process_one_work+0x14c/0x28c
[ 1303.487845] worker_thread+0x2cc/0x3d4
[ 1303.491680] kthread+0x12c/0x208
[ 1303.495014] ret_from_fork+0x10/0x20

Add validation in the STA receive path to verify that disassoc/deauth
frames originate from the connected AP. Frames that fail this check
are discarded early, preventing them from reaching the MLME layer and
triggering WARN_ON().

This filtering logic is similar to that used in the
ieee80211_rx_mgmt_disassoc() function in mac80211, which drops
disassoc frames that don't match the current BSSID
(!ether_addr_equal(mgmt->bssid, sdata->vif.cfg.ap_addr)), ensuring
only relevant frames are processed.

Tested on:
- 8997 with FW 16.68.1.p197
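As an added illustration of the check the description calls for (not the mwifiex patch itself): a hypothetical STA-side filter, written here in C against a constructed 24-byte management header, that drops disassoc/deauth frames whose transmitter address and BSSID do not both match the AP the interface is associated to. The function names and the test-vector builder are assumptions; the frame-control constants match the values in linux/ieee80211.h.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN                 6
#define IEEE80211_HDRLEN_MGMT    24      /* fc, duration, addr1-3, seq ctrl */
#define IEEE80211_FCTL_FTYPE     0x000C  /* same values as linux/ieee80211.h */
#define IEEE80211_FCTL_STYPE     0x00F0
#define IEEE80211_FTYPE_MGMT     0x0000
#define IEEE80211_STYPE_DISASSOC 0x00A0
#define IEEE80211_STYPE_DEAUTH   0x00C0

/* Same comparison the mac80211 check quoted in the description relies on. */
static bool ether_addr_equal(const uint8_t *a, const uint8_t *b)
{
    return memcmp(a, b, ETH_ALEN) == 0;
}

/* Hypothetical STA-side filter (not the mwifiex code): decide whether a
 * received management frame must be discarded before cfg80211 sees it.
 * ap_addr is the BSSID the STA interface is associated to, NULL if none.
 * Returns true when the frame should be dropped. */
bool sta_should_drop_mgmt(const uint8_t *frame, size_t len, const uint8_t *ap_addr)
{
    if (len < IEEE80211_HDRLEN_MGMT)
        return true;                       /* truncated header: never forward it */
    /* Frame control is little-endian on the air; assemble it byte-wise. */
    uint16_t fc = (uint16_t)(frame[0] | (frame[1] << 8));
    uint16_t kind = fc & (IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE);
    if (kind != IEEE80211_STYPE_DISASSOC && kind != IEEE80211_STYPE_DEAUTH)
        return false;                      /* anything else passes through unchanged */
    /* A disconnect is only meaningful if it comes from the AP we are joined to:
     * addr2 (transmitter) and addr3 (BSSID) must both equal ap_addr. */
    if (!ap_addr)
        return true;
    return !ether_addr_equal(frame + 10, ap_addr) ||
           !ether_addr_equal(frame + 16, ap_addr);
}

/* Builds a constructed 24-byte management header for testing (body omitted). */
void build_mgmt(uint8_t *buf, uint16_t stype, const uint8_t *da,
                const uint8_t *sa, const uint8_t *bssid)
{
    memset(buf, 0, IEEE80211_HDRLEN_MGMT);
    buf[0] = (uint8_t)(IEEE80211_FTYPE_MGMT | stype);   /* type/subtype in low byte */
    memcpy(buf + 4, da, ETH_ALEN);
    memcpy(buf + 10, sa, ETH_ALEN);
    memcpy(buf + 16, bssid, ETH_ALEN);
}
```

A frame from the associated AP is forwarded as before; one carrying any other transmitter or BSSID, or any disassoc/deauth arriving while not associated, is dropped before it can reach cfg80211_process_disassoc().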
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.12 (including) | 6.12.39 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:* | | |