In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: usb: schedule rx work after everything is set up
Right now it's possible to hit a NULL pointer dereference in rtw_rx_fill_rx_status on the hw object and/or its fields because the initialization routine can start getting USB replies before rtw_dev is fully set up.
The stack trace looks like this:
rtw_rx_fill_rx_status
rtw8821c_query_rx_desc
rtw_usb_rx_handler
...
queue_work
rtw_usb_read_port_complete
...
usb_submit_urb
rtw_usb_rx_resubmit
rtw_usb_init_rx
rtw_usb_probe
So while we do the async stuff rtw_usb_probe continues and calls rtw_register_hw, which does all kinds of initialization (e.g. via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on.
Fix this by moving the first usb_submit_urb after everything is set up.
For me, this bug manifested as:
[    8.893177] rtw8821cu 1-1:1.2: band wrong, packet dropped
[    8.910904] rtw8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status
because I'm using Larry's backport of rtw88 driver with the NULL checks in rtw_rx_fill_rx_status.
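The following is an added model of the ordering bug described in the commit message, not code from the rtw88 driver or the kernel. The structures, field names (hw->conf.chan stands in for hw->conf.chandef.chan) and the probe functions are simplified stand-ins; the completion path is modelled as a synchronous call, which is the worst case the race permits. It shows why submitting the first rx URB before rtw_register_hw lets the rx handler observe unconfigured hw state, and why moving the submission after setup closes the window.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the kernel structures (hypothetical, only the fields needed). */
struct channel { int hw_value; };
struct hw_conf { struct channel *chan; };   /* models hw->conf.chandef.chan */
struct ieee80211_hw { struct hw_conf conf; };
struct rtw_dev {
    struct ieee80211_hw *hw;
    int dropped;   /* rx status fills rejected by the NULL check */
    int filled;    /* rx status fills that succeeded */
};

static struct channel sample_chan = { .hw_value = 36 };   /* constructed value */

/* Models rtw_rx_fill_rx_status with the NULL checks from the backport:
 * without such a check the buggy ordering dereferences NULL here. */
static int rx_fill_rx_status(struct rtw_dev *rtwdev)
{
    if (!rtwdev->hw || !rtwdev->hw->conf.chan) {
        rtwdev->dropped++;
        return -1;
    }
    rtwdev->filled++;
    return 0;
}

/* Models usb_submit_urb -> read_port_complete -> queue_work -> rx handler.
 * The "device" replies immediately, so the handler runs right away. */
static void submit_first_rx_urb(struct rtw_dev *rtwdev)
{
    rx_fill_rx_status(rtwdev);
}

/* Models rtw_register_hw: the point where the hw configuration becomes valid. */
static void register_hw(struct ieee80211_hw *hw)
{
    hw->conf.chan = &sample_chan;
}

/* Ordering before the fix: rx URB submitted from init_rx, before register_hw.
 * Returns the number of rx fills that found hw state unset. */
int probe_before_fix(void)
{
    static struct ieee80211_hw hw;
    static struct rtw_dev dev;
    hw = (struct ieee80211_hw){0};
    dev = (struct rtw_dev){0};
    dev.hw = &hw;                  /* hw allocated, nothing configured yet */
    submit_first_rx_urb(&dev);     /* completion arrives too early */
    register_hw(&hw);
    return dev.dropped;
}

/* Ordering after the fix: first submission only once everything is set up. */
int probe_after_fix(void)
{
    static struct ieee80211_hw hw;
    static struct rtw_dev dev;
    hw = (struct ieee80211_hw){0};
    dev = (struct rtw_dev){0};
    dev.hw = &hw;
    register_hw(&hw);
    submit_first_rx_urb(&dev);     /* handler now sees a valid chan */
    return dev.dropped;
}

int main(void)
{
    printf("before fix: %d early rx fill(s) hit unset hw state\n", probe_before_fix());
    printf("after fix:  %d early rx fill(s) hit unset hw state\n", probe_after_fix());
    return 0;
}
```

The NULL check in rx_fill_rx_status is what turns the crash into a dropped packet, matching the "hw->conf.chandef.chan NULL" log line; the real fix is the reordering in probe_after_fix, which removes the window rather than masking it.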