CVE-2025-37794

Source
https://cve.org/CVERecord?id=CVE-2025-37794
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37794.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-37794
Downstream
Related
Published
2025-05-01T13:07:26.168Z
Modified
2026-03-20T12:42:28.136474Z
Summary
wifi: mac80211: Purge vif txq in ieee80211_do_stop()
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: Purge vif txq in ieee80211_do_stop()

After ieee80211_do_stop(), SKBs from the vif's txq could still be processed. Indeed, another concurrent vif schedule_and_wake_txq call could cause those packets to be dequeued (see ieee80211_handle_wake_tx_queue()) without checking the sdata's current state.

Because vif.drv_priv is now cleared in this function, this could lead to a driver crash.

For example, in ath12k, ahvif is stored in vif.drv_priv. Thus, if ath12k_mac_op_tx() is called after ieee80211_do_stop(), ahvif->ah can be NULL, leading the ath12k_warn(ahvif->ah, ...) call in this function to trigger the NULL deref below.

Unable to handle kernel paging request at virtual address dfffffc000000001
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
batman_adv: bat0: Interface deactivated: brbh1337
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfffffc000000001] address between user and kernel address ranges
Internal error: Oops: 0000000096000004 [#1] SMP
CPU: 1 UID: 0 PID: 978 Comm: lbd Not tainted 6.13.0-g633f875b8f1e #114
Hardware name: HW (DT)
pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k]
lr : ath12k_mac_op_tx+0x174/0x29b8 [ath12k]
sp : ffffffc086ace450
x29: ffffffc086ace450 x28: 0000000000000000 x27: 1ffffff810d59ca4
x26: ffffff801d05f7c0 x25: 0000000000000000 x24: 000000004000001e
x23: ffffff8009ce4926 x22: ffffff801f9c0800 x21: ffffff801d05f7f0
x20: ffffff8034a19f40 x19: 0000000000000000 x18: ffffff801f9c0958
x17: ffffff800bc0a504 x16: dfffffc000000000 x15: ffffffc086ace4f8
x14: ffffff801d05f83c x13: 0000000000000000 x12: ffffffb003a0bf03
x11: 0000000000000000 x10: ffffffb003a0bf02 x9 : ffffff8034a19f40
x8 : ffffff801d05f818 x7 : 1ffffff0069433dc x6 : ffffff8034a19ee0
x5 : ffffff801d05f7f0 x4 : 0000000000000000 x3 : 0000000000000001
x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000008
Call trace:
 ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] (P)
 ieee80211_handle_wake_tx_queue+0x16c/0x260
 ieee80211_queue_skb+0xeec/0x1d20
 ieee80211_tx+0x200/0x2c8
 ieee80211_xmit+0x22c/0x338
 __ieee80211_subif_start_xmit+0x7e8/0xc60
 ieee80211_subif_start_xmit+0xc4/0xee0
 __ieee80211_subif_start_xmit_8023.isra.0+0x854/0x17a0
 ieee80211_subif_start_xmit_8023+0x124/0x488
 dev_hard_start_xmit+0x160/0x5a8
 __dev_queue_xmit+0x6f8/0x3120
 br_dev_queue_push_xmit+0x120/0x4a8
 __br_forward+0xe4/0x2b0
 deliver_clone+0x5c/0xd0
 br_flood+0x398/0x580
 br_dev_xmit+0x454/0x9f8
 dev_hard_start_xmit+0x160/0x5a8
 __dev_queue_xmit+0x6f8/0x3120
 ip6_finish_output2+0xc28/0x1b60
 __ip6_finish_output+0x38c/0x638
 ip6_output+0x1b4/0x338
 ip6_local_out+0x7c/0xa8
 ip6_send_skb+0x7c/0x1b0
 ip6_push_pending_frames+0x94/0xd0
 rawv6_sendmsg+0x1a98/0x2898
 inet_sendmsg+0x94/0xe0
 __sys_sendto+0x1e4/0x308
 __arm64_sys_sendto+0xc4/0x140
 do_el0_svc+0x110/0x280
 el0_svc+0x20/0x60
 el0t_64_sync_handler+0x104/0x138
 el0t_64_sync+0x154/0x158

To avoid that, empty the vif's txq at ieee80211_do_stop() so that no packet can be dequeued after ieee80211_do_stop() (new packets cannot be queued because SDATA_STATE_RUNNING is cleared at this point).

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37794.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ba8c3d6f16a1f9305c23ac1d2fd3992508c5ac03
Fixed
929ec2c9ad34248ef625e137b6118b6e965797d9
Fixed
a932a5ce4eee0cbad20220f950fe7bd3534bcbc9
Fixed
305741e7e63234cbcf9b5c4e6aeca25ba0834be8
Fixed
5f6863dc407f25fcf23fc857f9ac51756a09ea2c
Fixed
c74b84544dee27298a71715b3ce2c40d372b5a23
Fixed
a8df245b5b29f6de98d016dc18e2bb35ec70b0cb
Fixed
8bc34db7f771a464ff8f686b6f8d4e04963fec27
Fixed
378677eb8f44621ecc9ce659f7af61e5baa94d81

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37794.json"