CVE-2025-38604

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtl818x: Kill URBs before clearing tx status queue

In rtl8187stop() move the call of usbkillanchoredurbs() before clearing btxstatus.queue. This change prevents callbacks from using already freed skb due to anchor was not killed before freeing such skb.

BUG: kernel NULL pointer dereference, address: 0000000000000080 #PF: supervisor read access in kernel mode #PF: errorcode(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ieee80211txstatusirqsafe+0x21/0xc0 [mac80211] Call Trace: <IRQ> rtl8187txcb+0x116/0x150 [rtl8187] _usbhcdgivebackurb+0x9d/0x120 usbgivebackurbbh+0xbb/0x140 processonework+0x19b/0x3c0 bhworker+0x1a7/0x210 taskletaction+0x10/0x30 handlesoftirqs+0xf0/0x340 _irqexitrcu+0xcd/0xf0 commoninterrupt+0x85/0xa0 </IRQ>

Tested on RTL8187BvE device.

Found by Linux Verification Center (linuxtesting.org) with SVACE.