Linux Kernel mac80211 Component Null Pointer Dereference Vulnerability

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's mac80211 component. This issue arises in versions of the kernel through 6.13.0-g633f875b8f1e. The vulnerability occurs because, after the function ieee80211_do_stop() is called, packets from a virtual interface's transmission queue can still be processed. If another concurrent call schedules and wakes the transmission queue, those packets may be dequeued without verifying the current state of the interface. This oversight can lead to a crash in the device driver. For instance, in the ath12k driver, a critical reference can become null, causing a dereference error and triggering a kernel panic.

Impact

Exploitation of this vulnerability causes a kernel panic due to a null pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by activating a virtual interface and then manually stopping it using the ieee80211_do_stop() function. After the interface has been stopped, another function can be called to wake the transmission queue, which will dequeue packets from the interface's transmission queue. If the ath12k driver is in use, this will cause a null pointer dereference, as the driver's private data will have been cleared, leading to a kernel panic.
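The stop-then-wake sequence described above, as an added userspace model (not code from the kernel, from ath12k, or from this advisory). All type and function names are hypothetical, and the state check shown is one possible guard assumed for illustration, not the upstream fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: hypothetical names, not mac80211/ath12k definitions. */
struct drv_priv { int tx_count; };      /* stands in for driver private data */
struct vif_model {
    bool running;                       /* interface state */
    struct drv_priv *priv;              /* cleared when the interface stops */
    int queued;                         /* frames still sitting in the TXQ */
};
enum tx_result { TX_SENT, TX_EMPTY, TX_DROPPED_STOPPED, TX_WOULD_DEREF_NULL };

/* Stop path: state and private data are torn down, queued frames remain. */
static void vif_stop(struct vif_model *vif)
{
    vif->running = false;
    vif->priv = NULL;
}

/* Wake path: with check_state == false the interface state is never consulted. */
static enum tx_result txq_wake_dequeue(struct vif_model *vif, bool check_state)
{
    if (vif->queued == 0)
        return TX_EMPTY;
    if (check_state && !vif->running) {
        vif->queued = 0;                /* assumed guard: flush, do not hand to driver */
        return TX_DROPPED_STOPPED;
    }
    vif->queued--;
    if (vif->priv == NULL)              /* a real driver would dereference here */
        return TX_WOULD_DEREF_NULL;
    vif->priv->tx_count++;
    return TX_SENT;
}

/* Sequence from the Reproduction section: interface up, frames queued, stop, wake. */
static enum tx_result stop_then_wake(bool check_state)
{
    struct drv_priv priv = { 0 };
    struct vif_model vif = { .running = true, .priv = &priv, .queued = 2 };
    vif_stop(&vif);
    return txq_wake_dequeue(&vif, check_state);
}

int main(void)
{
    return printf("unguarded=%d guarded=%d\n", (int)stop_then_wake(false), (int)stop_then_wake(true)) < 0;
}
```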

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.