Linux Kernel NULL Pointer Dereference Vulnerability in NAPI RX Polling for MTK T7XX

A vulnerability in the Linux kernel's handling of NAPI RX polling for the MTK T7XX driver can lead to a NULL pointer dereference. This issue arises when the driver processes polling requests and an invalid network device is used, potentially causing a kernel panic. The problem occurs because the network device may have been released by the delink logic triggered by a disconnect operation on the user plane, yet the driver continues to use the invalid reference in polling.

Impact

Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by using the MTK T7XX driver in the Linux kernel. When the driver handles NAPI RX polling requests, the delink logic may release the network device if a disconnect operation occurs on the user plane. However, the driver can still use the invalid network device reference in polling, leading to a NULL pointer dereference and a kernel panic.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commits that resolve this issue are available in the Linux kernel Git repository.