Linux Kernel NULL Pointer Dereference Vulnerability in rtw89 PCI Wi-Fi Driver

Vulnerability

A vulnerability in the Linux kernel's rtw89 PCI Wi-Fi driver can lead to a NULL pointer dereference. This issue arises when the driver attempts to configure the chip for 36-bit Direct Memory Access (DMA) via the PCI configuration API. If the PCI device's memory mapping (mmap) is not properly set, the driver cannot access the necessary proprietary bits to support 36-bit DMA, forcing a fallback to 32-bit DMA. The vulnerability manifests as a page fault error, with the kernel unable to handle a supervisor write access in kernel mode, leading to a crash.

Impact

Exploitation of this vulnerability causes a kernel crash due to a page fault error, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by loading the rtw89 PCI Wi-Fi driver module into the Linux kernel. When the driver attempts to configure 36-bit DMA support via the PCI configuration API, it will encounter a NULL pointer dereference. This occurs because the PCI device's memory mapping is not set, and the necessary proprietary bits are inaccessible, causing the driver to fail and the kernel to crash.
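For triage, the crash signature described above (a NULL pointer dereference on a supervisor write in kernel mode, faulting inside the driver) can be matched in collected kernel logs. The following is an added example, not part of the original entry. The log lines are constructed, the symbol names are placeholders, and matching on a module name starting with `rtw89` in the RIP line (for example `rtw89_pci`) is an assumption about how the driver shows up in the report.

```python
import re

BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: (\w+)")
PF_RE = re.compile(r"#PF: (?:supervisor|user) (read|write|instruction fetch) access in (kernel|user) mode")
RIP_RE = re.compile(r"RIP: [0-9a-f]+:(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")

# Constructed sample log (not from the page); symbol names are placeholders.
SAMPLE_LOG = """\
[   12.305000] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   12.305010] #PF: supervisor write access in kernel mode
[   12.305020] #PF: error_code(0x0002) - not-present page
[   12.306000] RIP: 0010:placeholder_symbol+0x12/0x30 [rtw89_pci]
[   12.310000] ---[ end trace 0000000000000000 ]---
[   57.100000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[   57.100010] #PF: supervisor read access in kernel mode
[   57.101000] RIP: 0010:other_placeholder+0x4/0x20 [some_other_mod]
[   57.102000] ---[ end trace 0000000000000000 ]---
[   90.000000] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   90.000010] #PF: supervisor write access in kernel mode
[   90.001000] RIP: 0010:builtin_placeholder+0x8/0x40
"""

def parse_null_derefs(log):
    """Return one dict per NULL-dereference report: address, access, mode, symbol, module."""
    reports, cur = [], None
    for line in log.splitlines():
        if m := BUG_RE.search(line):
            cur = dict(address=m.group(1), access=None, mode=None, symbol=None, module=None)
            reports.append(cur)
        elif cur is None:
            continue
        elif "end trace" in line:
            cur = None  # report closed; later lines belong to no oops
        elif (m := PF_RE.search(line)) and cur["access"] is None:
            cur["access"], cur["mode"] = m.group(1), m.group(2)
        elif (m := RIP_RE.search(line)) and cur["symbol"] is None:
            # Only the first RIP line counts; built-in code has no [module] tag.
            cur["symbol"], cur["module"] = m.group(1), m.group(2)
    return reports

def matches_rtw89_signature(report):
    """True for a kernel-mode write fault whose faulting code is in an rtw89 module."""
    return (report["access"] == "write" and report["mode"] == "kernel"
            and (report["module"] or "").startswith("rtw89"))

if __name__ == "__main__":
    for r in parse_null_derefs(SAMPLE_LOG):
        print(r["address"], r["symbol"], r["module"], matches_rtw89_signature(r))
```

A match only says the report fits the symptom this entry describes; confirming the cause still requires checking the call trace and the running kernel version against the fix.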

Added: Jul 10, 2025, 9:37 AM
Updated: Jul 10, 2025, 9:37 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.