CVE-2025-38284 - Vulnerability Details

Link	Providers
https://git.kernel.org/stable/c/a70cf04b08f44f41bce14659aa7012674b15d9de
https://git.kernel.org/stable/c/e1e0f046041474004dc6ebce5ce1d3e86556291d

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: configure manual DAC mode via PCI config API only To support 36-bit DMA, configure chip proprietary bit via PCI config API or chip DBI interface. However, the PCI device mmap isn't set yet and the DBI is also inaccessible via mmap, so only if the bit can be accessible via PCI config API, chip can support 36-bit DMA. Otherwise, fallback to 32-bit DMA. With NULL mmap address, kernel throws trace: BUG: unable to handle page fault for address: 0000000000001090 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] PREEMPT SMP PTI CPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G OE 6.14.2-061402-generic #202504101348 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE RIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci] RSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206 RAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000 RDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020 RBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015 R13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060 FS: 0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0 Call Trace: <TASK> rtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci] rtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci] rtw89_pci_probe+0xa96/0xbd0 [rtw89_pci] ? __pfx___device_attach_driver+0x10/0x10 ? __pfx___device_attach_driver+0x10/0x10 local_pci_probe+0x47/0xa0 pci_call_probe+0x5d/0x190 pci_device_probe+0xa7/0x160 really_probe+0xf9/0x370 ? pm_runtime_barrier+0x55/0xa0 __driver_probe_device+0x8c/0x140 driver_probe_device+0x24/0xd0 __device_attach_driver+0xcd/0x170 bus_for_each_drv+0x99/0x100 __device_attach+0xb4/0x1d0 device_attach+0x10/0x20 pci_bus_add_device+0x59/0x90 pci_bus_add_devices+0x31/0x80 pciehp_configure_device+0xaa/0x170 pciehp_enable_slot+0xd6/0x240 pciehp_handle_presence_or_link_change+0xf1/0x180 pciehp_ist+0x162/0x1c0 irq_thread_fn+0x24/0x70 irq_thread+0xef/0x1c0 ? __pfx_irq_thread_fn+0x10/0x10 ? __pfx_irq_thread_dtor+0x10/0x10 ? __pfx_irq_thread+0x10/0x10 kthread+0xfc/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x47/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK>
Title		wifi: rtw89: pci: configure manual DAC mode via PCI config API only
References		https://git.kernel.org/stable/c/a70cf04b08f44f41bce14659aa7012674b15d9de https://git.kernel.org/stable/c/e1e0f046041474004dc6ebce5ce1d3e86556291d

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38284", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.000Z", "datePublished": "2025-07-10T07:42:01.667Z", "dateUpdated": "2025-07-10T07:42:01.667Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-07-10T07:42:01.667Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: pci: configure manual DAC mode via PCI config API only\n\nTo support 36-bit DMA, configure chip proprietary bit via PCI config API\nor chip DBI interface. However, the PCI device mmap isn't set yet and\nthe DBI is also inaccessible via mmap, so only if the bit can be accessible\nvia PCI config API, chip can support 36-bit DMA. Otherwise, fallback to\n32-bit DMA.\n\nWith NULL mmap address, kernel throws trace:\n\n BUG: unable to handle page fault for address: 0000000000001090\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G OE 6.14.2-061402-generic #202504101348\n Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n RIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci]\n RSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206\n RAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000\n RDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020\n RBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015\n R13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060\n FS: 0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0\n Call Trace:\n <TASK>\n rtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci]\n rtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci]\n rtw89_pci_probe+0xa96/0xbd0 [rtw89_pci]\n ? __pfx___device_attach_driver+0x10/0x10\n ? __pfx___device_attach_driver+0x10/0x10\n local_pci_probe+0x47/0xa0\n pci_call_probe+0x5d/0x190\n pci_device_probe+0xa7/0x160\n really_probe+0xf9/0x370\n ? pm_runtime_barrier+0x55/0xa0\n __driver_probe_device+0x8c/0x140\n driver_probe_device+0x24/0xd0\n __device_attach_driver+0xcd/0x170\n bus_for_each_drv+0x99/0x100\n __device_attach+0xb4/0x1d0\n device_attach+0x10/0x20\n pci_bus_add_device+0x59/0x90\n pci_bus_add_devices+0x31/0x80\n pciehp_configure_device+0xaa/0x170\n pciehp_enable_slot+0xd6/0x240\n pciehp_handle_presence_or_link_change+0xf1/0x180\n pciehp_ist+0x162/0x1c0\n irq_thread_fn+0x24/0x70\n irq_thread+0xef/0x1c0\n ? __pfx_irq_thread_fn+0x10/0x10\n ? __pfx_irq_thread_dtor+0x10/0x10\n ? __pfx_irq_thread+0x10/0x10\n kthread+0xfc/0x230\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x47/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/realtek/rtw89/pci.c"], "versions": [{"version": "1fd4b3fe52efd5ad1647966f619c10988e7a4457", "lessThan": "e1e0f046041474004dc6ebce5ce1d3e86556291d", "status": "affected", "versionType": "git"}, {"version": "1fd4b3fe52efd5ad1647966f619c10988e7a4457", "lessThan": "a70cf04b08f44f41bce14659aa7012674b15d9de", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/realtek/rtw89/pci.c"], "versions": [{"version": "6.11", "status": "affected"}, {"version": "0", "lessThan": "6.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.3", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.15.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.16-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e1e0f046041474004dc6ebce5ce1d3e86556291d"}, {"url": "https://git.kernel.org/stable/c/a70cf04b08f44f41bce14659aa7012674b15d9de"}], "title": "wifi: rtw89: pci: configure manual DAC mode via PCI config API only", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: pci: configure manual DAC mode via PCI config API only\n\nTo support 36-bit DMA, configure chip proprietary bit via PCI config API\nor chip DBI interface. However, the PCI device mmap isn't set yet and\nthe DBI is also inaccessible via mmap, so only if the bit can be accessible\nvia PCI config API, chip can support 36-bit DMA. Otherwise, fallback to\n32-bit DMA.\n\nWith NULL mmap address, kernel throws trace:\n\n BUG: unable to handle page fault for address: 0000000000001090\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G OE 6.14.2-061402-generic #202504101348\n Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n RIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci]\n RSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206\n RAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000\n RDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020\n RBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015\n R13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060\n FS: 0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0\n Call Trace:\n <TASK>\n rtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci]\n rtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci]\n rtw89_pci_probe+0xa96/0xbd0 [rtw89_pci]\n ? __pfx___device_attach_driver+0x10/0x10\n ? __pfx___device_attach_driver+0x10/0x10\n local_pci_probe+0x47/0xa0\n pci_call_probe+0x5d/0x190\n pci_device_probe+0xa7/0x160\n really_probe+0xf9/0x370\n ? pm_runtime_barrier+0x55/0xa0\n __driver_probe_device+0x8c/0x140\n driver_probe_device+0x24/0xd0\n __device_attach_driver+0xcd/0x170\n bus_for_each_drv+0x99/0x100\n __device_attach+0xb4/0x1d0\n device_attach+0x10/0x20\n pci_bus_add_device+0x59/0x90\n pci_bus_add_devices+0x31/0x80\n pciehp_configure_device+0xaa/0x170\n pciehp_enable_slot+0xd6/0x240\n pciehp_handle_presence_or_link_change+0xf1/0x180\n pciehp_ist+0x162/0x1c0\n irq_thread_fn+0x24/0x70\n irq_thread+0xef/0x1c0\n ? __pfx_irq_thread_fn+0x10/0x10\n ? __pfx_irq_thread_dtor+0x10/0x10\n ? __pfx_irq_thread+0x10/0x10\n kthread+0xfc/0x230\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x47/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: rtw89: pci: configurar el modo DAC manual solo mediante la API de configuraci\u00f3n PCI. Para admitir DMA de 36 bits, configure el bit propietario del chip mediante la API de configuraci\u00f3n PCI o la interfaz DBI del chip. Sin embargo, el mmap del dispositivo PCI a\u00fan no est\u00e1 configurado y el DBI tampoco es accesible mediante mmap. Por lo tanto, solo si se puede acceder al bit mediante la API de configuraci\u00f3n PCI, el chip admite DMA de 36 bits. De lo contrario, se recurre al DMA de 32 bits. Con una direcci\u00f3n mmap NULL, el n\u00facleo genera el siguiente seguimiento: ERROR: no se puede controlar el error de p\u00e1gina para la direcci\u00f3n: 0000000000001090 #PF: acceso de escritura del supervisor en modo n\u00facleo #PF: error_code(0x0002) - p\u00e1gina no presente PGD 0 P4D 0 Oops: Oops: 0002 [#1] PREEMPT SMP PTI CPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G OE 6.14.2-061402-generic #202504101348 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE RIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci] RSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206 RAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000 RDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020 RBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015 R13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060 FS: 0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0 Call Trace: rtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci] rtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci] rtw89_pci_probe+0xa96/0xbd0 [rtw89_pci] ? __pfx___device_attach_driver+0x10/0x10 ? __pfx___device_attach_driver+0x10/0x10 local_pci_probe+0x47/0xa0 pci_call_probe+0x5d/0x190 pci_device_probe+0xa7/0x160 really_probe+0xf9/0x370 ? pm_runtime_barrier+0x55/0xa0 __driver_probe_device+0x8c/0x140 driver_probe_device+0x24/0xd0 __device_attach_driver+0xcd/0x170 bus_for_each_drv+0x99/0x100 __device_attach+0xb4/0x1d0 device_attach+0x10/0x20 pci_bus_add_device+0x59/0x90 pci_bus_add_devices+0x31/0x80 pciehp_configure_device+0xaa/0x170 pciehp_enable_slot+0xd6/0x240 pciehp_handle_presence_or_link_change+0xf1/0x180 pciehp_ist+0x162/0x1c0 irq_thread_fn+0x24/0x70 irq_thread+0xef/0x1c0 ? __pfx_irq_thread_fn+0x10/0x10 ? __pfx_irq_thread_dtor+0x10/0x10 ? __pfx_irq_thread+0x10/0x10 kthread+0xfc/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x47/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 "}], "id": "CVE-2025-38284", "lastModified": "2025-07-10T13:17:30.017", "metrics": {}, "published": "2025-07-10T08:15:26.857", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a70cf04b08f44f41bce14659aa7012674b15d9de"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e1e0f046041474004dc6ebce5ce1d3e86556291d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object