CVE-2026-46092
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: check for PCI upstream bridge existence
pci_upstream_bridge() returns NULL if the device is on a root bus. If 8821CE is installed in the system with such a PCI topology, the probing routine will crash. This has probably been unnoticed as 8821CE is mostly supplied in laptops where there is a PCI-to-PCI bridge located upstream from the device. However the card might be installed on a system with different configuration.
Check if the bridge does exist for the specific workaround to be applied.
Found by Linux Verification Center (linuxtesting.org) with Svace static analysis tool.
Affected products
2Patches
2eb101d2abdccwifi: rtw88: check for PCI upstream bridge existence
1 file changed · +2 −2
drivers/net/wireless/realtek/rtw88/pci.c+2 −2 modifieddiff --git a/drivers/net/wireless/realtek/rtw88/pci.c b/drivers/net/wireless/realtek/rtw88/pci.c index 56b16186d3aa4b..ec0a45bfb670eb 100644 --- a/drivers/net/wireless/realtek/rtw88/pci.c +++ b/drivers/net/wireless/realtek/rtw88/pci.c @@ -1804,7 +1804,8 @@ int rtw_pci_probe(struct pci_dev *pdev, } /* Disable PCIe ASPM L1 while doing NAPI poll for 8821CE */ - if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C && bridge->vendor == PCI_VENDOR_ID_INTEL) + if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C && + bridge && bridge->vendor == PCI_VENDOR_ID_INTEL) rtwpci->rx_no_aspm = true; rtw_pci_phy_cfg(rtwdev); -- cgit 1.3-korg
eb101d2abdccwifi: rtw88: check for PCI upstream bridge existence
1 file changed · +2 −2
drivers/net/wireless/realtek/rtw88/pci.c+2 −2 modifieddiff --git a/drivers/net/wireless/realtek/rtw88/pci.c b/drivers/net/wireless/realtek/rtw88/pci.c index 56b16186d3aa4b..ec0a45bfb670eb 100644 --- a/drivers/net/wireless/realtek/rtw88/pci.c +++ b/drivers/net/wireless/realtek/rtw88/pci.c @@ -1804,7 +1804,8 @@ int rtw_pci_probe(struct pci_dev *pdev, } /* Disable PCIe ASPM L1 while doing NAPI poll for 8821CE */ - if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C && bridge->vendor == PCI_VENDOR_ID_INTEL) + if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C && + bridge && bridge->vendor == PCI_VENDOR_ID_INTEL) rtwpci->rx_no_aspm = true; rtw_pci_phy_cfg(rtwdev); -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing NULL-pointer check on the return value of pci_upstream_bridge() before dereferencing the bridge pointer."
Attack vector
An attacker who can cause the 8821CE device to be probed on a PCI root bus (where no upstream PCI-to-PCI bridge exists) will trigger a NULL-pointer dereference crash. The `pci_upstream_bridge()` function returns NULL for devices on a root bus, and the original code did not guard against that NULL before accessing `bridge->vendor`. This can occur when the card is installed in a system with a PCI topology that lacks an upstream bridge, such as certain desktop or embedded configurations.
Affected code
The vulnerability is in `drivers/net/wireless/realtek/rtw88/pci.c` in the `rtw_pci_probe()` function. The code calls `pci_upstream_bridge()` to obtain a `bridge` pointer and then unconditionally dereferences `bridge->vendor` without first checking whether `bridge` is NULL.
What the fix does
The patch adds a `bridge &&` guard to the existing condition so that `bridge->vendor` is only evaluated when `bridge` is non-NULL. This prevents the NULL-pointer dereference that occurred when `pci_upstream_bridge()` returns NULL for devices on a root bus. The workaround to disable PCIe ASPM during NAPI poll for 8821CE is now only applied when an upstream Intel bridge actually exists.
Preconditions
- configThe 8821CE wireless card must be installed on a PCI root bus with no upstream PCI-to-PCI bridge
- inputThe rtw_pci_probe() function must execute, which occurs during normal driver probing
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.