CVE-2025-21729
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
27/02/2025
Last modified:
24/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion<br />
<br />
The rtwdev->scanning flag isn&#39;t protected by mutex originally, so<br />
cancel_hw_scan can pass the condition, but suddenly hw_scan completion<br />
unset the flag and calls ieee80211_scan_completed() that will free<br />
local->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and<br />
use-after-free. Fix it by moving the check condition to where<br />
protected by mutex.<br />
<br />
KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]<br />
CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G OE<br />
Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019<br />
Workqueue: events cfg80211_conn_work [cfg80211]<br />
RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]<br />
Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d<br />
RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206<br />
RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001<br />
RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089<br />
RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000<br />
R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960<br />
R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000<br />
FS: 0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0<br />
Call Trace:<br />
<br />
? show_regs+0x61/0x73<br />
? __die_body+0x20/0x73<br />
? die_addr+0x4f/0x7b<br />
? exc_general_protection+0x191/0x1db<br />
? asm_exc_general_protection+0x27/0x30<br />
? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]<br />
? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core]<br />
? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core]<br />
? do_raw_spin_lock+0x75/0xdb<br />
? __pfx_do_raw_spin_lock+0x10/0x10<br />
rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core]<br />
? _raw_spin_unlock+0xe/0x24<br />
? __mutex_lock.constprop.0+0x40c/0x471<br />
? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core]<br />
? __mutex_lock_slowpath+0x13/0x1f<br />
? mutex_lock+0xa2/0xdc<br />
? __pfx_mutex_lock+0x10/0x10<br />
rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core]<br />
rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core]<br />
ieee80211_scan_cancel+0x468/0x4d0 [mac80211]<br />
ieee80211_prep_connection+0x858/0x899 [mac80211]<br />
ieee80211_mgd_auth+0xbea/0xdde [mac80211]<br />
? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211]<br />
? cfg80211_find_elem+0x15/0x29 [cfg80211]<br />
? is_bss+0x1b7/0x1d7 [cfg80211]<br />
ieee80211_auth+0x18/0x27 [mac80211]<br />
cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211]<br />
cfg80211_conn_do_work+0x410/0xb81 [cfg80211]<br />
? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211]<br />
? __kasan_check_read+0x11/0x1f<br />
? psi_group_change+0x8bc/0x944<br />
? __kasan_check_write+0x14/0x22<br />
? mutex_lock+0x8e/0xdc<br />
? __pfx_mutex_lock+0x10/0x10<br />
? __pfx___radix_tree_lookup+0x10/0x10<br />
cfg80211_conn_work+0x245/0x34d [cfg80211]<br />
? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211]<br />
? update_cfs_rq_load_avg+0x3bc/0x3d7<br />
? sched_clock_noinstr+0x9/0x1a<br />
? sched_clock+0x10/0x24<br />
? sched_clock_cpu+0x7e/0x42e<br />
? newidle_balance+0x796/0x937<br />
? __pfx_sched_clock_cpu+0x10/0x10<br />
? __pfx_newidle_balance+0x10/0x10<br />
? __kasan_check_read+0x11/0x1f<br />
? psi_group_change+0x8bc/0x944<br />
? _raw_spin_unlock+0xe/0x24<br />
? raw_spin_rq_unlock+0x47/0x54<br />
? raw_spin_rq_unlock_irq+0x9/0x1f<br />
? finish_task_switch.isra.0+0x347/0x586<br />
? __schedule+0x27bf/0x2892<br />
? mutex_unlock+0x80/0xd0<br />
? do_raw_spin_lock+0x75/0xdb<br />
? __pfx___schedule+0x10/0x10<br />
process_scheduled_works+0x58c/0x821<br />
worker_thread+0x4c7/0x586<br />
? __kasan_check_read+0x11/0x1f<br />
kthread+0x285/0x294<br />
? __pfx_worker_thread+0x10/0x10<br />
? __pfx_kthread+0x10/0x10<br />
ret_from_fork+0x29/0x6f<br />
? __pfx_kthread+0x10/0x10<br />
ret_from_fork_asm+0x1b/0x30<br />
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.18 (including) | 6.12.13 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page