{ "threat_severity" : "Moderate", "public_date" : "2025-02-27T00:00:00Z", "bugzilla" : { "description" : "kernel: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion", "id" : "2348573", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2348573" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: rtw89: fix race between cancel_hw_scan and hw_scan completion\nThe rtwdev->scanning flag isn't protected by mutex originally, so\ncancel_hw_scan can pass the condition, but suddenly hw_scan completion\nunset the flag and calls ieee80211_scan_completed() that will free\nlocal->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and\nuse-after-free. Fix it by moving the check condition to where\nprotected by mutex.\nKASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\nCPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G OE\nHardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019\nWorkqueue: events cfg80211_conn_work [cfg80211]\nRIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\nCode: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d\nRSP: 0018:ffff88811fd9f068 EFLAGS: 00010206\nRAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001\nRDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089\nRBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000\nR10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960\nR13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0\nCall Trace:\n\n? show_regs+0x61/0x73\n? __die_body+0x20/0x73\n? die_addr+0x4f/0x7b\n? exc_general_protection+0x191/0x1db\n? asm_exc_general_protection+0x27/0x30\n? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core]\n? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core]\n? do_raw_spin_lock+0x75/0xdb\n? __pfx_do_raw_spin_lock+0x10/0x10\nrtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core]\n? _raw_spin_unlock+0xe/0x24\n? __mutex_lock.constprop.0+0x40c/0x471\n? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core]\n? __mutex_lock_slowpath+0x13/0x1f\n? mutex_lock+0xa2/0xdc\n? __pfx_mutex_lock+0x10/0x10\nrtw89_hw_scan_abort+0x58/0xb7 [rtw89_core]\nrtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core]\nieee80211_scan_cancel+0x468/0x4d0 [mac80211]\nieee80211_prep_connection+0x858/0x899 [mac80211]\nieee80211_mgd_auth+0xbea/0xdde [mac80211]\n? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211]\n? cfg80211_find_elem+0x15/0x29 [cfg80211]\n? is_bss+0x1b7/0x1d7 [cfg80211]\nieee80211_auth+0x18/0x27 [mac80211]\ncfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211]\ncfg80211_conn_do_work+0x410/0xb81 [cfg80211]\n? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211]\n? __kasan_check_read+0x11/0x1f\n? psi_group_change+0x8bc/0x944\n? __kasan_check_write+0x14/0x22\n? mutex_lock+0x8e/0xdc\n? __pfx_mutex_lock+0x10/0x10\n? __pfx___radix_tree_lookup+0x10/0x10\ncfg80211_conn_work+0x245/0x34d [cfg80211]\n? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211]\n? update_cfs_rq_load_avg+0x3bc/0x3d7\n? sched_clock_noinstr+0x9/0x1a\n? sched_clock+0x10/0x24\n? sched_clock_cpu+0x7e/0x42e\n? newidle_balance+0x796/0x937\n? __pfx_sched_clock_cpu+0x10/0x10\n? __pfx_newidle_balance+0x10/0x10\n? __kasan_check_read+0x11/0x1f\n? psi_group_change+0x8bc/0x944\n? _raw_spin_unlock+0xe/0x24\n? raw_spin_rq_unlock+0x47/0x54\n? raw_spin_rq_unlock_irq+0x9/0x1f\n? finish_task_switch.isra.0+0x347/0x586\n? __schedule+0x27bf/0x2892\n? mutex_unlock+0x80/0xd0\n? do_raw_spin_lock+0x75/0xdb\n? __pfx___schedule+0x10/0x10\nprocess_scheduled_works+0x58c/0x821\nworker_thread+0x4c7/0x586\n? __kasan_check_read+0x11/0x1f\nkthread+0x285/0x294\n? __pfx_worker_thread+0x10/0x10\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x29/0x6f\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1b/0x30\n", "A flaw was found in the linux kernel. A race between cancel_hw_scan and hw_scan completion may lead to compromised availability." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20518", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.5.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20518", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.5.1.el9_7" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21729\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21729\nhttps://lore.kernel.org/linux-cve-announce/2025022648-CVE-2025-21729-24e3@gregkh/T" ], "name" : "CVE-2025-21729", "csaw" : false }