CVE-2025-21729

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw89: fix race between cancelhwscan and hw_scan completion

The rtwdev->scanning flag isn't protected by mutex originally, so cancelhwscan can pass the condition, but suddenly hwscan completion unset the flag and calls ieee80211scancompleted() that will free local->hwscanreq. Then, cancelhw_scan raises null-ptr-deref and use-after-free. Fix it by moving the check condition to where protected by mutex.

KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f] CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G OE Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019 Workqueue: events cfg80211connwork [cfg80211] RIP: 0010:rtw89fwh2cscanoffloadbe+0xc33/0x13c3 [rtw89core] Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001 RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089 RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000 R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960 R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0 Call Trace: <TASK> ? showregs+0x61/0x73 ? diebody+0x20/0x73 ? dieaddr+0x4f/0x7b ? excgeneralprotection+0x191/0x1db ? asmexcgeneralprotection+0x27/0x30 ? rtw89fwh2cscanoffloadbe+0xc33/0x13c3 [rtw89core] ? rtw89fwh2cscanoffloadbe+0x458/0x13c3 [rtw89core] ? _pfxrtw89fwh2cscanoffloadbe+0x10/0x10 [rtw89core] ? dorawspinlock+0x75/0xdb ? _pfxdorawspinlock+0x10/0x10 rtw89hwscanoffload+0xb5e/0xbf7 [rtw89core] ? rawspinunlock+0xe/0x24 ? _mutexlock.constprop.0+0x40c/0x471 ? _pfxrtw89hwscanoffload+0x10/0x10 [rtw89core] ? _mutexlockslowpath+0x13/0x1f ? mutexlock+0xa2/0xdc ? _pfxmutexlock+0x10/0x10 rtw89hwscanabort+0x58/0xb7 [rtw89core] rtw89opscancelhwscan+0x120/0x13b [rtw89core] ieee80211scancancel+0x468/0x4d0 [mac80211] ieee80211prepconnection+0x858/0x899 [mac80211] ieee80211mgdauth+0xbea/0xdde [mac80211] ? _pfxieee80211mgdauth+0x10/0x10 [mac80211] ? cfg80211findelem+0x15/0x29 [cfg80211] ? isbss+0x1b7/0x1d7 [cfg80211] ieee80211auth+0x18/0x27 [mac80211] cfg80211mlmeauth+0x3bb/0x3e7 [cfg80211] cfg80211conndowork+0x410/0xb81 [cfg80211] ? _pfxcfg80211conndowork+0x10/0x10 [cfg80211] ? _kasancheckread+0x11/0x1f ? psigroupchange+0x8bc/0x944 ? _kasancheckwrite+0x14/0x22 ? mutexlock+0x8e/0xdc ? _pfxmutexlock+0x10/0x10 ? _pfxradixtreelookup+0x10/0x10 cfg80211connwork+0x245/0x34d [cfg80211] ? pfxcfg80211connwork+0x10/0x10 [cfg80211] ? updatecfsrqloadavg+0x3bc/0x3d7 ? schedclocknoinstr+0x9/0x1a ? schedclock+0x10/0x24 ? schedclockcpu+0x7e/0x42e ? newidlebalance+0x796/0x937 ? _pfxschedclockcpu+0x10/0x10 ? _pfxnewidlebalance+0x10/0x10 ? _kasancheckread+0x11/0x1f ? psigroupchange+0x8bc/0x944 ? rawspinunlock+0xe/0x24 ? rawspinrqunlock+0x47/0x54 ? rawspinrqunlockirq+0x9/0x1f ? finishtaskswitch.isra.0+0x347/0x586 ? _schedule+0x27bf/0x2892 ? mutexunlock+0x80/0xd0 ? dorawspinlock+0x75/0xdb ? _pfxschedule+0x10/0x10 processscheduledworks+0x58c/0x821 workerthread+0x4c7/0x586 ? _kasancheckread+0x11/0x1f kthread+0x285/0x294 ? _pfxworkerthread+0x10/0x10 ? _pfxkthread+0x10/0x10 retfromfork+0x29/0x6f ? _pfxkthread+0x10/0x10 retfromfork_asm+0x1b/0x30 </TASK>