CVE-2025-22119

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: init wiphy_work before allocating rfkill fails

syzbort reported a uninitialize wiphyworklock in cfg80211devfree. [1]

After rfkill allocation fails, the wiphy release process will be performed, which will cause cfg80211devfree to access the uninitialized wiphy_work related data.

Move the initialization of wiphy_work to before rfkill initialization to avoid this issue.

[1] INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 0 UID: 0 PID: 5935 Comm: syz-executor550 Not tainted 6.14.0-rc6-syzkaller-00103-g4003c9e78778 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x116/0x1f0 lib/dumpstack.c:120 assignlockkey kernel/locking/lockdep.c:983 [inline] registerlockclass+0xc39/0x1240 kernel/locking/lockdep.c:1297 _lockacquire+0x135/0x3c40 kernel/locking/lockdep.c:5103 lockacquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5851 _rawspinlockirqsave include/linux/spinlockapismp.h:110 [inline] rawspinlockirqsave+0x3a/0x60 kernel/locking/spinlock.c:162 cfg80211devfree+0x30/0x3d0 net/wireless/core.c:1196 devicerelease+0xa1/0x240 drivers/base/core.c:2568 kobjectcleanup lib/kobject.c:689 [inline] kobjectrelease lib/kobject.c:720 [inline] krefput include/linux/kref.h:65 [inline] kobjectput+0x1e4/0x5a0 lib/kobject.c:737 putdevice+0x1f/0x30 drivers/base/core.c:3774 wiphyfree net/wireless/core.c:1224 [inline] wiphynewnm+0x1c1f/0x2160 net/wireless/core.c:562 ieee80211allochwnm+0x1b7a/0x2260 net/mac80211/main.c:835 mac80211hwsimnewradio+0x1d6/0x54e0 drivers/net/wireless/virtual/mac80211hwsim.c:5185 hwsimnewradionl+0xb42/0x12b0 drivers/net/wireless/virtual/mac80211hwsim.c:6242 genlfamilyrcvmsgdoit+0x202/0x2f0 net/netlink/genetlink.c:1115 genlfamilyrcvmsg net/netlink/genetlink.c:1195 [inline] genlrcvmsg+0x565/0x800 net/netlink/genetlink.c:1210 netlinkrcvskb+0x16b/0x440 net/netlink/afnetlink.c:2533 genlrcv+0x28/0x40 net/netlink/genetlink.c:1219 netlinkunicastkernel net/netlink/afnetlink.c:1312 [inline] netlinkunicast+0x53c/0x7f0 net/netlink/afnetlink.c:1338 netlinksendmsg+0x8b8/0xd70 net/netlink/afnetlink.c:1882 socksendmsgnosec net/socket.c:718 [inline] _socksendmsg net/socket.c:733 [inline] syssendmsg+0xaaf/0xc90 net/socket.c:2573 _syssendmsg+0x135/0x1e0 net/socket.c:2627 _syssendmsg+0x16e/0x220 net/socket.c:2659 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xcd/0x250 arch/x86/entry/common.c:83

Close: https://syzkaller.appspot.com/bug?extid=aaf0488c83d1d5f4f029