CVE-2025-22119

Summary

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: init wiphy_work before allocating rfkill fails

syzbort reported a uninitialize wiphy_work_lock in cfg80211_dev_free. [1]

After rfkill allocation fails, the wiphy release process will be performed, which will cause cfg80211_dev_free to access the uninitialized wiphy_work related data.

Move the initialization of wiphy_work to before rfkill initialization to avoid this issue.

[1] INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 0 UID: 0 PID: 5935 Comm: syz-executor550 Not tainted 6.14.0-rc6-syzkaller-00103-g4003c9e78778 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 assign_lock_key kernel/locking/lockdep.c:983 [inline] register_lock_class+0xc39/0x1240 kernel/locking/lockdep.c:1297 __lock_acquire+0x135/0x3c40 kernel/locking/lockdep.c:5103 lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5851 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162 cfg80211_dev_free+0x30/0x3d0 net/wireless/core.c:1196 device_release+0xa1/0x240 drivers/base/core.c:2568 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1e4/0x5a0 lib/kobject.c:737 put_device+0x1f/0x30 drivers/base/core.c:3774 wiphy_free net/wireless/core.c:1224 [inline] wiphy_new_nm+0x1c1f/0x2160 net/wireless/core.c:562 ieee80211_alloc_hw_nm+0x1b7a/0x2260 net/mac80211/main.c:835 mac80211_hwsim_new_radio+0x1d6/0x54e0 drivers/net/wireless/virtual/mac80211_hwsim.c:5185 hwsim_new_radio_nl+0xb42/0x12b0 drivers/net/wireless/virtual/mac80211_hwsim.c:6242 genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2533 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1882 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg net/socket.c:733 [inline] ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2573 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2627 __sys_sendmsg+0x16e/0x220 net/socket.c:2659 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83

Close: https://syzkaller.appspot.com/bug?extid=aaf0488c83d1d5f4f029

Affected Software

VendorProductVersion RangeStatus
LinuxLinux8930a3e1568cf534f86c8ed2def817c6d0528fc1 < 7e6040853f5b5f067a18c52286e676bc298fe6a2affected
LinuxLinux0272d4af7f92997541d8bbf4c51918b93ded6ee2 < b679fe84cd5cc6f3481b7131fd28676191ad2615affected
LinuxLinux75d262ad3c36d52852d764588fcd887f0fcd9138 < eeacfbab984200dcdcd68fcf4c6e91e2c6b38792affected
LinuxLinuxa5158d67bff06cb6fea31be39aeb319fd908ed8e < 60606efbf52582c0ab93e99789fddced6b47297aaffected
LinuxLinux72d520476a2fab6f3489e8388ab524985d6c4b90 < 2617f60c3613ef105b8db2d514d2cac2a1836f7daffected
LinuxLinux72d520476a2fab6f3489e8388ab524985d6c4b90 < fc88dee89d7b63eeb17699393eb659aadf9d9b7caffected
LinuxLinuxdea22de162058216a90f2706f0d0b36f0ff309fdaffected
LinuxLinux6.1.132 < 6.1.142affected
LinuxLinux6.6.84 < 6.6.95affected
LinuxLinux6.12.20 < 6.12.35affected
LinuxLinux6.13.8 < 6.14affected
LinuxLinux6.14affected
LinuxLinux0 < 6.14unaffected
LinuxLinux6.1.142 <= 6.1.*unaffected
LinuxLinux6.6.95 <= 6.6.*unaffected
LinuxLinux6.12.35 <= 6.12.*unaffected
LinuxLinux6.14.2 <= 6.14.*unaffected
LinuxLinux6.15 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References