fkie_cve-2025-38643
Vulnerability from fkie_nvd
Published: 2025-08-22 16:15
Modified: 2025-08-22 18:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()
Callers of wdev_chandef() must hold the wiphy mutex.
But the worker cfg80211_propagate_cac_done_wk() never takes the lock.
Which triggers the warning below with the mesh_peer_connected_dfs
test from hostapd and not (yet) released mac80211 code changes:
WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165
Modules linked in:
CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf
Workqueue: cfg80211 cfg80211_propagate_cac_done_wk
Stack:
00000000 00000001 ffffff00 6093267c
00000000 6002ec30 6d577c50 60037608
00000000 67e8d108 6063717b 00000000
Call Trace:
[<6002ec30>] ? _printk+0x0/0x98
[<6003c2b3>] show_stack+0x10e/0x11a
[<6002ec30>] ? _printk+0x0/0x98
[<60037608>] dump_stack_lvl+0x71/0xb8
[<6063717b>] ? wdev_chandef+0x60/0x165
[<6003766d>] dump_stack+0x1e/0x20
[<6005d1b7>] __warn+0x101/0x20f
[<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d
[<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec
[<60751191>] ? __this_cpu_preempt_check+0x0/0x16
[<600b11a2>] ? mark_held_locks+0x5a/0x6e
[<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d
[<60052e53>] ? unblock_signals+0x3a/0xe7
[<60052f2d>] ? um_set_signals+0x2d/0x43
[<60751191>] ? __this_cpu_preempt_check+0x0/0x16
[<607508b2>] ? lock_is_held_type+0x207/0x21f
[<6063717b>] wdev_chandef+0x60/0x165
[<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f
[<60052f00>] ? um_set_signals+0x0/0x43
[<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a
[<6007e460>] process_scheduled_works+0x3bc/0x60e
[<6007d0ec>] ? move_linked_works+0x4d/0x81
[<6007d120>] ? assign_work+0x0/0xaa
[<6007f81f>] worker_thread+0x220/0x2dc
[<600786ef>] ? set_pf_worker+0x0/0x57
[<60087c96>] ? to_kthread+0x0/0x43
[<6008ab3c>] kthread+0x2d3/0x2e2
[<6007f5ff>] ? worker_thread+0x0/0x2dc
[<6006c05b>] ? calculate_sigpending+0x0/0x56
[<6003b37d>] new_thread_handler+0x4a/0x64
irq event stamp: 614611
hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf
hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf
softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985
softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985
References
- https://git.kernel.org/stable/c/2c5dee15239f3f3e31aa5c8808f18996c039e2c1
- https://git.kernel.org/stable/c/7022df2248c08c6f75a01714163ac902333bf3db
- https://git.kernel.org/stable/c/dbce810607726408f889d3358f4780fd1436861e

Vulnerability status: Awaiting Analysis