ghsa-cg84-5crp-xcxj
Vulnerability from github
Published
2025-02-27 03:34
Modified
2025-02-27 03:34
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw89: avoid to init mgnt_entry list twice when WoWLAN failed

If WoWLAN failed in resume flow, the rtw89_ops_add_interface() triggered without removing the interface first. Then the mgnt_entry list init again, causing the list_empty() check in rtw89_chanctx_ops_assign_vif() useless, and list_add_tail() again. Therefore, we have added a check to prevent double adding of the list.

rtw89_8852ce 0000:01:00.0: failed to check wow status disabled rtw89_8852ce 0000:01:00.0: wow: failed to check disable fw ready rtw89_8852ce 0000:01:00.0: wow: failed to swap to normal fw rtw89_8852ce 0000:01:00.0: failed to disable wow rtw89_8852ce 0000:01:00.0: failed to resume for wow -110 rtw89_8852ce 0000:01:00.0: MAC has already powered on i2c_hid_acpi i2c-ILTK0001:00: PM: acpi_subsys_resume+0x0/0x60 returned 0 after 284705 usecs list_add corruption. prev->next should be next (ffff9d9719d82228), but was ffff9d9719f96030. (prev=ffff9d9719f96030). ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:34! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 2 PID: 6918 Comm: kworker/u8:19 Tainted: G U O Hardware name: Google Anraggar/Anraggar, BIOS Google_Anraggar.15217.514.0 03/25/2024 Workqueue: events_unbound async_run_entry_fn RIP: 0010:__list_add_valid_or_report+0x9f/0xb0 Code: e8 56 89 ff ff 0f 0b 48 c7 c7 3e fc e0 96 48 89 c6 e8 45 89 ff ... RSP: 0018:ffffa51b42bbbaf0 EFLAGS: 00010246 RAX: 0000000000000075 RBX: ffff9d9719d82ab0 RCX: 13acb86e047a4400 RDX: 3fffffffffffffff RSI: 0000000000000000 RDI: 00000000ffffdfff RBP: ffffa51b42bbbb28 R08: ffffffff9768e250 R09: 0000000000001fff R10: ffffffff9765e250 R11: 0000000000005ffd R12: ffff9d9719f95c40 R13: ffff9d9719f95be8 R14: ffff9d97081bfd78 R15: ffff9d9719d82060 FS: 0000000000000000(0000) GS:ffff9d9a6fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007e7d029a4060 CR3: 0000000345e38000 CR4: 0000000000750ee0 PKRU: 55555554 Call Trace: ? __die_body+0x68/0xb0 ? die+0xaa/0xd0 ? do_trap+0x9f/0x170 ? __list_add_valid_or_report+0x9f/0xb0 ? __list_add_valid_or_report+0x9f/0xb0 ? handle_invalid_op+0x69/0x90 ? __list_add_valid_or_report+0x9f/0xb0 ? exc_invalid_op+0x3c/0x50 ? asm_exc_invalid_op+0x16/0x20 ? __list_add_valid_or_report+0x9f/0xb0 rtw89_chanctx_ops_assign_vif+0x1f9/0x210 [rtw89_core cbb375c44bf28564ce479002bff66617a25d9ac1] ? __mutex_unlock_slowpath+0xa0/0xf0 rtw89_ops_assign_vif_chanctx+0x4b/0x90 [rtw89_core cbb375c44bf28564ce479002bff66617a25d9ac1] drv_assign_vif_chanctx+0xa7/0x1f0 [mac80211 6efaad16237edaaea0868b132d4f93ecf918a8b6] ieee80211_reconfig+0x9cb/0x17b0 [mac80211 6efaad16237edaaea0868b132d4f93ecf918a8b6] ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 572d03acaaa933fe38251be7fce3b3675284b8ed] ? dev_printk_emit+0x51/0x70 ? _dev_info+0x6e/0x90 wiphy_resume+0x89/0x180 [cfg80211 572d03acaaa933fe38251be7fce3b3675284b8ed] ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 572d03acaaa933fe38251be7fce3b3675284b8ed] dpm_run_callback+0x37/0x1e0 device_resume+0x26d/0x4b0 ? __pfx_dpm_watchdog_handler+0x10/0x10 async_resume+0x1d/0x30 async_run_entry_fn+0x29/0xd0 worker_thread+0x397/0x970 kthread+0xed/0x110 ? __pfx_worker_thread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x38/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-21730"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T02:15:16Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: avoid to init mgnt_entry list twice when WoWLAN failed\n\nIf WoWLAN failed in resume flow, the rtw89_ops_add_interface() triggered\nwithout removing the interface first. Then the mgnt_entry list init again,\ncausing the list_empty() check in rtw89_chanctx_ops_assign_vif()\nuseless, and list_add_tail() again. Therefore, we have added a check to\nprevent double adding of the list.\n\nrtw89_8852ce 0000:01:00.0: failed to check wow status disabled\nrtw89_8852ce 0000:01:00.0: wow: failed to check disable fw ready\nrtw89_8852ce 0000:01:00.0: wow: failed to swap to normal fw\nrtw89_8852ce 0000:01:00.0: failed to disable wow\nrtw89_8852ce 0000:01:00.0: failed to resume for wow -110\nrtw89_8852ce 0000:01:00.0: MAC has already powered on\ni2c_hid_acpi i2c-ILTK0001:00: PM: acpi_subsys_resume+0x0/0x60 returned 0 after 284705 usecs\nlist_add corruption. prev-\u003enext should be next (ffff9d9719d82228), but was ffff9d9719f96030. (prev=ffff9d9719f96030).\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:34!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 2 PID: 6918 Comm: kworker/u8:19 Tainted: G     U     O\nHardware name: Google Anraggar/Anraggar, BIOS Google_Anraggar.15217.514.0 03/25/2024\nWorkqueue: events_unbound async_run_entry_fn\nRIP: 0010:__list_add_valid_or_report+0x9f/0xb0\nCode: e8 56 89 ff ff 0f 0b 48 c7 c7 3e fc e0 96 48 89 c6 e8 45 89 ff ...\nRSP: 0018:ffffa51b42bbbaf0 EFLAGS: 00010246\nRAX: 0000000000000075 RBX: ffff9d9719d82ab0 RCX: 13acb86e047a4400\nRDX: 3fffffffffffffff RSI: 0000000000000000 RDI: 00000000ffffdfff\nRBP: ffffa51b42bbbb28 R08: ffffffff9768e250 R09: 0000000000001fff\nR10: ffffffff9765e250 R11: 0000000000005ffd R12: ffff9d9719f95c40\nR13: ffff9d9719f95be8 R14: ffff9d97081bfd78 R15: ffff9d9719d82060\nFS:  0000000000000000(0000) GS:ffff9d9a6fb00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007e7d029a4060 CR3: 0000000345e38000 CR4: 0000000000750ee0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n ? __die_body+0x68/0xb0\n ? die+0xaa/0xd0\n ? do_trap+0x9f/0x170\n ? __list_add_valid_or_report+0x9f/0xb0\n ? __list_add_valid_or_report+0x9f/0xb0\n ? handle_invalid_op+0x69/0x90\n ? __list_add_valid_or_report+0x9f/0xb0\n ? exc_invalid_op+0x3c/0x50\n ? asm_exc_invalid_op+0x16/0x20\n ? __list_add_valid_or_report+0x9f/0xb0\n rtw89_chanctx_ops_assign_vif+0x1f9/0x210 [rtw89_core cbb375c44bf28564ce479002bff66617a25d9ac1]\n ? __mutex_unlock_slowpath+0xa0/0xf0\n rtw89_ops_assign_vif_chanctx+0x4b/0x90 [rtw89_core cbb375c44bf28564ce479002bff66617a25d9ac1]\n drv_assign_vif_chanctx+0xa7/0x1f0 [mac80211 6efaad16237edaaea0868b132d4f93ecf918a8b6]\n ieee80211_reconfig+0x9cb/0x17b0 [mac80211 6efaad16237edaaea0868b132d4f93ecf918a8b6]\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 572d03acaaa933fe38251be7fce3b3675284b8ed]\n ? dev_printk_emit+0x51/0x70\n ? _dev_info+0x6e/0x90\n wiphy_resume+0x89/0x180 [cfg80211 572d03acaaa933fe38251be7fce3b3675284b8ed]\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 572d03acaaa933fe38251be7fce3b3675284b8ed]\n dpm_run_callback+0x37/0x1e0\n device_resume+0x26d/0x4b0\n ? __pfx_dpm_watchdog_handler+0x10/0x10\n async_resume+0x1d/0x30\n async_run_entry_fn+0x29/0xd0\n worker_thread+0x397/0x970\n kthread+0xed/0x110\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x38/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \u003c/TASK\u003e",
  "id": "GHSA-cg84-5crp-xcxj",
  "modified": "2025-02-27T03:34:02Z",
  "published": "2025-02-27T03:34:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21730"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2f7667675df1b40b73ecc53b4b8c3189b1e5f2c1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4ed5bf49819757303e657f3900725febf2f3926f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7fc295fdd3992a9a07d12fd3f2e84dface23aedc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.