[SRU][N][PATCH 0/1] CVE-2025-21729
Alice C. Munduruca
alice.munduruca at canonical.com
Tue Oct 7 20:55:51 UTC 2025
[ Impact ]
A Use After Free bug is possible in `rtw89`, as the check for whether the
device is scanning can race with scan completion, leading to the attribute
`hw_scan_req` being freed as the scan completes and before it is accessed
in the function `rtw89_ops_cancel_hw_scan`. As such, protect this code path
with a mutex so that a race cannot occur.
[ Fix ]
noble: backported from upstream patch --
added label `out` and applied, removing the dependence on upstream context.
[ Tests ]
Compile and boot tested.
[ Where problems could occur ]
Given that the change consists of protecting a check with an already existing
mutex, there is little risk of regressions.
Ping-Ke Shih (1):
wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion
drivers/net/wireless/realtek/rtw89/mac80211.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--
2.51.0
More information about the kernel-team
mailing list