Message-ID: <CAP=Rh=NP-KjKhzfh21GKCCvDwDPfh37z8+b13btXVS5owUS4WQ@mail.gmail.com>
Date: Wed, 21 May 2025 21:56:20 +0800
From: John <john.cs.hey@...il.com>
To: Johannes Berg <johannes@...solutions.net>
Cc: linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [Bug] "INFO: trying to register non-static key in cfg80211_dev_free" in Linux Kernel v6.14

Dear Linux Kernel Maintainers,

I hope this message finds you well.

I am writing to report a potential vulnerability I encountered during
testing of the Linux Kernel version v6.14.

Git Commit: 38fec10eb60d687e30c8c6b5420d86e8149f7557 (tag: v6.14)

Bug Location: 0010:cfg80211_dev_free+0x2ba/0x3b0 net/wireless/core.c:1197

Bug report: https://pastebin.com/1XeQBvgW

Complete log: https://pastebin.com/tcvP4fP4

Entire kernel config: https://pastebin.com/MRWGr3nv

Root Cause Analysis:
A WARN_ON is triggered in cfg80211_dev_free() due to a spinlock being
used before initialization or after free. Lockdep reports a non-static
key warning, indicating that the spinlock inside rdev->devlist_mtx is
either uninitialized or UAF.
The issue escalates to a second warning from __flush_work() when
trying to cancel and synchronize a work item that may still be pending
or undefined. This is reproducible via the mac80211_hwsim netlink
interface when rapidly creating and destroying virtual radios.
This bug exposes synchronization issues and unsafe memory usage in
cfg80211's device free path and requires proper spinlock
initialization and work item handling before release.

At present, I have not yet obtained a minimal reproducer for this
issue. However, I am actively working on reproducing it, and I will
promptly share any additional findings or a working reproducer as soon
as it becomes available.

Thank you very much for your time and attention to this matter. I
truly appreciate the efforts of the Linux kernel community.

Best regards,
John
