cve/published/2025/CVE-2025-37897.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37897: wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release

 plfxlc_mac_release() asserts that mac->lock is held. This assertion is
 incorrect, because even if it was possible, it would not be the valid
 behaviour. The function is used when probe fails or after the device is
 disconnected. In both cases mac->lock can not be held as the driver is
 not working with the device at the moment. All functions that use mac->lock
 unlock it just after it was held. There is also no need to hold mac->lock
 for plfxlc_mac_release() itself, as mac data is not affected, except for
 mac->flags, which is modified atomically.

 This bug leads to the following warning:
 ================================================================
 WARNING: CPU: 0 PID: 127 at drivers/net/wireless/purelifi/plfxlc/mac.c:106 plfxlc_mac_release+0x7d/0xa0
 Modules linked in:
 CPU: 0 PID: 127 Comm: kworker/0:2 Not tainted 6.1.124-syzkaller #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
 Workqueue: usb_hub_wq hub_event
 RIP: 0010:plfxlc_mac_release+0x7d/0xa0 drivers/net/wireless/purelifi/plfxlc/mac.c:106
 Call Trace:
  <TASK>
  probe+0x941/0xbd0 drivers/net/wireless/purelifi/plfxlc/usb.c:694
  usb_probe_interface+0x5c0/0xaf0 drivers/usb/core/driver.c:396
  really_probe+0x2ab/0xcb0 drivers/base/dd.c:639
  __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785
  driver_probe_device+0x50/0x420 drivers/base/dd.c:815
  __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943
  bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429
  __device_attach+0x359/0x570 drivers/base/dd.c:1015
  bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489
  device_add+0xb48/0xfd0 drivers/base/core.c:3696
  usb_set_configuration+0x19dd/0x2020 drivers/usb/core/message.c:2165
  usb_generic_driver_probe+0x84/0x140 drivers/usb/core/generic.c:238
  usb_probe_device+0x130/0x260 drivers/usb/core/driver.c:293
  really_probe+0x2ab/0xcb0 drivers/base/dd.c:639
  __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785
  driver_probe_device+0x50/0x420 drivers/base/dd.c:815
  __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943
  bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429
  __device_attach+0x359/0x570 drivers/base/dd.c:1015
  bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489
  device_add+0xb48/0xfd0 drivers/base/core.c:3696
  usb_new_device+0xbdd/0x18f0 drivers/usb/core/hub.c:2620
  hub_port_connect drivers/usb/core/hub.c:5477 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5617 [inline]
  port_event drivers/usb/core/hub.c:5773 [inline]
  hub_event+0x2efe/0x5730 drivers/usb/core/hub.c:5855
  process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
  worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
  kthread+0x28d/0x320 kernel/kthread.c:376
  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
  </TASK>
 ================================================================

 Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

 The Linux kernel CVE team has assigned CVE-2025-37897 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.19 with commit 68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 and fixed in 6.1.138 with commit 93d646911be1e5be20d4f5d6c48359464cef0097
 	Issue introduced in 5.19 with commit 68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 and fixed in 6.6.90 with commit 36a9a2647810e57e704dde59abdf831380ca9102
 	Issue introduced in 5.19 with commit 68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 and fixed in 6.12.28 with commit 791a2d9e87c411aec0b9b2fb735fd15e48af9de9
 	Issue introduced in 5.19 with commit 68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 and fixed in 6.14.6 with commit 9ecb4af39f80cdda3e57825923243ec11e48be6b
 	Issue introduced in 5.19 with commit 68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 and fixed in 6.15 with commit 0fb15ae3b0a9221be01715dac0335647c79f3362

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37897
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/wireless/purelifi/plfxlc/mac.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/93d646911be1e5be20d4f5d6c48359464cef0097
 	https://git.kernel.org/stable/c/36a9a2647810e57e704dde59abdf831380ca9102
 	https://git.kernel.org/stable/c/791a2d9e87c411aec0b9b2fb735fd15e48af9de9
 	https://git.kernel.org/stable/c/9ecb4af39f80cdda3e57825923243ec11e48be6b
 	https://git.kernel.org/stable/c/0fb15ae3b0a9221be01715dac0335647c79f3362
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37897: wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release

	plfxlc_mac_release() asserts that mac->lock is held. This assertion is
	incorrect, because even if it was possible, it would not be the valid
	behaviour. The function is used when probe fails or after the device is
	disconnected. In both cases mac->lock can not be held as the driver is
	not working with the device at the moment. All functions that use mac->lock
	unlock it just after it was held. There is also no need to hold mac->lock
	for plfxlc_mac_release() itself, as mac data is not affected, except for
	mac->flags, which is modified atomically.

	This bug leads to the following warning:
	================================================================
	WARNING: CPU: 0 PID: 127 at drivers/net/wireless/purelifi/plfxlc/mac.c:106 plfxlc_mac_release+0x7d/0xa0
	Modules linked in:
	CPU: 0 PID: 127 Comm: kworker/0:2 Not tainted 6.1.124-syzkaller #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
	Workqueue: usb_hub_wq hub_event
	RIP: 0010:plfxlc_mac_release+0x7d/0xa0 drivers/net/wireless/purelifi/plfxlc/mac.c:106
	Call Trace:
	<TASK>
	probe+0x941/0xbd0 drivers/net/wireless/purelifi/plfxlc/usb.c:694
	usb_probe_interface+0x5c0/0xaf0 drivers/usb/core/driver.c:396
	really_probe+0x2ab/0xcb0 drivers/base/dd.c:639
	__driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785
	driver_probe_device+0x50/0x420 drivers/base/dd.c:815
	__device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943
	bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429
	__device_attach+0x359/0x570 drivers/base/dd.c:1015
	bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489
	device_add+0xb48/0xfd0 drivers/base/core.c:3696
	usb_set_configuration+0x19dd/0x2020 drivers/usb/core/message.c:2165
	usb_generic_driver_probe+0x84/0x140 drivers/usb/core/generic.c:238
	usb_probe_device+0x130/0x260 drivers/usb/core/driver.c:293
	really_probe+0x2ab/0xcb0 drivers/base/dd.c:639
	__driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785
	driver_probe_device+0x50/0x420 drivers/base/dd.c:815
	__device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943
	bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429
	__device_attach+0x359/0x570 drivers/base/dd.c:1015
	bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489
	device_add+0xb48/0xfd0 drivers/base/core.c:3696
	usb_new_device+0xbdd/0x18f0 drivers/usb/core/hub.c:2620
	hub_port_connect drivers/usb/core/hub.c:5477 [inline]
	hub_port_connect_change drivers/usb/core/hub.c:5617 [inline]
	port_event drivers/usb/core/hub.c:5773 [inline]
	hub_event+0x2efe/0x5730 drivers/usb/core/hub.c:5855
	process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
	worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
	kthread+0x28d/0x320 kernel/kthread.c:376
	ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
	</TASK>
	================================================================

	Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

	The Linux kernel CVE team has assigned CVE-2025-37897 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.19 with commit 68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 and fixed in 6.1.138 with commit 93d646911be1e5be20d4f5d6c48359464cef0097
	Issue introduced in 5.19 with commit 68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 and fixed in 6.6.90 with commit 36a9a2647810e57e704dde59abdf831380ca9102
	Issue introduced in 5.19 with commit 68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 and fixed in 6.12.28 with commit 791a2d9e87c411aec0b9b2fb735fd15e48af9de9
	Issue introduced in 5.19 with commit 68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 and fixed in 6.14.6 with commit 9ecb4af39f80cdda3e57825923243ec11e48be6b
	Issue introduced in 5.19 with commit 68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 and fixed in 6.15 with commit 0fb15ae3b0a9221be01715dac0335647c79f3362

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37897
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/wireless/purelifi/plfxlc/mac.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/93d646911be1e5be20d4f5d6c48359464cef0097
	https://git.kernel.org/stable/c/36a9a2647810e57e704dde59abdf831380ca9102
	https://git.kernel.org/stable/c/791a2d9e87c411aec0b9b2fb735fd15e48af9de9
	https://git.kernel.org/stable/c/9ecb4af39f80cdda3e57825923243ec11e48be6b
	https://git.kernel.org/stable/c/0fb15ae3b0a9221be01715dac0335647c79f3362