CVE-2026-31548
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
When the nl80211 socket that originated a PMSR request is
closed, cfg80211_release_pmsr() sets the request's nl_portid
to zero and schedules pmsr_free_wk to process the abort
asynchronously. If the interface is concurrently torn down
before that work runs, cfg80211_pmsr_wdev_down() calls
cfg80211_pmsr_process_abort() directly. However, the already-
scheduled pmsr_free_wk work item remains pending and may run
after the interface has been removed from the driver. This
could cause the driver's abort_pmsr callback to operate on a
torn-down interface, leading to undefined behavior and
potential crashes.
Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
before calling cfg80211_pmsr_process_abort(). This ensures any
pending or in-progress work is drained before interface teardown
proceeds, preventing the work from invoking the driver abort
callback after the interface is gone.
wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
When the nl80211 socket that originated a PMSR request is
closed, cfg80211_release_pmsr() sets the request's nl_portid
to zero and schedules pmsr_free_wk to process the abort
asynchronously. If the interface is concurrently torn down
before that work runs, cfg80211_pmsr_wdev_down() calls
cfg80211_pmsr_process_abort() directly. However, the already-
scheduled pmsr_free_wk work item remains pending and may run
after the interface has been removed from the driver. This
could cause the driver's abort_pmsr callback to operate on a
torn-down interface, leading to undefined behavior and
potential crashes.
Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
before calling cfg80211_pmsr_process_abort(). This ensures any
pending or in-progress work is drained before interface teardown
proceeds, preventing the work from invoking the driver abort
callback after the interface is gone.
Vulnerability Details
Published Date
Last Modified
Source
NVD
Vendor
Linux
Product
Linux
External References
- https://git.kernel.org/stable/c/28d3551f8d8cb3aec7497894d94150fe84d20e5e
- https://git.kernel.org/stable/c/37e776e2e0a523731e2470dce6d563f0e8632a40
- https://git.kernel.org/stable/c/6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09
- https://git.kernel.org/stable/c/72b7ea786b8e570ae11149e9089859a4a8634a13
- https://git.kernel.org/stable/c/a1b7a843f12a0c3e9d3a2ca607ce451916ef42cf
- https://git.kernel.org/stable/c/d32c07ef1880fe20cf4ab223dbfedc9c0b2816aa
Discussion (0)
Add Comment
No comments yet. Be the first!