* [PATCH 5.4.y] wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()
@ 2025-08-27 14:45 Alexander Wetzel
From: Alexander Wetzel @ 2025-08-27 14:45 UTC
To: stable
Cc: gregkh, johannes, linux-wireless, lifangxu, Alexander Wetzel,
Johannes Berg
[ Upstream commit 2c5dee15239f3f3e31aa5c8808f18996c039e2c1 ]
Callers of wdev_chandef() must hold the wiphy mutex.
But the worker cfg80211_propagate_cac_done_wk() never takes the lock.
Which triggers the warning below with the mesh_peer_connected_dfs
test from hostapd and not (yet) released mac80211 code changes:
WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165
Modules linked in:
CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf
Workqueue: cfg80211 cfg80211_propagate_cac_done_wk
Stack:
00000000 00000001 ffffff00 6093267c
00000000 6002ec30 6d577c50 60037608
00000000 67e8d108 6063717b 00000000
Call Trace:
[<6002ec30>] ? _printk+0x0/0x98
[<6003c2b3>] show_stack+0x10e/0x11a
[<6002ec30>] ? _printk+0x0/0x98
[<60037608>] dump_stack_lvl+0x71/0xb8
[<6063717b>] ? wdev_chandef+0x60/0x165
[<6003766d>] dump_stack+0x1e/0x20
[<6005d1b7>] __warn+0x101/0x20f
[<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d
[<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec
[<60751191>] ? __this_cpu_preempt_check+0x0/0x16
[<600b11a2>] ? mark_held_locks+0x5a/0x6e
[<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d
[<60052e53>] ? unblock_signals+0x3a/0xe7
[<60052f2d>] ? um_set_signals+0x2d/0x43
[<60751191>] ? __this_cpu_preempt_check+0x0/0x16
[<607508b2>] ? lock_is_held_type+0x207/0x21f
[<6063717b>] wdev_chandef+0x60/0x165
[<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f
[<60052f00>] ? um_set_signals+0x0/0x43
[<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a
[<6007e460>] process_scheduled_works+0x3bc/0x60e
[<6007d0ec>] ? move_linked_works+0x4d/0x81
[<6007d120>] ? assign_work+0x0/0xaa
[<6007f81f>] worker_thread+0x220/0x2dc
[<600786ef>] ? set_pf_worker+0x0/0x57
[<60087c96>] ? to_kthread+0x0/0x43
[<6008ab3c>] kthread+0x2d3/0x2e2
[<6007f5ff>] ? worker_thread+0x0/0x2dc
[<6006c05b>] ? calculate_sigpending+0x0/0x56
[<6003b37d>] new_thread_handler+0x4a/0x64
irq event stamp: 614611
hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf
hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf
softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985
softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985
Fixes: 26ec17a1dc5e ("cfg80211: Fix radar event during another phy CAC")
Signed-off-by: Alexander Wetzel <Alexander@wetzel-home.de>
Link: https://patch.msgid.link/20250717162547.94582-1-Alexander@wetzel-home.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Conflicts:
net/wireless/reg.c
Signed-off-by: lifangxu <lifangxu@kylinos.cn>
---
net/wireless/reg.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 213655aa6e48..950bf146227e 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -3906,6 +3906,9 @@ EXPORT_SYMBOL(regulatory_pre_cac_allowed);
static void cfg80211_check_and_end_cac(struct cfg80211_registered_device *rdev)
{
struct wireless_dev *wdev;
+
+ wdev_lock(wdev);
+
/* If we finished CAC or received radar, we should end any
* CAC running on the same channels.
* the check !cfg80211_chandef_dfs_usable contain 2 options:
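Review bot: wdev_lock(wdev) is called directly after the declaration "struct wireless_dev *wdev;", before anything has assigned wdev, so it locks through an uninitialized pointer. If a per-device lock is what is wanted, take it on each device inside the block that inspects wdev->chandef, not at function entry. The commit message also asks for the wiphy mutex to be held by callers of wdev_chandef(), while this hunk takes the per-wdev lock instead; the changelog should explain why that substitution is correct for 5.4.y.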
@@ -3920,6 +3923,7 @@ static void cfg80211_check_and_end_cac(struct cfg80211_registered_device *rdev)
!cfg80211_chandef_dfs_usable(&rdev->wiphy, &wdev->chandef))
rdev_end_cac(rdev, wdev->netdev);
}
+ wdev_unlock(wdev);
}
void regulatory_propagate_dfs_state(struct wiphy *wiphy,
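Review bot: wdev_unlock(wdev) sits after the closing brace of the block that calls rdev_end_cac(rdev, wdev->netdev), so it is not paired per device with the lock and runs once on whatever wdev holds when that block is done. Move the unlock inside the block, next to a matching per-device lock. The condition shown here reads &wdev->chandef directly and does not call wdev_chandef(), the function the quoted warning fires in, so it is worth confirming that this function needs the change at all on 5.4.y.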
--
2.43.0
* Re: [PATCH 5.4.y] wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()
From: Greg KH @ 2025-08-27 15:11 UTC
To: Alexander Wetzel
Cc: stable, johannes, linux-wireless, lifangxu, Alexander Wetzel,
Johannes Berg
On Wed, Aug 27, 2025 at 10:45:02PM +0800, Alexander Wetzel wrote:
> [ Upstream commit 2c5dee15239f3f3e31aa5c8808f18996c039e2c1 ]
>
> Callers of wdev_chandef() must hold the wiphy mutex.
>
> But the worker cfg80211_propagate_cac_done_wk() never takes the lock.
> Which triggers the warning below with the mesh_peer_connected_dfs
> test from hostapd and not (yet) released mac80211 code changes:
>
> WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165
> Modules linked in:
> CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf
> Workqueue: cfg80211 cfg80211_propagate_cac_done_wk
> Stack:
> 00000000 00000001 ffffff00 6093267c
> 00000000 6002ec30 6d577c50 60037608
> 00000000 67e8d108 6063717b 00000000
> Call Trace:
> [<6002ec30>] ? _printk+0x0/0x98
> [<6003c2b3>] show_stack+0x10e/0x11a
> [<6002ec30>] ? _printk+0x0/0x98
> [<60037608>] dump_stack_lvl+0x71/0xb8
> [<6063717b>] ? wdev_chandef+0x60/0x165
> [<6003766d>] dump_stack+0x1e/0x20
> [<6005d1b7>] __warn+0x101/0x20f
> [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d
> [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec
> [<60751191>] ? __this_cpu_preempt_check+0x0/0x16
> [<600b11a2>] ? mark_held_locks+0x5a/0x6e
> [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d
> [<60052e53>] ? unblock_signals+0x3a/0xe7
> [<60052f2d>] ? um_set_signals+0x2d/0x43
> [<60751191>] ? __this_cpu_preempt_check+0x0/0x16
> [<607508b2>] ? lock_is_held_type+0x207/0x21f
> [<6063717b>] wdev_chandef+0x60/0x165
> [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f
> [<60052f00>] ? um_set_signals+0x0/0x43
> [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a
> [<6007e460>] process_scheduled_works+0x3bc/0x60e
> [<6007d0ec>] ? move_linked_works+0x4d/0x81
> [<6007d120>] ? assign_work+0x0/0xaa
> [<6007f81f>] worker_thread+0x220/0x2dc
> [<600786ef>] ? set_pf_worker+0x0/0x57
> [<60087c96>] ? to_kthread+0x0/0x43
> [<6008ab3c>] kthread+0x2d3/0x2e2
> [<6007f5ff>] ? worker_thread+0x0/0x2dc
> [<6006c05b>] ? calculate_sigpending+0x0/0x56
> [<6003b37d>] new_thread_handler+0x4a/0x64
> irq event stamp: 614611
> hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf
> hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf
> softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985
> softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985
>
> Fixes: 26ec17a1dc5e ("cfg80211: Fix radar event during another phy CAC")
> Signed-off-by: Alexander Wetzel <Alexander@wetzel-home.de>
> Link: https://patch.msgid.link/20250717162547.94582-1-Alexander@wetzel-home.de
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>
> Conflicts:
> net/wireless/reg.c
This isn't needed.
> Signed-off-by: lifangxu <lifangxu@kylinos.cn>
This has to match the From: line like any other patch you send :(
Can you please fix up and resend?
thanks,
greg k-h
* Withdraw [PATCH 5.4.y] wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac
From: lifangxu @ 2025-08-28 8:16 UTC
To: gregkh; +Cc: Alexander, johannes.berg, johannes, lifangxu, linux-wireless,
stable
Thank you for your feedback.
After reevaluating, I found that the warning fixed for CVE-2025-38643 occurs in
wdev_chandef() (net/wireless/chan.c:1552), which was not added to
cfg80211_check_and_end_cac() before kernel 6.12-rc1.
So 5.4.y appears unaffected, despite the introducing commit (26ec17a1dc5e).
I'm withdrawing this backport.
Thanks,
lifangxu