CWE-667
Allowed-with-ReviewImproper Locking
Abstraction: Class · Status: Draft
The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
693 vulnerabilities reference this CWE, most recent first.
GHSA-6H6F-84WV-5RQQ
Vulnerability from github – Published: 2024-11-08 06:30 – Updated: 2024-11-19 18:30In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Fix reader locking when changing the sub buffer order
The function ring_buffer_subbuf_order_set() updates each ring_buffer_per_cpu and installs new sub buffers that match the requested page order. This operation may be invoked concurrently with readers that rely on some of the modified data, such as the head bit (RB_PAGE_HEAD), or the ring_buffer_per_cpu.pages and reader_page pointers. However, no exclusive access is acquired by ring_buffer_subbuf_order_set(). Modifying the mentioned data while a reader also operates on them can then result in incorrect memory access and various crashes.
Fix the problem by taking the reader_lock when updating a specific ring_buffer_per_cpu in ring_buffer_subbuf_order_set().
{
"affected": [],
"aliases": [
"CVE-2024-50207"
],
"database_specific": {
"cwe_ids": [
"CWE-667"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-08T06:15:17Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix reader locking when changing the sub buffer order\n\nThe function ring_buffer_subbuf_order_set() updates each\nring_buffer_per_cpu and installs new sub buffers that match the requested\npage order. This operation may be invoked concurrently with readers that\nrely on some of the modified data, such as the head bit (RB_PAGE_HEAD), or\nthe ring_buffer_per_cpu.pages and reader_page pointers. However, no\nexclusive access is acquired by ring_buffer_subbuf_order_set(). Modifying\nthe mentioned data while a reader also operates on them can then result in\nincorrect memory access and various crashes.\n\nFix the problem by taking the reader_lock when updating a specific\nring_buffer_per_cpu in ring_buffer_subbuf_order_set().",
"id": "GHSA-6h6f-84wv-5rqq",
"modified": "2024-11-19T18:30:54Z",
"published": "2024-11-08T06:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50207"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/09661f75e75cb6c1d2d8326a70c311d46729235f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a569290525a05162d5dd26d9845591eaf46e5802"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6HCQ-HMM3-JJ3C
Vulnerability from github – Published: 2026-03-20 00:31 – Updated: 2026-03-20 20:41Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-webmvc"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0-M1"
},
{
"fixed": "7.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-webmvc"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.0"
},
{
"fixed": "6.2.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-webmvc"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"last_affected": "6.1.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-webmvc"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"last_affected": "5.3.39"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-webflux"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0-M1"
},
{
"fixed": "7.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-webflux"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.0"
},
{
"fixed": "6.2.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-webflux"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"last_affected": "6.1.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-webflux"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"last_affected": "5.3.39"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22735"
],
"database_specific": {
"cwe_ids": [
"CWE-667"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:41:16Z",
"nvd_published_at": "2026-03-20T00:16:15Z",
"severity": "LOW"
},
"details": "Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).\u00a0This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.",
"id": "GHSA-6hcq-hmm3-jj3c",
"modified": "2026-03-20T20:41:16Z",
"published": "2026-03-20T00:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22735"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-framework"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2026-22735"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spring MVC and WebFlux has Server Sent Event stream corruption"
}
GHSA-6HQ8-G74X-24Q3
Vulnerability from github – Published: 2025-10-24 18:30 – Updated: 2025-10-24 18:30In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix hang during unmount when block group reclaim task is running
When we start an unmount, at close_ctree(), if we have the reclaim task running and in the middle of a data block group relocation, we can trigger a deadlock when stopping an async reclaim task, producing a trace like the following:
[629724.498185] task:kworker/u16:7 state:D stack: 0 pid:681170 ppid: 2 flags:0x00004000 [629724.499760] Workqueue: events_unbound btrfs_async_reclaim_metadata_space [btrfs] [629724.501267] Call Trace: [629724.501759] [629724.502174] __schedule+0x3cb/0xed0 [629724.502842] schedule+0x4e/0xb0 [629724.503447] btrfs_wait_on_delayed_iputs+0x7c/0xc0 [btrfs] [629724.504534] ? prepare_to_wait_exclusive+0xc0/0xc0 [629724.505442] flush_space+0x423/0x630 [btrfs] [629724.506296] ? rcu_read_unlock_trace_special+0x20/0x50 [629724.507259] ? lock_release+0x220/0x4a0 [629724.507932] ? btrfs_get_alloc_profile+0xb3/0x290 [btrfs] [629724.508940] ? do_raw_spin_unlock+0x4b/0xa0 [629724.509688] btrfs_async_reclaim_metadata_space+0x139/0x320 [btrfs] [629724.510922] process_one_work+0x252/0x5a0 [629724.511694] ? process_one_work+0x5a0/0x5a0 [629724.512508] worker_thread+0x52/0x3b0 [629724.513220] ? process_one_work+0x5a0/0x5a0 [629724.514021] kthread+0xf2/0x120 [629724.514627] ? kthread_complete_and_exit+0x20/0x20 [629724.515526] ret_from_fork+0x22/0x30 [629724.516236] [629724.516694] task:umount state:D stack: 0 pid:719055 ppid:695412 flags:0x00004000 [629724.518269] Call Trace: [629724.518746] [629724.519160] __schedule+0x3cb/0xed0 [629724.519835] schedule+0x4e/0xb0 [629724.520467] schedule_timeout+0xed/0x130 [629724.521221] ? lock_release+0x220/0x4a0 [629724.521946] ? lock_acquired+0x19c/0x420 [629724.522662] ? trace_hardirqs_on+0x1b/0xe0 [629724.523411] __wait_for_common+0xaf/0x1f0 [629724.524189] ? usleep_range_state+0xb0/0xb0 [629724.524997] __flush_work+0x26d/0x530 [629724.525698] ? flush_workqueue_prep_pwqs+0x140/0x140 [629724.526580] ? lock_acquire+0x1a0/0x310 [629724.527324] __cancel_work_timer+0x137/0x1c0 [629724.528190] close_ctree+0xfd/0x531 [btrfs] [629724.529000] ? evict_inodes+0x166/0x1c0 [629724.529510] generic_shutdown_super+0x74/0x120 [629724.530103] kill_anon_super+0x14/0x30 [629724.530611] btrfs_kill_super+0x12/0x20 [btrfs] [629724.531246] deactivate_locked_super+0x31/0xa0 [629724.531817] cleanup_mnt+0x147/0x1c0 [629724.532319] task_work_run+0x5c/0xa0 [629724.532984] exit_to_user_mode_prepare+0x1a6/0x1b0 [629724.533598] syscall_exit_to_user_mode+0x16/0x40 [629724.534200] do_syscall_64+0x48/0x90 [629724.534667] entry_SYSCALL_64_after_hwframe+0x44/0xae [629724.535318] RIP: 0033:0x7fa2b90437a7 [629724.535804] RSP: 002b:00007ffe0b7e4458 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [629724.536912] RAX: 0000000000000000 RBX: 00007fa2b9182264 RCX: 00007fa2b90437a7 [629724.538156] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000555d6cf20dd0 [629724.539053] RBP: 0000555d6cf20ba0 R08: 0000000000000000 R09: 00007ffe0b7e3200 [629724.539956] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [629724.540883] R13: 0000555d6cf20dd0 R14: 0000555d6cf20cb0 R15: 0000000000000000 [629724.541796]
This happens because:
1) Before entering close_ctree() we have the async block group reclaim task running and relocating a data block group;
2) There's an async metadata (or data) space reclaim task running;
3) We enter close_ctree() and park the cleaner kthread;
4) The async space reclaim task is at flush_space() and runs all the existing delayed iputs;
5) Before the async space reclaim task calls btrfs_wait_on_delayed_iputs(), the block group reclaim task which is doing the data block group relocation, creates a delayed iput at replace_file_extents() (called when COWing leaves that have file extent items pointing to relocated data exten ---truncated---
{
"affected": [],
"aliases": [
"CVE-2022-49702"
],
"database_specific": {
"cwe_ids": [
"CWE-667"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:45Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix hang during unmount when block group reclaim task is running\n\nWhen we start an unmount, at close_ctree(), if we have the reclaim task\nrunning and in the middle of a data block group relocation, we can trigger\na deadlock when stopping an async reclaim task, producing a trace like the\nfollowing:\n\n[629724.498185] task:kworker/u16:7 state:D stack: 0 pid:681170 ppid: 2 flags:0x00004000\n[629724.499760] Workqueue: events_unbound btrfs_async_reclaim_metadata_space [btrfs]\n[629724.501267] Call Trace:\n[629724.501759] \u003cTASK\u003e\n[629724.502174] __schedule+0x3cb/0xed0\n[629724.502842] schedule+0x4e/0xb0\n[629724.503447] btrfs_wait_on_delayed_iputs+0x7c/0xc0 [btrfs]\n[629724.504534] ? prepare_to_wait_exclusive+0xc0/0xc0\n[629724.505442] flush_space+0x423/0x630 [btrfs]\n[629724.506296] ? rcu_read_unlock_trace_special+0x20/0x50\n[629724.507259] ? lock_release+0x220/0x4a0\n[629724.507932] ? btrfs_get_alloc_profile+0xb3/0x290 [btrfs]\n[629724.508940] ? do_raw_spin_unlock+0x4b/0xa0\n[629724.509688] btrfs_async_reclaim_metadata_space+0x139/0x320 [btrfs]\n[629724.510922] process_one_work+0x252/0x5a0\n[629724.511694] ? process_one_work+0x5a0/0x5a0\n[629724.512508] worker_thread+0x52/0x3b0\n[629724.513220] ? process_one_work+0x5a0/0x5a0\n[629724.514021] kthread+0xf2/0x120\n[629724.514627] ? kthread_complete_and_exit+0x20/0x20\n[629724.515526] ret_from_fork+0x22/0x30\n[629724.516236] \u003c/TASK\u003e\n[629724.516694] task:umount state:D stack: 0 pid:719055 ppid:695412 flags:0x00004000\n[629724.518269] Call Trace:\n[629724.518746] \u003cTASK\u003e\n[629724.519160] __schedule+0x3cb/0xed0\n[629724.519835] schedule+0x4e/0xb0\n[629724.520467] schedule_timeout+0xed/0x130\n[629724.521221] ? lock_release+0x220/0x4a0\n[629724.521946] ? lock_acquired+0x19c/0x420\n[629724.522662] ? trace_hardirqs_on+0x1b/0xe0\n[629724.523411] __wait_for_common+0xaf/0x1f0\n[629724.524189] ? usleep_range_state+0xb0/0xb0\n[629724.524997] __flush_work+0x26d/0x530\n[629724.525698] ? flush_workqueue_prep_pwqs+0x140/0x140\n[629724.526580] ? lock_acquire+0x1a0/0x310\n[629724.527324] __cancel_work_timer+0x137/0x1c0\n[629724.528190] close_ctree+0xfd/0x531 [btrfs]\n[629724.529000] ? evict_inodes+0x166/0x1c0\n[629724.529510] generic_shutdown_super+0x74/0x120\n[629724.530103] kill_anon_super+0x14/0x30\n[629724.530611] btrfs_kill_super+0x12/0x20 [btrfs]\n[629724.531246] deactivate_locked_super+0x31/0xa0\n[629724.531817] cleanup_mnt+0x147/0x1c0\n[629724.532319] task_work_run+0x5c/0xa0\n[629724.532984] exit_to_user_mode_prepare+0x1a6/0x1b0\n[629724.533598] syscall_exit_to_user_mode+0x16/0x40\n[629724.534200] do_syscall_64+0x48/0x90\n[629724.534667] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[629724.535318] RIP: 0033:0x7fa2b90437a7\n[629724.535804] RSP: 002b:00007ffe0b7e4458 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n[629724.536912] RAX: 0000000000000000 RBX: 00007fa2b9182264 RCX: 00007fa2b90437a7\n[629724.538156] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000555d6cf20dd0\n[629724.539053] RBP: 0000555d6cf20ba0 R08: 0000000000000000 R09: 00007ffe0b7e3200\n[629724.539956] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[629724.540883] R13: 0000555d6cf20dd0 R14: 0000555d6cf20cb0 R15: 0000000000000000\n[629724.541796] \u003c/TASK\u003e\n\nThis happens because:\n\n1) Before entering close_ctree() we have the async block group reclaim\n task running and relocating a data block group;\n\n2) There\u0027s an async metadata (or data) space reclaim task running;\n\n3) We enter close_ctree() and park the cleaner kthread;\n\n4) The async space reclaim task is at flush_space() and runs all the\n existing delayed iputs;\n\n5) Before the async space reclaim task calls\n btrfs_wait_on_delayed_iputs(), the block group reclaim task which is\n doing the data block group relocation, creates a delayed iput at\n replace_file_extents() (called when COWing leaves that have file extent\n items pointing to relocated data exten\n---truncated---",
"id": "GHSA-6hq8-g74x-24q3",
"modified": "2025-10-24T18:30:57Z",
"published": "2025-10-24T18:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49702"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/31e70e527806c546a72262f2fc3d982ee23c42d3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/341d33128a940c6634175dcb6ca92dc454cfa7d2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9fadb11f1295289e0da4d3342ecb6b92c1c99540"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6HQC-57W7-HX9Q
Vulnerability from github – Published: 2025-03-27 15:31 – Updated: 2025-11-03 21:33In the Linux kernel, the following vulnerability has been resolved:
i2c: npcm: disable interrupt enable bit before devm_request_irq
The customer reports that there is a soft lockup issue related to the i2c driver. After checking, the i2c module was doing a tx transfer and the bmc machine reboots in the middle of the i2c transaction, the i2c module keeps the status without being reset.
Due to such an i2c module status, the i2c irq handler keeps getting triggered since the i2c irq handler is registered in the kernel booting process after the bmc machine is doing a warm rebooting. The continuous triggering is stopped by the soft lockup watchdog timer.
Disable the interrupt enable bit in the i2c module before calling devm_request_irq to fix this issue since the i2c relative status bit is read-only.
Here is the soft lockup log. [ 28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1] [ 28.183351] Modules linked in: [ 28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1 [ 28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 28.208128] pc : __do_softirq+0xb0/0x368 [ 28.212055] lr : __do_softirq+0x70/0x368 [ 28.215972] sp : ffffff8035ebca00 [ 28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780 [ 28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0 [ 28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b [ 28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff [ 28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000 [ 28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2 [ 28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250 [ 28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434 [ 28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : 0000000000000198 [ 28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40 [ 28.290611] Call trace: [ 28.293052] __do_softirq+0xb0/0x368 [ 28.296625] __irq_exit_rcu+0xe0/0x100 [ 28.300374] irq_exit+0x14/0x20 [ 28.303513] handle_domain_irq+0x68/0x90 [ 28.307440] gic_handle_irq+0x78/0xb0 [ 28.311098] call_on_irq_stack+0x20/0x38 [ 28.315019] do_interrupt_handler+0x54/0x5c [ 28.319199] el1_interrupt+0x2c/0x4c [ 28.322777] el1h_64_irq_handler+0x14/0x20 [ 28.326872] el1h_64_irq+0x74/0x78 [ 28.330269] __setup_irq+0x454/0x780 [ 28.333841] request_threaded_irq+0xd0/0x1b4 [ 28.338107] devm_request_threaded_irq+0x84/0x100 [ 28.342809] npcm_i2c_probe_bus+0x188/0x3d0 [ 28.346990] platform_probe+0x6c/0xc4 [ 28.350653] really_probe+0xcc/0x45c [ 28.354227] __driver_probe_device+0x8c/0x160 [ 28.358578] driver_probe_device+0x44/0xe0 [ 28.362670] __driver_attach+0x124/0x1d0 [ 28.366589] bus_for_each_dev+0x7c/0xe0 [ 28.370426] driver_attach+0x28/0x30 [ 28.373997] bus_add_driver+0x124/0x240 [ 28.377830] driver_register+0x7c/0x124 [ 28.381662] __platform_driver_register+0x2c/0x34 [ 28.386362] npcm_i2c_init+0x3c/0x5c [ 28.389937] do_one_initcall+0x74/0x230 [ 28.393768] kernel_init_freeable+0x24c/0x2b4 [ 28.398126] kernel_init+0x28/0x130 [ 28.401614] ret_from_fork+0x10/0x20 [ 28.405189] Kernel panic - not syncing: softlockup: hung tasks [ 28.411011] SMP: stopping secondary CPUs [ 28.414933] Kernel Offset: disabled [ 28.418412] CPU features: 0x00000000,00000802 [ 28.427644] Rebooting in 20 seconds..
{
"affected": [],
"aliases": [
"CVE-2025-21878"
],
"database_specific": {
"cwe_ids": [
"CWE-667"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-27T15:15:55Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: npcm: disable interrupt enable bit before devm_request_irq\n\nThe customer reports that there is a soft lockup issue related to\nthe i2c driver. After checking, the i2c module was doing a tx transfer\nand the bmc machine reboots in the middle of the i2c transaction, the i2c\nmodule keeps the status without being reset.\n\nDue to such an i2c module status, the i2c irq handler keeps getting\ntriggered since the i2c irq handler is registered in the kernel booting\nprocess after the bmc machine is doing a warm rebooting.\nThe continuous triggering is stopped by the soft lockup watchdog timer.\n\nDisable the interrupt enable bit in the i2c module before calling\ndevm_request_irq to fix this issue since the i2c relative status bit\nis read-only.\n\nHere is the soft lockup log.\n[ 28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1]\n[ 28.183351] Modules linked in:\n[ 28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1\n[ 28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 28.208128] pc : __do_softirq+0xb0/0x368\n[ 28.212055] lr : __do_softirq+0x70/0x368\n[ 28.215972] sp : ffffff8035ebca00\n[ 28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780\n[ 28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0\n[ 28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b\n[ 28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff\n[ 28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000\n[ 28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2\n[ 28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250\n[ 28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434\n[ 28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : 0000000000000198\n[ 28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40\n[ 28.290611] Call trace:\n[ 28.293052] __do_softirq+0xb0/0x368\n[ 28.296625] __irq_exit_rcu+0xe0/0x100\n[ 28.300374] irq_exit+0x14/0x20\n[ 28.303513] handle_domain_irq+0x68/0x90\n[ 28.307440] gic_handle_irq+0x78/0xb0\n[ 28.311098] call_on_irq_stack+0x20/0x38\n[ 28.315019] do_interrupt_handler+0x54/0x5c\n[ 28.319199] el1_interrupt+0x2c/0x4c\n[ 28.322777] el1h_64_irq_handler+0x14/0x20\n[ 28.326872] el1h_64_irq+0x74/0x78\n[ 28.330269] __setup_irq+0x454/0x780\n[ 28.333841] request_threaded_irq+0xd0/0x1b4\n[ 28.338107] devm_request_threaded_irq+0x84/0x100\n[ 28.342809] npcm_i2c_probe_bus+0x188/0x3d0\n[ 28.346990] platform_probe+0x6c/0xc4\n[ 28.350653] really_probe+0xcc/0x45c\n[ 28.354227] __driver_probe_device+0x8c/0x160\n[ 28.358578] driver_probe_device+0x44/0xe0\n[ 28.362670] __driver_attach+0x124/0x1d0\n[ 28.366589] bus_for_each_dev+0x7c/0xe0\n[ 28.370426] driver_attach+0x28/0x30\n[ 28.373997] bus_add_driver+0x124/0x240\n[ 28.377830] driver_register+0x7c/0x124\n[ 28.381662] __platform_driver_register+0x2c/0x34\n[ 28.386362] npcm_i2c_init+0x3c/0x5c\n[ 28.389937] do_one_initcall+0x74/0x230\n[ 28.393768] kernel_init_freeable+0x24c/0x2b4\n[ 28.398126] kernel_init+0x28/0x130\n[ 28.401614] ret_from_fork+0x10/0x20\n[ 28.405189] Kernel panic - not syncing: softlockup: hung tasks\n[ 28.411011] SMP: stopping secondary CPUs\n[ 28.414933] Kernel Offset: disabled\n[ 28.418412] CPU features: 0x00000000,00000802\n[ 28.427644] Rebooting in 20 seconds..",
"id": "GHSA-6hqc-57w7-hx9q",
"modified": "2025-11-03T21:33:13Z",
"published": "2025-03-27T15:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21878"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/12d0e39916705b68d2d8ba20a8e35d1d27afc260"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1b267e1b87d52b16e7dfcc7ab2ab760f6f8f9ca9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/545b563eb00d0576775da4011b3f7ffefc9e8c60"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/846e371631c57365eeb89e5db1ab0f344169af93"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dd1998e243f5fa25d348a384ba0b6c84d980f2b2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e3aea1dba97d31eceed7b622000af0406988b9c8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f32d7b4dc6e791523c70e83049645dcba2a2aa33"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6HVC-J4M8-JP74
Vulnerability from github – Published: 2022-11-29 00:30 – Updated: 2025-04-14 18:31A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service.
{
"affected": [],
"aliases": [
"CVE-2022-4129"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-667"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-28T22:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the Linux kernel\u0027s Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service.",
"id": "GHSA-6hvc-j4m8-jp74",
"modified": "2025-04-14T18:31:41Z",
"published": "2022-11-29T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4129"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7X5SPXMXXFANDASPCKER2JIQO2F3UHCP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AM5KFIE6JNZXHBA5A2KYDZAT3MEX2B67"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JOKXNIM2R4FQCDRQV67UMAY6EBC72QFG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7X5SPXMXXFANDASPCKER2JIQO2F3UHCP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AM5KFIE6JNZXHBA5A2KYDZAT3MEX2B67"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JOKXNIM2R4FQCDRQV67UMAY6EBC72QFG"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/20221114191619.124659-1-jakub%40cloudflare.com/t"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/20221114191619.124659-1-jakub@cloudflare.com/t"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/netdev/20221121085426.21315-1-jakub%40cloudflare.com/t"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/netdev/20221121085426.21315-1-jakub@cloudflare.com/t"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6J4R-JVG8-V6GC
Vulnerability from github – Published: 2024-06-20 12:31 – Updated: 2024-09-18 18:30In the Linux kernel, the following vulnerability has been resolved:
net, neigh: Do not trigger immediate probes on NUD_FAILED from neigh_managed_work
syzkaller was able to trigger a deadlock for NTF_MANAGED entries [0]:
kworker/0:16/14617 is trying to acquire lock: ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652 [...] but task is already holding lock: ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: neigh_managed_work+0x35/0x250 net/core/neighbour.c:1572
The neighbor entry turned to NUD_FAILED state, where __neigh_event_send() triggered an immediate probe as per commit cd28ca0a3dd1 ("neigh: reduce arp latency") via neigh_probe() given table lock was held.
One option to fix this situation is to defer the neigh_probe() back to the neigh_timer_handler() similarly as pre cd28ca0a3dd1. For the case of NTF_MANAGED, this deferral is acceptable given this only happens on actual failure state and regular / expected state is NUD_VALID with the entry already present.
The fix adds a parameter to __neigh_event_send() in order to communicate whether immediate probe is allowed or disallowed. Existing call-sites of neigh_event_send() default as-is to immediate probe. However, the neigh_managed_work() disables it via use of neigh_event_send_probe().
[0] __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_deadlock_bug kernel/locking/lockdep.c:2956 [inline] check_deadlock kernel/locking/lockdep.c:2999 [inline] validate_chain kernel/locking/lockdep.c:3788 [inline] __lock_acquire.cold+0x149/0x3ab kernel/locking/lockdep.c:5027 lock_acquire kernel/locking/lockdep.c:5639 [inline] lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5604 __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [inline] _raw_write_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:334 neighcreate+0x9e1/0x2990 net/core/neighbour.c:652 ip6_finish_output2+0x1070/0x14f0 net/ipv6/ip6_output.c:123 ip6_finish_output net/ipv6/ip6_output.c:191 [inline] __ip6_finish_output+0x61e/0xe90 net/ipv6/ip6_output.c:170 ip6_finish_output+0x32/0x200 net/ipv6/ip6_output.c:201 NF_HOOK_COND include/linux/netfilter.h:296 [inline] ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224 dst_output include/net/dst.h:451 [inline] NF_HOOK include/linux/netfilter.h:307 [inline] ndisc_send_skb+0xa99/0x17f0 net/ipv6/ndisc.c:508 ndisc_send_ns+0x3a9/0x840 net/ipv6/ndisc.c:650 ndisc_solicit+0x2cd/0x4f0 net/ipv6/ndisc.c:742 neigh_probe+0xc2/0x110 net/core/neighbour.c:1040 __neigh_event_send+0x37d/0x1570 net/core/neighbour.c:1201 neigh_event_send include/net/neighbour.h:470 [inline] neigh_managed_work+0x162/0x250 net/core/neighbour.c:1574 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307 worker_thread+0x657/0x1110 kernel/workqueue.c:2454 kthread+0x2e9/0x3a0 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
{
"affected": [],
"aliases": [
"CVE-2022-48719"
],
"database_specific": {
"cwe_ids": [
"CWE-667"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-20T11:15:55Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet, neigh: Do not trigger immediate probes on NUD_FAILED from neigh_managed_work\n\nsyzkaller was able to trigger a deadlock for NTF_MANAGED entries [0]:\n\n kworker/0:16/14617 is trying to acquire lock:\n ffffffff8d4dd370 (\u0026tbl-\u003elock){++-.}-{2:2}, at: ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652\n [...]\n but task is already holding lock:\n ffffffff8d4dd370 (\u0026tbl-\u003elock){++-.}-{2:2}, at: neigh_managed_work+0x35/0x250 net/core/neighbour.c:1572\n\nThe neighbor entry turned to NUD_FAILED state, where __neigh_event_send()\ntriggered an immediate probe as per commit cd28ca0a3dd1 (\"neigh: reduce\narp latency\") via neigh_probe() given table lock was held.\n\nOne option to fix this situation is to defer the neigh_probe() back to\nthe neigh_timer_handler() similarly as pre cd28ca0a3dd1. For the case\nof NTF_MANAGED, this deferral is acceptable given this only happens on\nactual failure state and regular / expected state is NUD_VALID with the\nentry already present.\n\nThe fix adds a parameter to __neigh_event_send() in order to communicate\nwhether immediate probe is allowed or disallowed. Existing call-sites\nof neigh_event_send() default as-is to immediate probe. However, the\nneigh_managed_work() disables it via use of neigh_event_send_probe().\n\n[0] \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_deadlock_bug kernel/locking/lockdep.c:2956 [inline]\n check_deadlock kernel/locking/lockdep.c:2999 [inline]\n validate_chain kernel/locking/lockdep.c:3788 [inline]\n __lock_acquire.cold+0x149/0x3ab kernel/locking/lockdep.c:5027\n lock_acquire kernel/locking/lockdep.c:5639 [inline]\n lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5604\n __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [inline]\n _raw_write_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:334\n ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652\n ip6_finish_output2+0x1070/0x14f0 net/ipv6/ip6_output.c:123\n __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]\n __ip6_finish_output+0x61e/0xe90 net/ipv6/ip6_output.c:170\n ip6_finish_output+0x32/0x200 net/ipv6/ip6_output.c:201\n NF_HOOK_COND include/linux/netfilter.h:296 [inline]\n ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224\n dst_output include/net/dst.h:451 [inline]\n NF_HOOK include/linux/netfilter.h:307 [inline]\n ndisc_send_skb+0xa99/0x17f0 net/ipv6/ndisc.c:508\n ndisc_send_ns+0x3a9/0x840 net/ipv6/ndisc.c:650\n ndisc_solicit+0x2cd/0x4f0 net/ipv6/ndisc.c:742\n neigh_probe+0xc2/0x110 net/core/neighbour.c:1040\n __neigh_event_send+0x37d/0x1570 net/core/neighbour.c:1201\n neigh_event_send include/net/neighbour.h:470 [inline]\n neigh_managed_work+0x162/0x250 net/core/neighbour.c:1574\n process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307\n worker_thread+0x657/0x1110 kernel/workqueue.c:2454\n kthread+0x2e9/0x3a0 kernel/kthread.c:377\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n \u003c/TASK\u003e",
"id": "GHSA-6j4r-jvg8-v6gc",
"modified": "2024-09-18T18:30:49Z",
"published": "2024-06-20T12:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48719"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/203a35ebb49cdce377416b0690215d3ce090d364"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4a81f6da9cb2d1ef911131a6fd8bd15cb61fc772"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6JQP-MM8H-JJGV
Vulnerability from github – Published: 2024-04-04 09:30 – Updated: 2025-01-07 18:30In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix possible deadlock in subflow diag
Syzbot and Eric reported a lockdep splat in the subflow diag:
WARNING: possible circular locking dependency detected 6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted
syz-executor.2/24141 is trying to acquire lock: ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline] ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137
but task is already holding lock: ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&h->lhash2[i].lock){+.+.}-{2:2}: lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] __inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743 inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261 __inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217 inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239 rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316 rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577 ops_init+0x352/0x610 net/core/net_namespace.c:136 __register_pernet_operations net/core/net_namespace.c:1214 [inline] register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283 register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370 rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735 do_one_initcall+0x238/0x830 init/main.c:1236 do_initcall_level+0x157/0x210 init/main.c:1298 do_initcalls+0x3f/0x80 init/main.c:1314 kernel_init_freeable+0x42f/0x5d0 init/main.c:1551 kernel_init+0x1d/0x2a0 init/main.c:1441 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
-> #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}: check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754 lock_sock_fast include/net/sock.h:1723 [inline] subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28 tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline] tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137 inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345 inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061 __inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263 inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371 netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264 __netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370 netlink_dump_start include/linux/netlink.h:338 [inline] inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405 sock_diag_rcv_msg+0xe7/0x410 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 _syssendmsg+0x525/0x7d0 net/socket.c:2584 _sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77
As noted by Eric we can break the lock dependency chain avoid dumping ---truncated---
{
"affected": [],
"aliases": [
"CVE-2024-26781"
],
"database_specific": {
"cwe_ids": [
"CWE-667"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-04T09:15:07Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix possible deadlock in subflow diag\n\nSyzbot and Eric reported a lockdep splat in the subflow diag:\n\n WARNING: possible circular locking dependency detected\n 6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted\n\n syz-executor.2/24141 is trying to acquire lock:\n ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n\n but task is already holding lock:\n ffffc9000135e488 (\u0026h-\u003elhash2[i].lock){+.+.}-{2:2}, at: spin_lock\n include/linux/spinlock.h:351 [inline]\n ffffc9000135e488 (\u0026h-\u003elhash2[i].lock){+.+.}-{2:2}, at:\n inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -\u003e #1 (\u0026h-\u003elhash2[i].lock){+.+.}-{2:2}:\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]\n _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154\n spin_lock include/linux/spinlock.h:351 [inline]\n __inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743\n inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261\n __inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217\n inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239\n rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316\n rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577\n ops_init+0x352/0x610 net/core/net_namespace.c:136\n __register_pernet_operations net/core/net_namespace.c:1214 [inline]\n register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283\n register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370\n rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735\n do_one_initcall+0x238/0x830 init/main.c:1236\n do_initcall_level+0x157/0x210 init/main.c:1298\n do_initcalls+0x3f/0x80 init/main.c:1314\n kernel_init_freeable+0x42f/0x5d0 init/main.c:1551\n kernel_init+0x1d/0x2a0 init/main.c:1441\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n\n -\u003e #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n lock_sock_fast include/net/sock.h:1723 [inline]\n subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28\n tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345\n inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061\n __inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263\n inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371\n netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264\n __netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370\n netlink_dump_start include/linux/netlink.h:338 [inline]\n inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405\n sock_diag_rcv_msg+0xe7/0x410\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nAs noted by Eric we can break the lock dependency chain avoid\ndumping \n---truncated---",
"id": "GHSA-6jqp-mm8h-jjgv",
"modified": "2025-01-07T18:30:40Z",
"published": "2024-04-04T09:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26781"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/70e5b013538d5e4cb421afed431a5fcd2a5d49ee"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cc32ba2fdf3f8b136619fff551f166ba51ec856d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d487e7ba1bc7444d5f062c4930ef8436c47c7e63"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d6a9608af9a75d13243d217f6ce1e30e57d56ffe"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f27d319df055629480b84b9288a502337b6f2a2e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fa8c776f4c323a9fbc8ddf25edcb962083391430"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6M8X-CVMH-FPWM
Vulnerability from github – Published: 2025-04-01 18:30 – Updated: 2025-04-15 18:31In the Linux kernel, the following vulnerability has been resolved:
NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback
Add PF_KCOMPACTD flag and current_is_kcompactd() helper to check for it so nfs_release_folio() can skip calling nfs_wb_folio() from kcompactd.
Otherwise NFS can deadlock waiting for kcompactd enduced writeback which recurses back to NFS (which triggers writeback to NFSD via NFS loopback mount on the same host, NFSD blocks waiting for XFS's call to __filemap_get_folio):
6070.550357] INFO: task kcompactd0:58 blocked for more than 4435 seconds.
{--- [58] "kcompactd0" [<0>] folio_wait_bit+0xe8/0x200 [<0>] folio_wait_writeback+0x2b/0x80 [<0>] nfs_wb_folio+0x80/0x1b0 [nfs] [<0>] nfs_release_folio+0x68/0x130 [nfs] [<0>] split_huge_page_to_list_to_order+0x362/0x840 [<0>] migrate_pages_batch+0x43d/0xb90 [<0>] migrate_pages_sync+0x9a/0x240 [<0>] migrate_pages+0x93c/0x9f0 [<0>] compact_zone+0x8e2/0x1030 [<0>] compact_node+0xdb/0x120 [<0>] kcompactd+0x121/0x2e0 [<0>] kthread+0xcf/0x100 [<0>] ret_from_fork+0x31/0x40 [<0>] ret_from_fork_asm+0x1a/0x30 ---}
[akpm@linux-foundation.org: fix build]
{
"affected": [],
"aliases": [
"CVE-2025-21908"
],
"database_specific": {
"cwe_ids": [
"CWE-667"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T16:15:21Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: fix nfs_release_folio() to not deadlock via kcompactd writeback\n\nAdd PF_KCOMPACTD flag and current_is_kcompactd() helper to check for it so\nnfs_release_folio() can skip calling nfs_wb_folio() from kcompactd.\n\nOtherwise NFS can deadlock waiting for kcompactd enduced writeback which\nrecurses back to NFS (which triggers writeback to NFSD via NFS loopback\nmount on the same host, NFSD blocks waiting for XFS\u0027s call to\n__filemap_get_folio):\n\n6070.550357] INFO: task kcompactd0:58 blocked for more than 4435 seconds.\n\n{---\n[58] \"kcompactd0\"\n[\u003c0\u003e] folio_wait_bit+0xe8/0x200\n[\u003c0\u003e] folio_wait_writeback+0x2b/0x80\n[\u003c0\u003e] nfs_wb_folio+0x80/0x1b0 [nfs]\n[\u003c0\u003e] nfs_release_folio+0x68/0x130 [nfs]\n[\u003c0\u003e] split_huge_page_to_list_to_order+0x362/0x840\n[\u003c0\u003e] migrate_pages_batch+0x43d/0xb90\n[\u003c0\u003e] migrate_pages_sync+0x9a/0x240\n[\u003c0\u003e] migrate_pages+0x93c/0x9f0\n[\u003c0\u003e] compact_zone+0x8e2/0x1030\n[\u003c0\u003e] compact_node+0xdb/0x120\n[\u003c0\u003e] kcompactd+0x121/0x2e0\n[\u003c0\u003e] kthread+0xcf/0x100\n[\u003c0\u003e] ret_from_fork+0x31/0x40\n[\u003c0\u003e] ret_from_fork_asm+0x1a/0x30\n---}\n\n[akpm@linux-foundation.org: fix build]",
"id": "GHSA-6m8x-cvmh-fpwm",
"modified": "2025-04-15T18:31:42Z",
"published": "2025-04-01T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21908"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5ae31c54cff745832b9bd5b32e71f3d1b607cd1e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8253ff29edcb429a9a6c75710941c6a16a9a34b1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ab0727d6e2196682351c25c1dd112136f6991f11"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ce6d9c1c2b5cc785016faa11b48b6cd317eb367e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6MFJ-59WV-V5JX
Vulnerability from github – Published: 2025-01-11 15:30 – Updated: 2025-01-16 15:32In the Linux kernel, the following vulnerability has been resolved:
block: Prevent potential deadlocks in zone write plug error recovery
Zone write plugging for handling writes to zones of a zoned block device always execute a zone report whenever a write BIO to a zone fails. The intent of this is to ensure that the tracking of a zone write pointer is always correct to ensure that the alignment to a zone write pointer of write BIOs can be checked on submission and that we can always correctly emulate zone append operations using regular write BIOs.
However, this error recovery scheme introduces a potential deadlock if a device queue freeze is initiated while BIOs are still plugged in a zone write plug and one of these write operation fails. In such case, the disk zone write plug error recovery work is scheduled and executes a report zone. This in turn can result in a request allocation in the underlying driver to issue the report zones command to the device. But with the device queue freeze already started, this allocation will block, preventing the report zone execution and the continuation of the processing of the plugged BIOs. As plugged BIOs hold a queue usage reference, the queue freeze itself will never complete, resulting in a deadlock.
Avoid this problem by completely removing from the zone write plugging code the use of report zones operations after a failed write operation, instead relying on the device user to either execute a report zones, reset the zone, finish the zone, or give up writing to the device (which is a fairly common pattern for file systems which degrade to read-only after write failures). This is not an unreasonnable requirement as all well-behaved applications, FSes and device mapper already use report zones to recover from write errors whenever possible by comparing the current position of a zone write pointer with what their assumption about the position is.
The changes to remove the automatic error recovery are as follows: - Completely remove the error recovery work and its associated resources (zone write plug list head, disk error list, and disk zone_wplugs_work work struct). This also removes the functions disk_zone_wplug_set_error() and disk_zone_wplug_clear_error().
-
Change the BLK_ZONE_WPLUG_ERROR zone write plug flag into BLK_ZONE_WPLUG_NEED_WP_UPDATE. This new flag is set for a zone write plug whenever a write opration targetting the zone of the zone write plug fails. This flag indicates that the zone write pointer offset is not reliable and that it must be updated when the next report zone, reset zone, finish zone or disk revalidation is executed.
-
Modify blk_zone_write_plug_bio_endio() to set the BLK_ZONE_WPLUG_NEED_WP_UPDATE flag for the target zone of a failed write BIO.
-
Modify the function disk_zone_wplug_set_wp_offset() to clear this new flag, thus implementing recovery of a correct write pointer offset with the reset (all) zone and finish zone operations.
-
Modify blkdev_report_zones() to always use the disk_report_zones_cb() callback so that disk_zone_wplug_sync_wp_offset() can be called for any zone marked with the BLK_ZONE_WPLUG_NEED_WP_UPDATE flag. This implements recovery of a correct write pointer offset for zone write plugs marked with BLK_ZONE_WPLUG_NEED_WP_UPDATE and within the range of the report zones operation executed by the user.
-
Modify blk_revalidate_seq_zone() to call disk_zone_wplug_sync_wp_offset() for all sequential write required zones when a zoned block device is revalidated, thus always resolving any inconsistency between the write pointer offset of zone write plugs and the actual write pointer position of sequential zones.
{
"affected": [],
"aliases": [
"CVE-2024-55642"
],
"database_specific": {
"cwe_ids": [
"CWE-667"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-11T13:15:27Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Prevent potential deadlocks in zone write plug error recovery\n\nZone write plugging for handling writes to zones of a zoned block\ndevice always execute a zone report whenever a write BIO to a zone\nfails. The intent of this is to ensure that the tracking of a zone write\npointer is always correct to ensure that the alignment to a zone write\npointer of write BIOs can be checked on submission and that we can\nalways correctly emulate zone append operations using regular write\nBIOs.\n\nHowever, this error recovery scheme introduces a potential deadlock if a\ndevice queue freeze is initiated while BIOs are still plugged in a zone\nwrite plug and one of these write operation fails. In such case, the\ndisk zone write plug error recovery work is scheduled and executes a\nreport zone. This in turn can result in a request allocation in the\nunderlying driver to issue the report zones command to the device. But\nwith the device queue freeze already started, this allocation will\nblock, preventing the report zone execution and the continuation of the\nprocessing of the plugged BIOs. As plugged BIOs hold a queue usage\nreference, the queue freeze itself will never complete, resulting in a\ndeadlock.\n\nAvoid this problem by completely removing from the zone write plugging\ncode the use of report zones operations after a failed write operation,\ninstead relying on the device user to either execute a report zones,\nreset the zone, finish the zone, or give up writing to the device (which\nis a fairly common pattern for file systems which degrade to read-only\nafter write failures). This is not an unreasonnable requirement as all\nwell-behaved applications, FSes and device mapper already use report\nzones to recover from write errors whenever possible by comparing the\ncurrent position of a zone write pointer with what their assumption\nabout the position is.\n\nThe changes to remove the automatic error recovery are as follows:\n - Completely remove the error recovery work and its associated\n resources (zone write plug list head, disk error list, and disk\n zone_wplugs_work work struct). This also removes the functions\n disk_zone_wplug_set_error() and disk_zone_wplug_clear_error().\n\n - Change the BLK_ZONE_WPLUG_ERROR zone write plug flag into\n BLK_ZONE_WPLUG_NEED_WP_UPDATE. This new flag is set for a zone write\n plug whenever a write opration targetting the zone of the zone write\n plug fails. This flag indicates that the zone write pointer offset is\n not reliable and that it must be updated when the next report zone,\n reset zone, finish zone or disk revalidation is executed.\n\n - Modify blk_zone_write_plug_bio_endio() to set the\n BLK_ZONE_WPLUG_NEED_WP_UPDATE flag for the target zone of a failed\n write BIO.\n\n - Modify the function disk_zone_wplug_set_wp_offset() to clear this\n new flag, thus implementing recovery of a correct write pointer\n offset with the reset (all) zone and finish zone operations.\n\n - Modify blkdev_report_zones() to always use the disk_report_zones_cb()\n callback so that disk_zone_wplug_sync_wp_offset() can be called for\n any zone marked with the BLK_ZONE_WPLUG_NEED_WP_UPDATE flag.\n This implements recovery of a correct write pointer offset for zone\n write plugs marked with BLK_ZONE_WPLUG_NEED_WP_UPDATE and within\n the range of the report zones operation executed by the user.\n\n - Modify blk_revalidate_seq_zone() to call\n disk_zone_wplug_sync_wp_offset() for all sequential write required\n zones when a zoned block device is revalidated, thus always resolving\n any inconsistency between the write pointer offset of zone write\n plugs and the actual write pointer position of sequential zones.",
"id": "GHSA-6mfj-59wv-v5jx",
"modified": "2025-01-16T15:32:09Z",
"published": "2025-01-11T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55642"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7fa80134cf266325fa61139320091001c9b3c477"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fe0418eb9bd69a19a948b297c8de815e05f3cde1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6MVR-5CH7-JJJQ
Vulnerability from github – Published: 2026-02-14 15:32 – Updated: 2026-03-17 21:31In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix dead lock while flushing management frames
Commit [1] converted the management transmission work item into a wiphy work. Since a wiphy work can only run under wiphy lock protection, a race condition happens in below scenario:
- a management frame is queued for transmission.
- ath12k_mac_op_flush() gets called to flush pending frames associated with the hardware (i.e, vif being NULL). Then in ath12k_mac_flush() the process waits for the transmission done.
- Since wiphy lock has been taken by the flush process, the transmission work item has no chance to run, hence the dead lock.
From user view, this dead lock results in below issue:
wlp8s0: authenticate with xxxxxx (local address=xxxxxx) wlp8s0: send auth to xxxxxx (try 1/3) wlp8s0: authenticate with xxxxxx (local address=xxxxxx) wlp8s0: send auth to xxxxxx (try 1/3) wlp8s0: authenticated wlp8s0: associate with xxxxxx (try 1/3) wlp8s0: aborting association with xxxxxx by local choice (Reason: 3=DEAUTH_LEAVING) ath12k_pci 0000:08:00.0: failed to flush mgmt transmit queue, mgmt pkts pending 1
The dead lock can be avoided by invoking wiphy_work_flush() to proactively run the queued work item. Note actually it is already present in ath12k_mac_op_flush(), however it does not protect the case where vif being NULL. Hence move it ahead to cover this case as well.
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
{
"affected": [],
"aliases": [
"CVE-2026-23130"
],
"database_specific": {
"cwe_ids": [
"CWE-667"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-14T15:16:08Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix dead lock while flushing management frames\n\nCommit [1] converted the management transmission work item into a\nwiphy work. Since a wiphy work can only run under wiphy lock\nprotection, a race condition happens in below scenario:\n\n1. a management frame is queued for transmission.\n2. ath12k_mac_op_flush() gets called to flush pending frames associated\n with the hardware (i.e, vif being NULL). Then in ath12k_mac_flush()\n the process waits for the transmission done.\n3. Since wiphy lock has been taken by the flush process, the transmission\n work item has no chance to run, hence the dead lock.\n\n\u003eFrom user view, this dead lock results in below issue:\n\n wlp8s0: authenticate with xxxxxx (local address=xxxxxx)\n wlp8s0: send auth to xxxxxx (try 1/3)\n wlp8s0: authenticate with xxxxxx (local address=xxxxxx)\n wlp8s0: send auth to xxxxxx (try 1/3)\n wlp8s0: authenticated\n wlp8s0: associate with xxxxxx (try 1/3)\n wlp8s0: aborting association with xxxxxx by local choice (Reason: 3=DEAUTH_LEAVING)\n ath12k_pci 0000:08:00.0: failed to flush mgmt transmit queue, mgmt pkts pending 1\n\nThe dead lock can be avoided by invoking wiphy_work_flush() to proactively\nrun the queued work item. Note actually it is already present in\nath12k_mac_op_flush(), however it does not protect the case where vif\nbeing NULL. Hence move it ahead to cover this case as well.\n\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3",
"id": "GHSA-6mvr-5ch7-jjjq",
"modified": "2026-03-17T21:31:41Z",
"published": "2026-02-14T15:32:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23130"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/06ac2aa13f701a0296e92f5f54ae24224d426b28"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f88e9fc30a261d63946ddc6cc6a33405e6aa27c3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Libraries or Frameworks
Use industry standard APIs to implement locking mechanism.
CAPEC-25: Forced Deadlock
The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-27: Leveraging Race Conditions via Symbolic Links
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.