Common Weakness Enumeration

CWE-667

Allowed-with-Review

Improper Locking

Abstraction: Class · Status: Draft

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

692 vulnerabilities reference this CWE, most recent first.

GHSA-WVMF-V9M3-RVRR

Vulnerability from github – Published: 2026-04-27 18:32 – Updated: 2026-05-06 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

gpio: omap: do not register driver in probe()

Commit 11a78b794496 ("ARM: OMAP: MPUIO wake updates") registers the omap_mpuio_driver from omap_mpuio_init(), which is called from omap_gpio_probe().

However, it neither makes sense to register drivers from probe() callbacks of other drivers, nor does the driver core allow registering drivers with a device lock already being held.

The latter was revealed by commit dc23806a7c47 ("driver core: enforce device_lock for driver_match_device()") leading to a potential deadlock condition described in [1].

Additionally, the omap_mpuio_driver is never unregistered from the driver core, even if the module is unloaded.

Hence, register the omap_mpuio_driver from the module initcall and unregister it in module_exit().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-27T18:16:54Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: omap: do not register driver in probe()\n\nCommit 11a78b794496 (\"ARM: OMAP: MPUIO wake updates\") registers the\nomap_mpuio_driver from omap_mpuio_init(), which is called from\nomap_gpio_probe().\n\nHowever, it neither makes sense to register drivers from probe()\ncallbacks of other drivers, nor does the driver core allow registering\ndrivers with a device lock already being held.\n\nThe latter was revealed by commit dc23806a7c47 (\"driver core: enforce\ndevice_lock for driver_match_device()\") leading to a potential deadlock\ncondition described in [1].\n\nAdditionally, the omap_mpuio_driver is never unregistered from the\ndriver core, even if the module is unloaded.\n\nHence, register the omap_mpuio_driver from the module initcall and\nunregister it in module_exit().",
  "id": "GHSA-wvmf-v9m3-rvrr",
  "modified": "2026-05-06T21:31:30Z",
  "published": "2026-04-27T18:32:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31687"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/03db4dc9ad6eb91e640b517e00373ce877682854"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1c04c3a4de8d4bcb9202f94c44f26c57c2572308"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2211d77892913804d16c28c7415b82804ab1e54c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/32f08c3ddd6dda6cbb6c9d715de10f21dccde50f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/53a76425e0764421ba93bb9045d2e454667d5687"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/57bcd3feffa79544c73a1a1872472389a391cc79"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/673dafb9a86349a12a93151fd467625614dc7e12"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/730e5ebff40c852e3ea57b71bf02a4b89c69435f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/86588916e1887a5edb8a9161cd7ae81e47a7ed25"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a29215961d833f4de33a09c3964d31ebc6083033"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a7fa9460b86f810913b6779461d0448e7c11214c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WW57-48HQ-5W83

Vulnerability from github – Published: 2024-09-11 18:31 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

i2c: tegra: Do not mark ACPI devices as irq safe

On ACPI machines, the tegra i2c module encounters an issue due to a mutex being called inside a spinlock. This leads to the following bug:

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585
...

Call trace:
__might_sleep
__mutex_lock_common
mutex_lock_nested
acpi_subsys_runtime_resume
rpm_resume
tegra_i2c_xfer

The problem arises because during __pm_runtime_resume(), the spinlock &dev->power.lock is acquired before rpm_resume() is called. Later, rpm_resume() invokes acpi_subsys_runtime_resume(), which relies on mutexes, triggering the error.

To address this issue, devices on ACPI are now marked as not IRQ-safe, considering the dependency of acpi_subsys_runtime_resume() on mutexes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45029"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-11T16:15:07Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: tegra: Do not mark ACPI devices as irq safe\n\nOn ACPI machines, the tegra i2c module encounters an issue due to a\nmutex being called inside a spinlock. This leads to the following bug:\n\n\tBUG: sleeping function called from invalid context at kernel/locking/mutex.c:585\n\t...\n\n\tCall trace:\n\t__might_sleep\n\t__mutex_lock_common\n\tmutex_lock_nested\n\tacpi_subsys_runtime_resume\n\trpm_resume\n\ttegra_i2c_xfer\n\nThe problem arises because during __pm_runtime_resume(), the spinlock\n\u0026dev-\u003epower.lock is acquired before rpm_resume() is called. Later,\nrpm_resume() invokes acpi_subsys_runtime_resume(), which relies on\nmutexes, triggering the error.\n\nTo address this issue, devices on ACPI are now marked as not IRQ-safe,\nconsidering the dependency of acpi_subsys_runtime_resume() on mutexes.",
  "id": "GHSA-ww57-48hq-5w83",
  "modified": "2025-11-04T00:31:23Z",
  "published": "2024-09-11T18:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45029"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/14d069d92951a3e150c0a81f2ca3b93e54da913b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2853e1376d8161b04c9ff18ba82b43f08a049905"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6861faf4232e4b78878f2de1ed3ee324ddae2287"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a89aef1e6cc43fa019a58080ed05c839e6c77876"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WW84-GXQ7-G6HV

Vulnerability from github – Published: 2025-01-11 15:30 – Updated: 2025-01-16 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: iso: Fix circular lock in iso_conn_big_sync

This fixes the circular locking dependency warning below, by reworking iso_sock_recvmsg, to ensure that the socket lock is always released before calling a function that locks hdev.

[ 561.670344] ====================================================== [ 561.670346] WARNING: possible circular locking dependency detected [ 561.670349] 6.12.0-rc6+ #26 Not tainted [ 561.670351] ------------------------------------------------------ [ 561.670353] iso-tester/3289 is trying to acquire lock: [ 561.670355] ffff88811f600078 (&hdev->lock){+.+.}-{3:3}, at: iso_conn_big_sync+0x73/0x260 [bluetooth] [ 561.670405] but task is already holding lock: [ 561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: iso_sock_recvmsg+0xbf/0x500 [bluetooth] [ 561.670450] which lock already depends on the new lock.

[ 561.670452] the existing dependency chain (in reverse order) is: [ 561.670453] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}: [ 561.670458] lock_acquire+0x7c/0xc0 [ 561.670463] lock_sock_nested+0x3b/0xf0 [ 561.670467] bt_accept_dequeue+0x1a5/0x4d0 [bluetooth] [ 561.670510] iso_sock_accept+0x271/0x830 [bluetooth] [ 561.670547] do_accept+0x3dd/0x610 [ 561.670550] __sys_accept4+0xd8/0x170 [ 561.670553] __x64_sys_accept+0x74/0xc0 [ 561.670556] x64_sys_call+0x17d6/0x25f0 [ 561.670559] do_syscall_64+0x87/0x150 [ 561.670563] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670567] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}: [ 561.670571] lock_acquire+0x7c/0xc0 [ 561.670574] lock_sock_nested+0x3b/0xf0 [ 561.670577] iso_sock_listen+0x2de/0xf30 [bluetooth] [ 561.670617] __sys_listen_socket+0xef/0x130 [ 561.670620] __x64_sys_listen+0xe1/0x190 [ 561.670623] x64_sys_call+0x2517/0x25f0 [ 561.670626] do_syscall_64+0x87/0x150 [ 561.670629] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670632] -> #0 (&hdev->lock){+.+.}-{3:3}: [ 561.670636] __lock_acquire+0x32ad/0x6ab0 [ 561.670639] lock_acquire.part.0+0x118/0x360 [ 561.670642] lock_acquire+0x7c/0xc0 [ 561.670644] __mutex_lock+0x18d/0x12f0 [ 561.670647] mutex_lock_nested+0x1b/0x30 [ 561.670651] iso_conn_big_sync+0x73/0x260 [bluetooth] [ 561.670687] iso_sock_recvmsg+0x3e9/0x500 [bluetooth] [ 561.670722] sock_recvmsg+0x1d5/0x240 [ 561.670725] sock_read_iter+0x27d/0x470 [ 561.670727] vfs_read+0x9a0/0xd30 [ 561.670731] ksys_read+0x1a8/0x250 [ 561.670733] __x64_sys_read+0x72/0xc0 [ 561.670736] x64_sys_call+0x1b12/0x25f0 [ 561.670738] do_syscall_64+0x87/0x150 [ 561.670741] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 561.670744] other info that might help us debug this:

[ 561.670745] Chain exists of: &hdev->lock --> sk_lock-AF_BLUETOOTH-BTPROTO_ISO --> sk_lock-AF_BLUETOOTH

[ 561.670751] Possible unsafe locking scenario:

[ 561.670753] CPU0 CPU1 [ 561.670754] ---- ---- [ 561.670756] lock(sk_lock-AF_BLUETOOTH); [ 561.670758] lock(sk_lock AF_BLUETOOTH-BTPROTO_ISO); [ 561.670761] lock(sk_lock-AF_BLUETOOTH); [ 561.670764] lock(&hdev->lock); [ 561.670767] *** DEADLOCK ***

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54191"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-11T13:15:26Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: iso: Fix circular lock in iso_conn_big_sync\n\nThis fixes the circular locking dependency warning below, by reworking\niso_sock_recvmsg, to ensure that the socket lock is always released\nbefore calling a function that locks hdev.\n\n[  561.670344] ======================================================\n[  561.670346] WARNING: possible circular locking dependency detected\n[  561.670349] 6.12.0-rc6+ #26 Not tainted\n[  561.670351] ------------------------------------------------------\n[  561.670353] iso-tester/3289 is trying to acquire lock:\n[  561.670355] ffff88811f600078 (\u0026hdev-\u003elock){+.+.}-{3:3},\n               at: iso_conn_big_sync+0x73/0x260 [bluetooth]\n[  561.670405]\n               but task is already holding lock:\n[  561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0},\n               at: iso_sock_recvmsg+0xbf/0x500 [bluetooth]\n[  561.670450]\n               which lock already depends on the new lock.\n\n[  561.670452]\n               the existing dependency chain (in reverse order) is:\n[  561.670453]\n               -\u003e #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:\n[  561.670458]        lock_acquire+0x7c/0xc0\n[  561.670463]        lock_sock_nested+0x3b/0xf0\n[  561.670467]        bt_accept_dequeue+0x1a5/0x4d0 [bluetooth]\n[  561.670510]        iso_sock_accept+0x271/0x830 [bluetooth]\n[  561.670547]        do_accept+0x3dd/0x610\n[  561.670550]        __sys_accept4+0xd8/0x170\n[  561.670553]        __x64_sys_accept+0x74/0xc0\n[  561.670556]        x64_sys_call+0x17d6/0x25f0\n[  561.670559]        do_syscall_64+0x87/0x150\n[  561.670563]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  561.670567]\n               -\u003e #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}:\n[  561.670571]        lock_acquire+0x7c/0xc0\n[  561.670574]        lock_sock_nested+0x3b/0xf0\n[  561.670577]        iso_sock_listen+0x2de/0xf30 [bluetooth]\n[  561.670617]        __sys_listen_socket+0xef/0x130\n[  561.670620]        __x64_sys_listen+0xe1/0x190\n[  561.670623]        x64_sys_call+0x2517/0x25f0\n[  561.670626]        do_syscall_64+0x87/0x150\n[  561.670629]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  561.670632]\n               -\u003e #0 (\u0026hdev-\u003elock){+.+.}-{3:3}:\n[  561.670636]        __lock_acquire+0x32ad/0x6ab0\n[  561.670639]        lock_acquire.part.0+0x118/0x360\n[  561.670642]        lock_acquire+0x7c/0xc0\n[  561.670644]        __mutex_lock+0x18d/0x12f0\n[  561.670647]        mutex_lock_nested+0x1b/0x30\n[  561.670651]        iso_conn_big_sync+0x73/0x260 [bluetooth]\n[  561.670687]        iso_sock_recvmsg+0x3e9/0x500 [bluetooth]\n[  561.670722]        sock_recvmsg+0x1d5/0x240\n[  561.670725]        sock_read_iter+0x27d/0x470\n[  561.670727]        vfs_read+0x9a0/0xd30\n[  561.670731]        ksys_read+0x1a8/0x250\n[  561.670733]        __x64_sys_read+0x72/0xc0\n[  561.670736]        x64_sys_call+0x1b12/0x25f0\n[  561.670738]        do_syscall_64+0x87/0x150\n[  561.670741]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  561.670744]\n               other info that might help us debug this:\n\n[  561.670745] Chain exists of:\n\u0026hdev-\u003elock --\u003e sk_lock-AF_BLUETOOTH-BTPROTO_ISO --\u003e sk_lock-AF_BLUETOOTH\n\n[  561.670751]  Possible unsafe locking scenario:\n\n[  561.670753]        CPU0                    CPU1\n[  561.670754]        ----                    ----\n[  561.670756]   lock(sk_lock-AF_BLUETOOTH);\n[  561.670758]                                lock(sk_lock\n                                              AF_BLUETOOTH-BTPROTO_ISO);\n[  561.670761]                                lock(sk_lock-AF_BLUETOOTH);\n[  561.670764]   lock(\u0026hdev-\u003elock);\n[  561.670767]\n                *** DEADLOCK ***",
  "id": "GHSA-ww84-gxq7-g6hv",
  "modified": "2025-01-16T18:30:59Z",
  "published": "2025-01-11T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54191"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7a17308c17880d259105f6e591eb1bc77b9612f0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cbe640d6cae590b9a7d81ce86fe9a90e83eec1d5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WX95-Q6GV-QPP4

Vulnerability from github – Published: 2024-07-05 09:33 – Updated: 2024-07-08 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING

Xiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with small possibility, the root cause is exactly the same as commit bed9e27baf52 ("Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"")

However, Dan reported another hang after that, and junxiao investigated the problem and found out that this is caused by plugged bio can't issue from raid5d().

Current implementation in raid5d() has a weird dependence:

1) md_check_recovery() from raid5d() must hold 'reconfig_mutex' to clear MD_SB_CHANGE_PENDING; 2) raid5d() handles IO in a deadloop, until all IO are issued; 3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared;

This behaviour is introduce before v2.6, and for consequence, if other context hold 'reconfig_mutex', and md_check_recovery() can't update super_block, then raid5d() will waste one cpu 100% by the deadloop, until 'reconfig_mutex' is released.

Refer to the implementation from raid1 and raid10, fix this problem by skipping issue IO if MD_SB_CHANGE_PENDING is still set after md_check_recovery(), daemon thread will be woken up when 'reconfig_mutex' is released. Meanwhile, the hang problem will be fixed as well.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39476"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-05T07:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING\n\nXiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with\nsmall possibility, the root cause is exactly the same as commit\nbed9e27baf52 (\"Revert \"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\"\")\n\nHowever, Dan reported another hang after that, and junxiao investigated\nthe problem and found out that this is caused by plugged bio can\u0027t issue\nfrom raid5d().\n\nCurrent implementation in raid5d() has a weird dependence:\n\n1) md_check_recovery() from raid5d() must hold \u0027reconfig_mutex\u0027 to clear\n   MD_SB_CHANGE_PENDING;\n2) raid5d() handles IO in a deadloop, until all IO are issued;\n3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared;\n\nThis behaviour is introduce before v2.6, and for consequence, if other\ncontext hold \u0027reconfig_mutex\u0027, and md_check_recovery() can\u0027t update\nsuper_block, then raid5d() will waste one cpu 100% by the deadloop, until\n\u0027reconfig_mutex\u0027 is released.\n\nRefer to the implementation from raid1 and raid10, fix this problem by\nskipping issue IO if MD_SB_CHANGE_PENDING is still set after\nmd_check_recovery(), daemon thread will be woken up when \u0027reconfig_mutex\u0027\nis released. Meanwhile, the hang problem will be fixed as well.",
  "id": "GHSA-wx95-q6gv-qpp4",
  "modified": "2024-07-08T18:31:16Z",
  "published": "2024-07-05T09:33:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39476"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/098d54934814dd876963abfe751c3b1cf7fbe56a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/151f66bb618d1fd0eeb84acb61b4a9fa5d8bb0fa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3f8d5e802d4cedd445f9a89be8c3fd2d0e99024b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/634ba3c97ec413cb10681c7b196db43ee461ecf4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aa64464c8f4d2ab92f6d0b959a1e0767b829d787"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b32aa95843cac6b12c2c014d40fca18aef24a347"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd2538e5af495b3c747e503db346470fc1ffc447"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e332a12f65d8fed8cf63bedb4e9317bb872b9ac7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X244-GJJ6-JC73

Vulnerability from github – Published: 2026-04-03 15:30 – Updated: 2026-04-24 15:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/rds: Fix circular locking dependency in rds_tcp_tune

syzbot reported a circular locking dependency in rds_tcp_tune() where sk_net_refcnt_upgrade() is called while holding the socket lock:

====================================================== WARNING: possible circular locking dependency detected ====================================================== kworker/u10:8/15040 is trying to acquire lock: ffffffff8e9aaf80 (fs_reclaim){+.+.}-{0:0}, at: __kmalloc_cache_noprof+0x4b/0x6f0

but task is already holding lock: ffff88805a3c1ce0 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: rds_tcp_tune+0xd7/0x930

The issue occurs because sk_net_refcnt_upgrade() performs memory allocation (via get_net_track() -> ref_tracker_alloc()) while the socket lock is held, creating a circular dependency with fs_reclaim.

Fix this by moving sk_net_refcnt_upgrade() outside the socket lock critical section. This is safe because the fields modified by the sk_net_refcnt_upgrade() call (sk_net_refcnt, ns_tracker) are not accessed by any concurrent code path at this point.

v2: - Corrected fixes tag - check patch line wrap nits - ai commentary nits

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-03T14:16:27Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: Fix circular locking dependency in rds_tcp_tune\n\nsyzbot reported a circular locking dependency in rds_tcp_tune() where\nsk_net_refcnt_upgrade() is called while holding the socket lock:\n\n======================================================\nWARNING: possible circular locking dependency detected\n======================================================\nkworker/u10:8/15040 is trying to acquire lock:\nffffffff8e9aaf80 (fs_reclaim){+.+.}-{0:0},\nat: __kmalloc_cache_noprof+0x4b/0x6f0\n\nbut task is already holding lock:\nffff88805a3c1ce0 (k-sk_lock-AF_INET6){+.+.}-{0:0},\nat: rds_tcp_tune+0xd7/0x930\n\nThe issue occurs because sk_net_refcnt_upgrade() performs memory\nallocation (via get_net_track() -\u003e ref_tracker_alloc()) while the\nsocket lock is held, creating a circular dependency with fs_reclaim.\n\nFix this by moving sk_net_refcnt_upgrade() outside the socket lock\ncritical section. This is safe because the fields modified by the\nsk_net_refcnt_upgrade() call (sk_net_refcnt, ns_tracker) are not\naccessed by any concurrent code path at this point.\n\nv2:\n  - Corrected fixes tag\n  - check patch line wrap nits\n  - ai commentary nits",
  "id": "GHSA-x244-gjj6-jc73",
  "modified": "2026-04-24T15:32:21Z",
  "published": "2026-04-03T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23419"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/026bbaeeab9e04534ee58882b6447300629b42f6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6a877ececd6daa002a9a0002cd0fbca6592a9244"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6ce948fa54599f369ff7fe8b793a6aae4b0762b2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8519e6883a942e510f33a0e634e27bcc3a844a40"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8babb271403378ba6836f6c8599c5313d0e2355d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X2MC-JWGP-H2FQ

Vulnerability from github – Published: 2024-03-01 00:30 – Updated: 2025-01-09 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mtd: require write permissions for locking and badblock ioctls

MEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require write permission. Depending on the hardware MEMLOCK might even be write-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK is always write-once.

MEMSETBADBLOCK modifies the bad block table.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47055"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-29T23:15:07Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: require write permissions for locking and badblock ioctls\n\nMEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require\nwrite permission. Depending on the hardware MEMLOCK might even be\nwrite-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK\nis always write-once.\n\nMEMSETBADBLOCK modifies the bad block table.",
  "id": "GHSA-x2mc-jwgp-h2fq",
  "modified": "2025-01-09T18:32:06Z",
  "published": "2024-03-01T00:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47055"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/077259f5e777c3c8821f6b41dee709fcda27306b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e97743fd180981bef5f01402342bb54bf1c6366"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5880afefe0cb9b2d5e801816acd58bfe91a96981"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/75ed985bd6c8ac1d4e673e93ea9d96c9908c1d37"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7b6552719c0ccbbea29dde4be141da54fdb5877e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9625b00cac6630479c0ff4b9fafa88bee636e1f0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a08799d3e8c8088640956237c183f83463c39668"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f4d28d8b9b0e7c4ae04214b8d7e0b0466ec6bcaf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f73b29819c6314c0ba8b7d5892dfb03487424bee"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X33W-8476-HWM3

Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-04-28 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: fix circular locking dependency in nci_close_device

nci_close_device() flushes rx_wq and tx_wq while holding req_lock. This causes a circular locking dependency because nci_rx_work() running on rx_wq can end up taking req_lock too:

nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock)

Move the flush of rx_wq after req_lock has been released. This should safe (I think) because NCI_UP has already been cleared and the transport is closed, so the work will see it and return -ENETDOWN.

NIPA has been hitting this running the nci selftest with a debug kernel on roughly 4% of the runs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31509"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-22T14:16:49Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: fix circular locking dependency in nci_close_device\n\nnci_close_device() flushes rx_wq and tx_wq while holding req_lock.\nThis causes a circular locking dependency because nci_rx_work()\nrunning on rx_wq can end up taking req_lock too:\n\n  nci_rx_work -\u003e nci_rx_data_packet -\u003e nci_data_exchange_complete\n    -\u003e __sk_destruct -\u003e rawsock_destruct -\u003e nfc_deactivate_target\n    -\u003e nci_deactivate_target -\u003e nci_request -\u003e mutex_lock(\u0026ndev-\u003ereq_lock)\n\nMove the flush of rx_wq after req_lock has been released.\nThis should safe (I think) because NCI_UP has already been cleared\nand the transport is closed, so the work will see it and return\n-ENETDOWN.\n\nNIPA has been hitting this running the nci selftest with a debug\nkernel on roughly 4% of the runs.",
  "id": "GHSA-x33w-8476-hwm3",
  "modified": "2026-04-28T15:30:47Z",
  "published": "2026-04-22T15:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31509"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/09143c0e8f3b03517e6233aad42f45c794d8df8e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4527025d440ce84bf56e75ce1df2e84cb8178616"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5eef9ebec7f5738f12cadede3545c05b34bf5ac3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7ed00a3edc8597fe2333f524401e2889aa1b5edf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca54e904a071aa65ef3ad46ba42d51aaac6b73b4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d89b74bf08f067b55c03d7f999ba0a0e73177eb3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eb435d150ca74b4d40f77f1a2266f3636ed64a79"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X3R6-6FXJ-5F4R

Vulnerability from github – Published: 2024-12-28 12:30 – Updated: 2025-11-03 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: musb: Fix hardware lockup on first Rx endpoint request

There is a possibility that a request's callback could be invoked from usb_ep_queue() (call trace below, supplemented with missing calls):

req->complete from usb_gadget_giveback_request (drivers/usb/gadget/udc/core.c:999) usb_gadget_giveback_request from musb_g_giveback (drivers/usb/musb/musb_gadget.c:147) musb_g_giveback from rxstate (drivers/usb/musb/musb_gadget.c:784) rxstate from musb_ep_restart (drivers/usb/musb/musb_gadget.c:1169) musb_ep_restart from musb_ep_restart_resume_work (drivers/usb/musb/musb_gadget.c:1176) musb_ep_restart_resume_work from musb_queue_resume_work (drivers/usb/musb/musb_core.c:2279) musb_queue_resume_work from musb_gadget_queue (drivers/usb/musb/musb_gadget.c:1241) musb_gadget_queue from usb_ep_queue (drivers/usb/gadget/udc/core.c:300)

According to the docstring of usb_ep_queue(), this should not happen:

"Note that @req's ->complete() callback must never be called from within usb_ep_queue() as that can create deadlock situations."

In fact, a hardware lockup might occur in the following sequence:

  1. The gadget is initialized using musb_gadget_enable().
  2. Meanwhile, a packet arrives, and the RXPKTRDY flag is set, raising an interrupt.
  3. If IRQs are enabled, the interrupt is handled, but musb_g_rx() finds an empty queue (next_request() returns NULL). The interrupt flag has already been cleared by the glue layer handler, but the RXPKTRDY flag remains set.
  4. The first request is enqueued using usb_ep_queue(), leading to the call of req->complete(), as shown in the call trace above.
  5. If the callback enables IRQs and another packet is waiting, step (3) repeats. The request queue is empty because usb_g_giveback() removes the request before invoking the callback.
  6. The endpoint remains locked up, as the interrupt triggered by hardware setting the RXPKTRDY flag has been handled, but the flag itself remains set.

For this scenario to occur, it is only necessary for IRQs to be enabled at some point during the complete callback. This happens with the USB Ethernet gadget, whose rx_complete() callback calls netif_rx(). If called in the task context, netif_rx() disables the bottom halves (BHs). When the BHs are re-enabled, IRQs are also enabled to allow soft IRQs to be processed. The gadget itself is initialized at module load (or at boot if built-in), but the first request is enqueued when the network interface is brought up, triggering rx_complete() in the task context via ioctl(). If a packet arrives while the interface is down, it can prevent the interface from receiving any further packets from the USB host.

The situation is quite complicated with many parties involved. This particular issue can be resolved in several possible ways:

  1. Ensure that callbacks never enable IRQs. This would be difficult to enforce, as discovering how netif_rx() interacts with interrupts was already quite challenging and u_ether is not the only function driver. Similar "bugs" could be hidden in other drivers as well.
  2. Disable MUSB interrupts in musb_g_giveback() before calling the callback and re-enable them afterwars (by calling musb_{dis,en}able_interrupts(), for example). This would ensure that MUSB interrupts are not handled during the callback, even if IRQs are enabled. In fact, it would allow IRQs to be enabled when releasing the lock. However, this feels like an inelegant hack.
  3. Modify the interrupt handler to clear the RXPKTRDY flag if the request queue is empty. While this approach also feels like a hack, it wastes CPU time by attempting to handle incoming packets when the software is not ready to process them.
  4. Flush the Rx FIFO instead of calling rxstate() in musb_ep_restart(). This ensures that the hardware can receive packets when there is at least one request in the queue. Once I ---truncated---
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-28T10:15:12Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: musb: Fix hardware lockup on first Rx endpoint request\n\nThere is a possibility that a request\u0027s callback could be invoked from\nusb_ep_queue() (call trace below, supplemented with missing calls):\n\nreq-\u003ecomplete from usb_gadget_giveback_request\n\t(drivers/usb/gadget/udc/core.c:999)\nusb_gadget_giveback_request from musb_g_giveback\n\t(drivers/usb/musb/musb_gadget.c:147)\nmusb_g_giveback from rxstate\n\t(drivers/usb/musb/musb_gadget.c:784)\nrxstate from musb_ep_restart\n\t(drivers/usb/musb/musb_gadget.c:1169)\nmusb_ep_restart from musb_ep_restart_resume_work\n\t(drivers/usb/musb/musb_gadget.c:1176)\nmusb_ep_restart_resume_work from musb_queue_resume_work\n\t(drivers/usb/musb/musb_core.c:2279)\nmusb_queue_resume_work from musb_gadget_queue\n\t(drivers/usb/musb/musb_gadget.c:1241)\nmusb_gadget_queue from usb_ep_queue\n\t(drivers/usb/gadget/udc/core.c:300)\n\nAccording to the docstring of usb_ep_queue(), this should not happen:\n\n\"Note that @req\u0027s -\u003ecomplete() callback must never be called from within\nusb_ep_queue() as that can create deadlock situations.\"\n\nIn fact, a hardware lockup might occur in the following sequence:\n\n1. The gadget is initialized using musb_gadget_enable().\n2. Meanwhile, a packet arrives, and the RXPKTRDY flag is set, raising an\n   interrupt.\n3. If IRQs are enabled, the interrupt is handled, but musb_g_rx() finds an\n   empty queue (next_request() returns NULL). The interrupt flag has\n   already been cleared by the glue layer handler, but the RXPKTRDY flag\n   remains set.\n4. The first request is enqueued using usb_ep_queue(), leading to the call\n   of req-\u003ecomplete(), as shown in the call trace above.\n5. If the callback enables IRQs and another packet is waiting, step (3)\n   repeats. The request queue is empty because usb_g_giveback() removes the\n   request before invoking the callback.\n6. The endpoint remains locked up, as the interrupt triggered by hardware\n   setting the RXPKTRDY flag has been handled, but the flag itself remains\n   set.\n\nFor this scenario to occur, it is only necessary for IRQs to be enabled at\nsome point during the complete callback. This happens with the USB Ethernet\ngadget, whose rx_complete() callback calls netif_rx(). If called in the\ntask context, netif_rx() disables the bottom halves (BHs). When the BHs are\nre-enabled, IRQs are also enabled to allow soft IRQs to be processed. The\ngadget itself is initialized at module load (or at boot if built-in), but\nthe first request is enqueued when the network interface is brought up,\ntriggering rx_complete() in the task context via ioctl(). If a packet\narrives while the interface is down, it can prevent the interface from\nreceiving any further packets from the USB host.\n\nThe situation is quite complicated with many parties involved. This\nparticular issue can be resolved in several possible ways:\n\n1. Ensure that callbacks never enable IRQs. This would be difficult to\n   enforce, as discovering how netif_rx() interacts with interrupts was\n   already quite challenging and u_ether is not the only function driver.\n   Similar \"bugs\" could be hidden in other drivers as well.\n2. Disable MUSB interrupts in musb_g_giveback() before calling the callback\n   and re-enable them afterwars (by calling musb_{dis,en}able_interrupts(),\n   for example). This would ensure that MUSB interrupts are not handled\n   during the callback, even if IRQs are enabled. In fact, it would allow\n   IRQs to be enabled when releasing the lock. However, this feels like an\n   inelegant hack.\n3. Modify the interrupt handler to clear the RXPKTRDY flag if the request\n   queue is empty. While this approach also feels like a hack, it wastes\n   CPU time by attempting to handle incoming packets when the software is\n   not ready to process them.\n4. Flush the Rx FIFO instead of calling rxstate() in musb_ep_restart().\n   This ensures that the hardware can receive packets when there is at\n   least one request in the queue. Once I\n---truncated---",
  "id": "GHSA-x3r6-6fxj-5f4r",
  "modified": "2025-11-03T21:32:01Z",
  "published": "2024-12-28T12:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56687"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0c89445e6d475b78d37b64ae520831cd43af7db4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3fc137386c4620305bbc2a216868c53f9245670a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5906ee3693674d734177df13a519a21bb03f730d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c749500b28cae67410792096133ee7f282439c51"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f05ad9755bb294328c3d0f429164ac6d4d08c548"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X3XP-7X67-4CX9

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-05 17:48
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

PM: hibernate: Avoid deadlock in hibernate_compressor_param_set()

syzbot reported a deadlock in lock_system_sleep() (see below).

The write operation to "/sys/module/hibernate/parameters/compressor" conflicts with the registration of ieee80211 device, resulting in a deadlock when attempting to acquire system_transition_mutex under param_lock.

To avoid this deadlock, change hibernate_compressor_param_set() to use mutex_trylock() for attempting to acquire system_transition_mutex and return -EBUSY when it fails.

Task flags need not be saved or adjusted before calling mutex_trylock(&system_transition_mutex) because the caller is not going to end up waiting for this mutex and if it runs concurrently with system suspend in progress, it will be frozen properly when it returns to user space.

syzbot report:

syz-executor895/5833 is trying to acquire lock: ffffffff8e0828c8 (system_transition_mutex){+.+.}-{4:4}, at: lock_system_sleep+0x87/0xa0 kernel/power/main.c:56

but task is already holding lock: ffffffff8e07dc68 (param_lock){+.+.}-{4:4}, at: kernel_param_lock kernel/params.c:607 [inline] ffffffff8e07dc68 (param_lock){+.+.}-{4:4}, at: param_attr_store+0xe6/0x300 kernel/params.c:586

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #3 (param_lock){+.+.}-{4:4}: __mutex_lock_common kernel/locking/mutex.c:585 [inline] __mutex_lock+0x19b/0xb10 kernel/locking/mutex.c:730 ieee80211_rate_control_ops_get net/mac80211/rate.c:220 [inline] rate_control_alloc net/mac80211/rate.c:266 [inline] ieee80211_init_rate_ctrl_alg+0x18d/0x6b0 net/mac80211/rate.c:1015 ieee80211_register_hw+0x20cd/0x4060 net/mac80211/main.c:1531 mac80211_hwsim_new_radio+0x304e/0x54e0 drivers/net/wireless/virtual/mac80211_hwsim.c:5558 init_mac80211_hwsim+0x432/0x8c0 drivers/net/wireless/virtual/mac80211_hwsim.c:6910 do_one_initcall+0x128/0x700 init/main.c:1257 do_initcall_level init/main.c:1319 [inline] do_initcalls init/main.c:1335 [inline] do_basic_setup init/main.c:1354 [inline] kernel_init_freeable+0x5c7/0x900 init/main.c:1568 kernel_init+0x1c/0x2b0 init/main.c:1457 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

-> #2 (rtnl_mutex){+.+.}-{4:4}: __mutex_lock_common kernel/locking/mutex.c:585 [inline] __mutex_lock+0x19b/0xb10 kernel/locking/mutex.c:730 wg_pm_notification drivers/net/wireguard/device.c:80 [inline] wg_pm_notification+0x49/0x180 drivers/net/wireguard/device.c:64 notifier_call_chain+0xb7/0x410 kernel/notifier.c:85 notifier_call_chain_robust kernel/notifier.c:120 [inline] blocking_notifier_call_chain_robust kernel/notifier.c:345 [inline] blocking_notifier_call_chain_robust+0xc9/0x170 kernel/notifier.c:333 pm_notifier_call_chain_robust+0x27/0x60 kernel/power/main.c:102 snapshot_open+0x189/0x2b0 kernel/power/user.c:77 misc_open+0x35a/0x420 drivers/char/misc.c:179 chrdev_open+0x237/0x6a0 fs/char_dev.c:414 do_dentry_open+0x735/0x1c40 fs/open.c:956 vfs_open+0x82/0x3f0 fs/open.c:1086 do_open fs/namei.c:3830 [inline] path_openat+0x1e88/0x2d80 fs/namei.c:3989 do_filp_open+0x20c/0x470 fs/namei.c:4016 do_sys_openat2+0x17a/0x1e0 fs/open.c:1428 do_sys_open fs/open.c:1443 [inline] __do_sys_openat fs/open.c:1459 [inline] __se_sys_openat fs/open.c:1454 [inline] __x64_sys_openat+0x175/0x210 fs/open.c:1454 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #1 ((pm_chain_head).rwsem){++++}-{4:4}: down_read+0x9a/0x330 kernel/locking/rwsem.c:1524 blocking_notifier_call_chain_robust kerne ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T13:15:53Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: hibernate: Avoid deadlock in hibernate_compressor_param_set()\n\nsyzbot reported a deadlock in lock_system_sleep() (see below).\n\nThe write operation to \"/sys/module/hibernate/parameters/compressor\"\nconflicts with the registration of ieee80211 device, resulting in a deadlock\nwhen attempting to acquire system_transition_mutex under param_lock.\n\nTo avoid this deadlock, change hibernate_compressor_param_set() to use\nmutex_trylock() for attempting to acquire system_transition_mutex and\nreturn -EBUSY when it fails.\n\nTask flags need not be saved or adjusted before calling\nmutex_trylock(\u0026system_transition_mutex) because the caller is not going\nto end up waiting for this mutex and if it runs concurrently with system\nsuspend in progress, it will be frozen properly when it returns to user\nspace.\n\nsyzbot report:\n\nsyz-executor895/5833 is trying to acquire lock:\nffffffff8e0828c8 (system_transition_mutex){+.+.}-{4:4}, at: lock_system_sleep+0x87/0xa0 kernel/power/main.c:56\n\nbut task is already holding lock:\nffffffff8e07dc68 (param_lock){+.+.}-{4:4}, at: kernel_param_lock kernel/params.c:607 [inline]\nffffffff8e07dc68 (param_lock){+.+.}-{4:4}, at: param_attr_store+0xe6/0x300 kernel/params.c:586\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-\u003e #3 (param_lock){+.+.}-{4:4}:\n       __mutex_lock_common kernel/locking/mutex.c:585 [inline]\n       __mutex_lock+0x19b/0xb10 kernel/locking/mutex.c:730\n       ieee80211_rate_control_ops_get net/mac80211/rate.c:220 [inline]\n       rate_control_alloc net/mac80211/rate.c:266 [inline]\n       ieee80211_init_rate_ctrl_alg+0x18d/0x6b0 net/mac80211/rate.c:1015\n       ieee80211_register_hw+0x20cd/0x4060 net/mac80211/main.c:1531\n       mac80211_hwsim_new_radio+0x304e/0x54e0 drivers/net/wireless/virtual/mac80211_hwsim.c:5558\n       init_mac80211_hwsim+0x432/0x8c0 drivers/net/wireless/virtual/mac80211_hwsim.c:6910\n       do_one_initcall+0x128/0x700 init/main.c:1257\n       do_initcall_level init/main.c:1319 [inline]\n       do_initcalls init/main.c:1335 [inline]\n       do_basic_setup init/main.c:1354 [inline]\n       kernel_init_freeable+0x5c7/0x900 init/main.c:1568\n       kernel_init+0x1c/0x2b0 init/main.c:1457\n       ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148\n       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\n-\u003e #2 (rtnl_mutex){+.+.}-{4:4}:\n       __mutex_lock_common kernel/locking/mutex.c:585 [inline]\n       __mutex_lock+0x19b/0xb10 kernel/locking/mutex.c:730\n       wg_pm_notification drivers/net/wireguard/device.c:80 [inline]\n       wg_pm_notification+0x49/0x180 drivers/net/wireguard/device.c:64\n       notifier_call_chain+0xb7/0x410 kernel/notifier.c:85\n       notifier_call_chain_robust kernel/notifier.c:120 [inline]\n       blocking_notifier_call_chain_robust kernel/notifier.c:345 [inline]\n       blocking_notifier_call_chain_robust+0xc9/0x170 kernel/notifier.c:333\n       pm_notifier_call_chain_robust+0x27/0x60 kernel/power/main.c:102\n       snapshot_open+0x189/0x2b0 kernel/power/user.c:77\n       misc_open+0x35a/0x420 drivers/char/misc.c:179\n       chrdev_open+0x237/0x6a0 fs/char_dev.c:414\n       do_dentry_open+0x735/0x1c40 fs/open.c:956\n       vfs_open+0x82/0x3f0 fs/open.c:1086\n       do_open fs/namei.c:3830 [inline]\n       path_openat+0x1e88/0x2d80 fs/namei.c:3989\n       do_filp_open+0x20c/0x470 fs/namei.c:4016\n       do_sys_openat2+0x17a/0x1e0 fs/open.c:1428\n       do_sys_open fs/open.c:1443 [inline]\n       __do_sys_openat fs/open.c:1459 [inline]\n       __se_sys_openat fs/open.c:1454 [inline]\n       __x64_sys_openat+0x175/0x210 fs/open.c:1454\n       do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n       do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n-\u003e #1 ((pm_chain_head).rwsem){++++}-{4:4}:\n       down_read+0x9a/0x330 kernel/locking/rwsem.c:1524\n       blocking_notifier_call_chain_robust kerne\n---truncated---",
  "id": "GHSA-x3xp-7x67-4cx9",
  "modified": "2025-11-05T17:48:22Z",
  "published": "2025-05-01T15:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37745"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/11ae4fec1f4b4ee06770a572c37d89cbaecbf66e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b2c3806ef4253595dfcb8b58352cfab55c9bfb0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/52323ed1444ea5c2a5f1754ea0a2d9c8c216ccdf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6dbaa8583af74814a5aae03a337cb1722c414808"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X465-6XX8-6H3C

Vulnerability from github – Published: 2025-08-22 18:31 – Updated: 2026-01-07 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: remove mutex_lock check in hfsplus_free_extents

Syzbot reported an issue in hfsplus filesystem:

------------[ cut here ]------------ WARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346 hfsplus_free_extents+0x700/0xad0 Call Trace: hfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606 hfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56 cont_expand_zero fs/buffer.c:2383 [inline] cont_write_begin+0x2cf/0x860 fs/buffer.c:2446 hfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52 generic_cont_expand_simple+0x151/0x250 fs/buffer.c:2347 hfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263 notify_change+0xe38/0x10f0 fs/attr.c:420 do_truncate+0x1fb/0x2e0 fs/open.c:65 do_sys_ftruncate+0x2eb/0x380 fs/open.c:193 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd

To avoid deadlock, Commit 31651c607151 ("hfsplus: avoid deadlock on file truncation") unlock extree before hfsplus_free_extents(), and add check wheather extree is locked in hfsplus_free_extents().

However, when operations such as hfsplus_file_release, hfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed concurrently in different files, it is very likely to trigger the WARN_ON, which will lead syzbot and xfstest to consider it as an abnormality.

The comment above this warning also describes one of the easy triggering situations, which can easily trigger and cause xfstest&syzbot to report errors.

[task A] [task B] ->hfsplus_file_release ->hfsplus_file_truncate ->hfs_find_init ->mutex_lock ->mutex_unlock ->hfsplus_write_begin ->hfsplus_get_block ->hfsplus_file_extend ->hfsplus_ext_read_extent ->hfs_find_init ->mutex_lock ->hfsplus_free_extents WARN_ON(mutex_is_locked) !!!

Several threads could try to lock the shared extents tree. And warning can be triggered in one thread when another thread has locked the tree. This is the wrong behavior of the code and we need to remove the warning.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38650"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-22T16:15:39Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: remove mutex_lock check in hfsplus_free_extents\n\nSyzbot reported an issue in hfsplus filesystem:\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346\n\thfsplus_free_extents+0x700/0xad0\nCall Trace:\n\u003cTASK\u003e\nhfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606\nhfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56\ncont_expand_zero fs/buffer.c:2383 [inline]\ncont_write_begin+0x2cf/0x860 fs/buffer.c:2446\nhfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52\ngeneric_cont_expand_simple+0x151/0x250 fs/buffer.c:2347\nhfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263\nnotify_change+0xe38/0x10f0 fs/attr.c:420\ndo_truncate+0x1fb/0x2e0 fs/open.c:65\ndo_sys_ftruncate+0x2eb/0x380 fs/open.c:193\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nTo avoid deadlock, Commit 31651c607151 (\"hfsplus: avoid deadlock\non file truncation\") unlock extree before hfsplus_free_extents(),\nand add check wheather extree is locked in hfsplus_free_extents().\n\nHowever, when operations such as hfsplus_file_release,\nhfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed\nconcurrently in different files, it is very likely to trigger the\nWARN_ON, which will lead syzbot and xfstest to consider it as an\nabnormality.\n\nThe comment above this warning also describes one of the easy\ntriggering situations, which can easily trigger and cause\nxfstest\u0026syzbot to report errors.\n\n[task A]\t\t\t[task B]\n-\u003ehfsplus_file_release\n  -\u003ehfsplus_file_truncate\n    -\u003ehfs_find_init\n      -\u003emutex_lock\n    -\u003emutex_unlock\n\t\t\t\t-\u003ehfsplus_write_begin\n\t\t\t\t  -\u003ehfsplus_get_block\n\t\t\t\t    -\u003ehfsplus_file_extend\n\t\t\t\t      -\u003ehfsplus_ext_read_extent\n\t\t\t\t        -\u003ehfs_find_init\n\t\t\t\t\t  -\u003emutex_lock\n    -\u003ehfsplus_free_extents\n      WARN_ON(mutex_is_locked) !!!\n\nSeveral threads could try to lock the shared extents tree.\nAnd warning can be triggered in one thread when another thread\nhas locked the tree. This is the wrong behavior of the code and\nwe need to remove the warning.",
  "id": "GHSA-x465-6xx8-6h3c",
  "modified": "2026-01-07T18:30:21Z",
  "published": "2025-08-22T18:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38650"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0807e4ac59a546f2346961c5e26a98901594b205"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/084933961ecda7561dedfb78c4676ccb90c91ada"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/14922f0cc92e010b160121679c0a6ca072f4e975"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/314310166ba1fdff7660dfd9d18ea42d7058f7ae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5055b7db94110f228961dea6b74eed0a93a50b01"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9764b8bb9f5f94df105cd2ac43829dd0d2c82b9f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a19ce9230b22a0866313932e7964cf05557a6008"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fcb96956c921f1aae7e7b477f2435c56f77a31b4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fdd6aca652122d6e97787e88d7dd53ddc8b74e7e"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Strategy: Libraries or Frameworks

Use industry standard APIs to implement locking mechanism.

CAPEC-25: Forced Deadlock

The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-27: Leveraging Race Conditions via Symbolic Links

This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.