Home

Description

In the Linux kernel, the following vulnerability has been resolved: tipc: fix NULL pointer dereference in tipc_mon_reinit_self() syzbot reported: tipc: Node number set to 1055423674 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 3 UID: 0 PID: 6017 Comm: kworker/3:5 Not tainted 6.15.0-rc1-syzkaller-00246-g900241a5cc15 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events tipc_net_finalize_work RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719 ... RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010 RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007 R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010 FS: 0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> tipc_net_finalize+0x10b/0x180 net/tipc/net.c:140 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> ... RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719 ... RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010 RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007 R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010 FS: 0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 There is a racing condition between workqueue created when enabling bearer and another thread created when disabling bearer right after that as follow: enabling_bearer | disabling_bearer --------------- | ---------------- tipc_disc_timeout() | { | bearer_disable() ... | { schedule_work(&tn->work); | tipc_mon_delete() ... | { } | ... | write_lock_bh(&mon->lock); | mon->self = NULL; | write_unlock_bh(&mon->lock); | ... | } tipc_net_finalize_work() | } { | ... | tipc_net_finalize() | { | ... | tipc_mon_reinit_self() | { | ... | write_lock_bh(&mon->lock); | mon->self->addr = tipc_own_addr(net); | write_unlock_bh(&mon->lock); | ... ---truncated---

PUBLISHED Reserved 2025-04-16 | Published 2025-05-08 | Updated 2026-05-23 | Assigner Linux

Product status

Default status
unaffected

28845c28f842e9e55e75b2c116bff714bb039055 (git) before a3df56010403b2cd26388096ebccf959d23c4dcc
affected

46cb01eeeb86fca6afe24dda1167b0cb95424e29 (git) before e6613b6d41f4010c4d484cbc7bfca690d8d522a2
affected

46cb01eeeb86fca6afe24dda1167b0cb95424e29 (git) before 5fd464fd24de93d0eca377554bf0ff2548f76f30
affected

46cb01eeeb86fca6afe24dda1167b0cb95424e29 (git) before e79e8e05aa46f90d21023f0ffe6f136ed6a20932
affected

46cb01eeeb86fca6afe24dda1167b0cb95424e29 (git) before dd6cb0a8575b00fbd503e96903184125176f4fa3
affected

46cb01eeeb86fca6afe24dda1167b0cb95424e29 (git) before 0ceef62a328ce1288598c9242576292671f21e96
affected

46cb01eeeb86fca6afe24dda1167b0cb95424e29 (git) before 4d5e1e2d3e9d70beff7beab44fd6ce91405a405e
affected

46cb01eeeb86fca6afe24dda1167b0cb95424e29 (git) before d63527e109e811ef11abb1c2985048fdb528b4cb
affected

295c9b554f6dfcd2d368fae6e6fa22ee5b79c123 (git)
affected

5.4.15 (semver) before 5.4.293
affected

4.19.99 (semver) before 4.20
affected

Default status
affected

5.5
affected

Any version before 5.5
unaffected

5.4.293 (semver)
unaffected

5.10.237 (semver)
unaffected

5.15.181 (semver)
unaffected

6.1.136 (semver)
unaffected

6.6.89 (semver)
unaffected

6.12.26 (semver)
unaffected

6.14.5 (semver)
unaffected

6.15 (original_commit_for_fix)
unaffected

References

lists.debian.org/debian-lts-announce/2025/05/msg00045.html

lists.debian.org/debian-lts-announce/2025/05/msg00030.html

git.kernel.org/...c/a3df56010403b2cd26388096ebccf959d23c4dcc

git.kernel.org/...c/e6613b6d41f4010c4d484cbc7bfca690d8d522a2

git.kernel.org/...c/5fd464fd24de93d0eca377554bf0ff2548f76f30

git.kernel.org/...c/e79e8e05aa46f90d21023f0ffe6f136ed6a20932

git.kernel.org/...c/dd6cb0a8575b00fbd503e96903184125176f4fa3

git.kernel.org/...c/0ceef62a328ce1288598c9242576292671f21e96

git.kernel.org/...c/4d5e1e2d3e9d70beff7beab44fd6ce91405a405e

git.kernel.org/...c/d63527e109e811ef11abb1c2985048fdb528b4cb

cve.org (CVE-2025-37824)

nvd.nist.gov (CVE-2025-37824)

Download JSON