fkie_cve-2025-38244
Vulnerability from fkie_nvd
Published
2025-07-09 11:15
Modified
2025-07-10 13:17
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential deadlock when reconnecting channels Fix cifs_signal_cifsd_for_reconnect() to take the correct lock order and prevent the following deadlock from happening ====================================================== WARNING: possible circular locking dependency detected 6.16.0-rc3-build2+ #1301 Tainted: G S W ------------------------------------------------------ cifsd/6055 is trying to acquire lock: ffff88810ad56038 (&tcp_ses->srv_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x134/0x200 but task is already holding lock: ffff888119c64330 (&ret_buf->chan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&ret_buf->chan_lock){+.+.}-{3:3}: validate_chain+0x1cf/0x270 __lock_acquire+0x60e/0x780 lock_acquire.part.0+0xb4/0x1f0 _raw_spin_lock+0x2f/0x40 cifs_setup_session+0x81/0x4b0 cifs_get_smb_ses+0x771/0x900 cifs_mount_get_session+0x7e/0x170 cifs_mount+0x92/0x2d0 cifs_smb3_do_mount+0x161/0x460 smb3_get_tree+0x55/0x90 vfs_get_tree+0x46/0x180 do_new_mount+0x1b0/0x2e0 path_mount+0x6ee/0x740 do_mount+0x98/0xe0 __do_sys_mount+0x148/0x180 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #1 (&ret_buf->ses_lock){+.+.}-{3:3}: validate_chain+0x1cf/0x270 __lock_acquire+0x60e/0x780 lock_acquire.part.0+0xb4/0x1f0 _raw_spin_lock+0x2f/0x40 cifs_match_super+0x101/0x320 sget+0xab/0x270 cifs_smb3_do_mount+0x1e0/0x460 smb3_get_tree+0x55/0x90 vfs_get_tree+0x46/0x180 do_new_mount+0x1b0/0x2e0 path_mount+0x6ee/0x740 do_mount+0x98/0xe0 __do_sys_mount+0x148/0x180 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #0 (&tcp_ses->srv_lock){+.+.}-{3:3}: check_noncircular+0x95/0xc0 check_prev_add+0x115/0x2f0 validate_chain+0x1cf/0x270 __lock_acquire+0x60e/0x780 lock_acquire.part.0+0xb4/0x1f0 _raw_spin_lock+0x2f/0x40 cifs_signal_cifsd_for_reconnect+0x134/0x200 __cifs_reconnect+0x8f/0x500 cifs_handle_standard+0x112/0x280 cifs_demultiplex_thread+0x64d/0xbc0 kthread+0x2f7/0x310 ret_from_fork+0x2a/0x230 ret_from_fork_asm+0x1a/0x30 other info that might help us debug this: Chain exists of: &tcp_ses->srv_lock --> &ret_buf->ses_lock --> &ret_buf->chan_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&ret_buf->chan_lock); lock(&ret_buf->ses_lock); lock(&ret_buf->chan_lock); lock(&tcp_ses->srv_lock); *** DEADLOCK *** 3 locks held by cifsd/6055: #0: ffffffff857de398 (&cifs_tcp_ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x7b/0x200 #1: ffff888119c64060 (&ret_buf->ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x9c/0x200 #2: ffff888119c64330 (&ret_buf->chan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/711741f94ac3cf9f4e3aa73aa171e76d188c0819
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7f3ead8ebc0ef65b6c89a13912b4e80218425629
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c82c7041258d96e3286f6790ab700e4edd3cc9e3
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fe035dc78aa6ca8f862857d45beaf7a0e03206ca
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential deadlock when reconnecting channels\n\nFix cifs_signal_cifsd_for_reconnect() to take the correct lock order\nand prevent the following deadlock from happening\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.16.0-rc3-build2+ #1301 Tainted: G S      W\n------------------------------------------------------\ncifsd/6055 is trying to acquire lock:\nffff88810ad56038 (\u0026tcp_ses-\u003esrv_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x134/0x200\n\nbut task is already holding lock:\nffff888119c64330 (\u0026ret_buf-\u003echan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-\u003e #2 (\u0026ret_buf-\u003echan_lock){+.+.}-{3:3}:\n       validate_chain+0x1cf/0x270\n       __lock_acquire+0x60e/0x780\n       lock_acquire.part.0+0xb4/0x1f0\n       _raw_spin_lock+0x2f/0x40\n       cifs_setup_session+0x81/0x4b0\n       cifs_get_smb_ses+0x771/0x900\n       cifs_mount_get_session+0x7e/0x170\n       cifs_mount+0x92/0x2d0\n       cifs_smb3_do_mount+0x161/0x460\n       smb3_get_tree+0x55/0x90\n       vfs_get_tree+0x46/0x180\n       do_new_mount+0x1b0/0x2e0\n       path_mount+0x6ee/0x740\n       do_mount+0x98/0xe0\n       __do_sys_mount+0x148/0x180\n       do_syscall_64+0xa4/0x260\n       entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n-\u003e #1 (\u0026ret_buf-\u003eses_lock){+.+.}-{3:3}:\n       validate_chain+0x1cf/0x270\n       __lock_acquire+0x60e/0x780\n       lock_acquire.part.0+0xb4/0x1f0\n       _raw_spin_lock+0x2f/0x40\n       cifs_match_super+0x101/0x320\n       sget+0xab/0x270\n       cifs_smb3_do_mount+0x1e0/0x460\n       smb3_get_tree+0x55/0x90\n       vfs_get_tree+0x46/0x180\n       do_new_mount+0x1b0/0x2e0\n       path_mount+0x6ee/0x740\n       do_mount+0x98/0xe0\n       __do_sys_mount+0x148/0x180\n       do_syscall_64+0xa4/0x260\n       entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n-\u003e #0 (\u0026tcp_ses-\u003esrv_lock){+.+.}-{3:3}:\n       check_noncircular+0x95/0xc0\n       check_prev_add+0x115/0x2f0\n       validate_chain+0x1cf/0x270\n       __lock_acquire+0x60e/0x780\n       lock_acquire.part.0+0xb4/0x1f0\n       _raw_spin_lock+0x2f/0x40\n       cifs_signal_cifsd_for_reconnect+0x134/0x200\n       __cifs_reconnect+0x8f/0x500\n       cifs_handle_standard+0x112/0x280\n       cifs_demultiplex_thread+0x64d/0xbc0\n       kthread+0x2f7/0x310\n       ret_from_fork+0x2a/0x230\n       ret_from_fork_asm+0x1a/0x30\n\nother info that might help us debug this:\n\nChain exists of:\n  \u0026tcp_ses-\u003esrv_lock --\u003e \u0026ret_buf-\u003eses_lock --\u003e \u0026ret_buf-\u003echan_lock\n\n Possible unsafe locking scenario:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(\u0026ret_buf-\u003echan_lock);\n                               lock(\u0026ret_buf-\u003eses_lock);\n                               lock(\u0026ret_buf-\u003echan_lock);\n  lock(\u0026tcp_ses-\u003esrv_lock);\n\n *** DEADLOCK ***\n\n3 locks held by cifsd/6055:\n #0: ffffffff857de398 (\u0026cifs_tcp_ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x7b/0x200\n #1: ffff888119c64060 (\u0026ret_buf-\u003eses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x9c/0x200\n #2: ffff888119c64330 (\u0026ret_buf-\u003echan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: se corrige un posible bloqueo al reconectar canales Se corrige cifs_signal_cifsd_for_reconnect() para que adopte el orden de bloqueo correcto y evite que se produzca el siguiente bloqueo ========================================================= ADVERTENCIA: se detect\u00f3 una posible dependencia de bloqueo circular 6.16.0-rc3-build2+ #1301 Tainted: G S W ------------------------------------------------------ cifsd/6055 is trying to acquire lock: ffff88810ad56038 (\u0026amp;tcp_ses-\u0026gt;srv_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x134/0x200 but task is already holding lock: ffff888119c64330 (\u0026amp;ret_buf-\u0026gt;chan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -\u0026gt; #2 (\u0026amp;ret_buf-\u0026gt;chan_lock){+.+.}-{3:3}: validate_chain+0x1cf/0x270 __lock_acquire+0x60e/0x780 lock_acquire.part.0+0xb4/0x1f0 _raw_spin_lock+0x2f/0x40 cifs_setup_session+0x81/0x4b0 cifs_get_smb_ses+0x771/0x900 cifs_mount_get_session+0x7e/0x170 cifs_mount+0x92/0x2d0 cifs_smb3_do_mount+0x161/0x460 smb3_get_tree+0x55/0x90 vfs_get_tree+0x46/0x180 do_new_mount+0x1b0/0x2e0 path_mount+0x6ee/0x740 do_mount+0x98/0xe0 __do_sys_mount+0x148/0x180 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x76/0x7e -\u0026gt; #1 (\u0026amp;ret_buf-\u0026gt;ses_lock){+.+.}-{3:3}: validate_chain+0x1cf/0x270 __lock_acquire+0x60e/0x780 lock_acquire.part.0+0xb4/0x1f0 _raw_spin_lock+0x2f/0x40 cifs_match_super+0x101/0x320 sget+0xab/0x270 cifs_smb3_do_mount+0x1e0/0x460 smb3_get_tree+0x55/0x90 vfs_get_tree+0x46/0x180 do_new_mount+0x1b0/0x2e0 path_mount+0x6ee/0x740 do_mount+0x98/0xe0 __do_sys_mount+0x148/0x180 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x76/0x7e -\u0026gt; #0 (\u0026amp;tcp_ses-\u0026gt;srv_lock){+.+.}-{3:3}: check_noncircular+0x95/0xc0 check_prev_add+0x115/0x2f0 validate_chain+0x1cf/0x270 __lock_acquire+0x60e/0x780 lock_acquire.part.0+0xb4/0x1f0 _raw_spin_lock+0x2f/0x40 cifs_signal_cifsd_for_reconnect+0x134/0x200 __cifs_reconnect+0x8f/0x500 cifs_handle_standard+0x112/0x280 cifs_demultiplex_thread+0x64d/0xbc0 kthread+0x2f7/0x310 ret_from_fork+0x2a/0x230 ret_from_fork_asm+0x1a/0x30 other info that might help us debug this: Chain exists of: \u0026amp;tcp_ses-\u0026gt;srv_lock --\u0026gt; \u0026amp;ret_buf-\u0026gt;ses_lock --\u0026gt; \u0026amp;ret_buf-\u0026gt;chan_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(\u0026amp;ret_buf-\u0026gt;chan_lock); lock(\u0026amp;ret_buf-\u0026gt;ses_lock); lock(\u0026amp;ret_buf-\u0026gt;chan_lock); lock(\u0026amp;tcp_ses-\u0026gt;srv_lock); *** DEADLOCK *** 3 locks held by cifsd/6055: #0: ffffffff857de398 (\u0026amp;cifs_tcp_ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x7b/0x200 #1: ffff888119c64060 (\u0026amp;ret_buf-\u0026gt;ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x9c/0x200 #2: ffff888119c64330 (\u0026amp;ret_buf-\u0026gt;chan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200 "
    }
  ],
  "id": "CVE-2025-38244",
  "lastModified": "2025-07-10T13:17:30.017",
  "metrics": {},
  "published": "2025-07-09T11:15:26.480",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/711741f94ac3cf9f4e3aa73aa171e76d188c0819"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7f3ead8ebc0ef65b6c89a13912b4e80218425629"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/c82c7041258d96e3286f6790ab700e4edd3cc9e3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/fe035dc78aa6ca8f862857d45beaf7a0e03206ca"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.