CVE-2025-40231

Linux Kernel - Deadlock via vsock_assign_transport Lock Inversion

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: vsock: fix lock inversion in vsock_assign_transport() Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called. The issue was introduced by commit 687aa0c5581b ("vsock: Fix transport_* TOCTOU") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread hold vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created. Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().

Scores

EPSS 0.0018
EPSS Percentile 7.6%

Details

Status published
Products (29)
linux/Kernel < 5.10.246linux
linux/Kernel 5.11.0 - 5.15.196linux
linux/Kernel 5.16.0 - 6.1.158linux
linux/Kernel 6.13.0 - 6.17.6linux
linux/Kernel 6.2.0 - 6.6.115linux
linux/Kernel 6.7.0 - 6.12.56linux
Linux/Linux < 6.16
Linux/Linux 36a439049b34cca0b3661276049b84a1f76cc21a - 09bba278ccde25a14b6e5088a9e65a8717d0cccf
Linux/Linux 5.10.240 - 5.10.246
Linux/Linux 5.10.246 - 5.10.*
... and 19 more
Published Dec 04, 2025
Tracked Since Feb 18, 2026