{"id":"CVE-2025-37824","summary":"tipc: fix NULL pointer dereference in tipc_mon_reinit_self()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix NULL pointer dereference in tipc_mon_reinit_self()\n\nsyzbot reported:\n\ntipc: Node number set to 1055423674\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 3 UID: 0 PID: 6017 Comm: kworker/3:5 Not tainted 6.15.0-rc1-syzkaller-00246-g900241a5cc15 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: events tipc_net_finalize_work\nRIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719\n...\nRSP: 0018:ffffc9000356fb68 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba\nRDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010\nRBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007\nR13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010\nFS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n tipc_net_finalize+0x10b/0x180 net/tipc/net.c:140\n process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3319 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400\n kthread+0x3c2/0x780 kernel/kthread.c:464\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n...\nRIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719\n...\nRSP: 0018:ffffc9000356fb68 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba\nRDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010\nRBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007\nR13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010\nFS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n\nThere is a racing condition between workqueue created when enabling\nbearer and another thread created when disabling bearer right after\nthat as follow:\n\nenabling_bearer                          | disabling_bearer\n---------------                          | ----------------\ntipc_disc_timeout()                      |\n{                                        | bearer_disable()\n ...                                     | {\n schedule_work(&tn-\u003ework);               |  tipc_mon_delete()\n ...                                     |  {\n}                                        |   ...\n                                         |   write_lock_bh(&mon-\u003elock);\n                                         |   mon-\u003eself = NULL;\n                                         |   write_unlock_bh(&mon-\u003elock);\n                                         |   ...\n                                         |  }\ntipc_net_finalize_work()                 | }\n{                                        |\n ...                                     |\n tipc_net_finalize()                     |\n {                                       |\n  ...                                    |\n  tipc_mon_reinit_self()                 |\n  {                                      |\n   ...                                   |\n   write_lock_bh(&mon-\u003elock);            |\n   mon-\u003eself-\u003eaddr = tipc_own_addr(net); |\n   write_unlock_bh(&mon-\u003elock);          |\n   ...             \n---truncated---","modified":"2026-04-16T04:35:53.484501167Z","published":"2025-05-08T06:26:17.476Z","related":["SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01965-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:01972-1","SUSE-SU-2025:02000-1","SUSE-SU-2025:20408-1","SUSE-SU-2025:20413-1","SUSE-SU-2025:20419-1","SUSE-SU-2025:20421-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37824.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0ceef62a328ce1288598c9242576292671f21e96"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4d5e1e2d3e9d70beff7beab44fd6ce91405a405e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5fd464fd24de93d0eca377554bf0ff2548f76f30"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a3df56010403b2cd26388096ebccf959d23c4dcc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d63527e109e811ef11abb1c2985048fdb528b4cb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dd6cb0a8575b00fbd503e96903184125176f4fa3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e6613b6d41f4010c4d484cbc7bfca690d8d522a2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e79e8e05aa46f90d21023f0ffe6f136ed6a20932"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37824.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37824"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"28845c28f842e9e55e75b2c116bff714bb039055"},{"fixed":"a3df56010403b2cd26388096ebccf959d23c4dcc"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"46cb01eeeb86fca6afe24dda1167b0cb95424e29"},{"fixed":"e6613b6d41f4010c4d484cbc7bfca690d8d522a2"},{"fixed":"5fd464fd24de93d0eca377554bf0ff2548f76f30"},{"fixed":"e79e8e05aa46f90d21023f0ffe6f136ed6a20932"},{"fixed":"dd6cb0a8575b00fbd503e96903184125176f4fa3"},{"fixed":"0ceef62a328ce1288598c9242576292671f21e96"},{"fixed":"4d5e1e2d3e9d70beff7beab44fd6ce91405a405e"},{"fixed":"d63527e109e811ef11abb1c2985048fdb528b4cb"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"295c9b554f6dfcd2d368fae6e6fa22ee5b79c123"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-37824.json"}}],"schema_version":"1.7.5"}