CVE-2025-21862

In the Linux kernel, the following vulnerability has been resolved:

drop_monitor: fix incorrect initialization order

Syzkaller reports the following bug:

BUG: spinlock bad magic on CPU#1, syz-executor.0/7995 lock: 0xffff88805303f3e0, .magic: 00000000, .owner: <none>/-1, .ownercpu: 0 CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: dumpstack lib/dumpstack.c:77 [inline] dumpstack+0x119/0x179 lib/dumpstack.c:118 debugspinlockbefore kernel/locking/spinlockdebug.c:83 [inline] dorawspinlock+0x1f6/0x270 kernel/locking/spinlockdebug.c:112 _rawspinlockirqsave include/linux/spinlockapismp.h:117 [inline] _rawspinlockirqsave+0x50/0x70 kernel/locking/spinlock.c:159 resetpercpudata+0xe6/0x240 [dropmonitor] netdmcmdtrace+0x43d/0x17a0 [dropmonitor] genlfamilyrcvmsgdoit+0x22f/0x330 net/netlink/genetlink.c:739 genlfamilyrcvmsg net/netlink/genetlink.c:783 [inline] genlrcvmsg+0x341/0x5a0 net/netlink/genetlink.c:800 netlinkrcvskb+0x14d/0x440 net/netlink/afnetlink.c:2497 genlrcv+0x29/0x40 net/netlink/genetlink.c:811 netlinkunicastkernel net/netlink/afnetlink.c:1322 [inline] netlinkunicast+0x54b/0x800 net/netlink/afnetlink.c:1348 netlinksendmsg+0x914/0xe00 net/netlink/afnetlink.c:1916 socksendmsgnosec net/socket.c:651 [inline] _socksendmsg+0x157/0x190 net/socket.c:663 syssendmsg+0x712/0x870 net/socket.c:2378 _syssendmsg+0xf8/0x170 net/socket.c:2432 _syssendmsg+0xea/0x1b0 net/socket.c:2461 dosyscall64+0x30/0x40 arch/x86/entry/common.c:46 entrySYSCALL64afterhwframe+0x62/0xc7 RIP: 0033:0x7f3f9815aee9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9 RDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007 RBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768

If dropmonitor is built as a kernel module, syzkaller may have time to send a netlink NETDMCMDSTART message during the module loading. This will call the netdmmonitor_start() function that uses a spinlock that has not yet been initialized.

To fix this, let's place resource initialization above the registration of a generic netlink family.

Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller.