net/rds: Fix circular locking dependency in rds_tcp_tune_CVE-2026-23419

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net/rds: Fix circular locking dependency in rds_tcp_tune

syzbot reported a circular locking dependency in rds_tcp_tune() where
sk_net_refcnt_upgrade() is called while holding the socket lock:

======================================================
WARNING: possible circular locking dependency detected
======================================================
kworker/u10:8/15040 is trying to acquire lock:
ffffffff8e9aaf80 (fs_reclaim){+.+.}-{0:0},
at: __kmalloc_cache_noprof+0x4b/0x6f0

but task is already holding lock:
ffff88805a3c1ce0 (k-sk_lock-AF_INET6){+.+.}-{0:0},
at: rds_tcp_tune+0xd7/0x930

The issue occurs because sk_net_refcnt_upgrade() performs memory
allocation (via get_net_track() -> ref_tracker_alloc()) while the
socket lock is held, creating a circular dependency with fs_reclaim.

Fix this by moving sk_net_refcnt_upgrade() outside the socket lock
critical section. This is safe because the fields modified by the
sk_net_refcnt_upgrade() call (sk_net_refcnt, ns_tracker) are not
accessed by any concurrent code path at this point.

v2:
- Corrected fixes tag
- check patch line wrap nits
- ai commentary nits

Basic Information

ID CVE-2026-23419

Source Linux

Published Apr 3, 2026 at 13:24

Modified Apr 27, 2026 at 14:02

Affected Product

Vendor Linux

Product Linux

Version 3a58f13a881ed351198ffab4cf9953cf19d2ab3a

Affected Versions Linux Linux 3a58f13a881ed351198ffab4cf9953cf19d2ab3a
Linux Linux 3a58f13a881ed351198ffab4cf9953cf19d2ab3a
Linux Linux 3a58f13a881ed351198ffab4cf9953cf19d2ab3a
Linux Linux 3a58f13a881ed351198ffab4cf9953cf19d2ab3a
Linux Linux 3a58f13a881ed351198ffab4cf9953cf19d2ab3a
Linux Linux 2a6efabed754c9dcf27e6def71317b374f58a852
Linux Linux 5.18

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: Fix circular locking dependency in rds_tcp_tune\n\nsyzbot reported a circular locking dependency in rds_tcp_tune() where\nsk_net_refcnt_upgrade() is called while holding the socket lock:\n\n======================================================\nWARNING: possible circular locking dependency detected\n======================================================\nkworker/u10:8/15040 is trying to acquire lock:\nffffffff8e9aaf80 (fs_reclaim){+.+.}-{0:0},\nat: __kmalloc_cache_noprof+0x4b/0x6f0\n\nbut task is already holding lock:\nffff88805a3c1ce0 (k-sk_lock-AF_INET6){+.+.}-{0:0},\nat: rds_tcp_tune+0xd7/0x930\n\nThe issue occurs because sk_net_refcnt_upgrade() performs memory\nallocation (via get_net_track() -> ref_tracker_alloc()) while the\nsocket lock is held, creating a circular dependency with fs_reclaim.\n\nFix this by moving sk_net_refcnt_upgrade() outside the socket lock\ncritical section. This is safe because the fields modified by the\nsk_net_refcnt_upgrade() call (sk_net_refcnt, ns_tracker) are not\naccessed by any concurrent code path at this point.\n\nv2:\n  - Corrected fixes tag\n  - check patch line wrap nits\n  - ai commentary nits",
    "published": "2026-04-03T13:24:23.958Z",
    "modified": "2026-04-27T14:02:15.157Z",
    "type": "cve",
    "title": "net/rds: Fix circular locking dependency in rds_tcp_tune",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/8babb271403378ba6836f6c8599c5313d0e2355d\nhttps://git.kernel.org/stable/c/8519e6883a942e510f33a0e634e27bcc3a844a40\nhttps://git.kernel.org/stable/c/6ce948fa54599f369ff7fe8b793a6aae4b0762b2\nhttps://git.kernel.org/stable/c/026bbaeeab9e04534ee58882b6447300629b42f6\nhttps://git.kernel.org/stable/c/6a877ececd6daa002a9a0002cd0fbca6592a9244",
    "id": "CVE-2026-23419",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 3a58f13a881ed351198ffab4cf9953cf19d2ab3a\nLinux Linux 3a58f13a881ed351198ffab4cf9953cf19d2ab3a\nLinux Linux 3a58f13a881ed351198ffab4cf9953cf19d2ab3a\nLinux Linux 3a58f13a881ed351198ffab4cf9953cf19d2ab3a\nLinux Linux 3a58f13a881ed351198ffab4cf9953cf19d2ab3a\nLinux Linux 2a6efabed754c9dcf27e6def71317b374f58a852\nLinux Linux 5.18",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "3a58f13a881ed351198ffab4cf9953cf19d2ab3a",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply