CVE-2025-21986 (GCVE-0-2025-21986)
Vulnerability from cvelistv5
Published: 2025-04-01 15:47
Modified: 2025-05-04 13:06
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: switchdev: Convert blocking notification chain to a raw one

A blocking notification chain uses a read-write semaphore to protect the
integrity of the chain. The semaphore is acquired for writing when
adding / removing notifiers to / from the chain and acquired for reading
when traversing the chain and informing notifiers about an event.

In case of the blocking switchdev notification chain, recursive
notifications are possible which leads to the semaphore being acquired
twice for reading and to lockdep warnings being generated [1].

Specifically, this can happen when the bridge driver processes a
SWITCHDEV_BRPORT_UNOFFLOADED event which causes it to emit notifications
about deferred events when calling switchdev_deferred_process().

Fix this by converting the notification chain to a raw notification
chain in a similar fashion to the netdev notification chain. Protect
the chain using the RTNL mutex by acquiring it when modifying the chain.
Events are always informed under the RTNL mutex, but add an assertion in
call_switchdev_blocking_notifiers() to make sure this is not violated in
the future.

Maintain the "blocking" prefix as events are always emitted from process
context and listeners are allowed to block.

[1]:

```
WARNING: possible recursive locking detected
6.14.0-rc4-custom-g079270089484 #1 Not tainted
--------------------------------------------
ip/52731 is trying to acquire lock:
ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0

but task is already holding lock:
ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0

other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock((switchdev_blocking_notif_chain).rwsem);
lock((switchdev_blocking_notif_chain).rwsem);

*** DEADLOCK ***
May be due to missing lock nesting notation
3 locks held by ip/52731:
#0: ffffffff84f795b0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x727/0x1dc0
#1: ffffffff8731f628 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x790/0x1dc0
#2: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0

stack backtrace:
...
? __pfx_down_read+0x10/0x10
? __pfx_mark_lock+0x10/0x10
? __pfx_switchdev_port_attr_set_deferred+0x10/0x10
blocking_notifier_call_chain+0x58/0xa0
switchdev_port_attr_notify.constprop.0+0xb3/0x1b0
? __pfx_switchdev_port_attr_notify.constprop.0+0x10/0x10
? mark_held_locks+0x94/0xe0
? switchdev_deferred_process+0x11a/0x340
switchdev_port_attr_set_deferred+0x27/0xd0
switchdev_deferred_process+0x164/0x340
br_switchdev_port_unoffload+0xc8/0x100 [bridge]
br_switchdev_blocking_event+0x29f/0x580 [bridge]
notifier_call_chain+0xa2/0x440
blocking_notifier_call_chain+0x6e/0xa0
switchdev_bridge_port_unoffload+0xde/0x1a0
...
```
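
The recursion described in the summary above, as an added userspace C model (not kernel code, and not part of the kernel patch): a listener that re-notifies on the same chain takes a nested read hold on a blocking chain, while a raw chain only checks that the outer mutex is held. The names `chain_model`, `listener`, `run`, the event ids and the return codes are constructed for illustration, and the model assumes a reader queues behind a waiting writer.

```c
/* Userspace model of the locking pattern above; not kernel code. */
#include <stdbool.h>
#include <stdio.h>
enum { EV_BRPORT_UNOFFLOADED = 1, EV_DEFERRED_ATTR = 2 }; /* constructed ids */

struct chain_model {
    bool blocking;       /* true: traversal takes the chain's own rwsem for read */
    bool writer_waiting; /* a notifier (un)registration is queued for write */
    int read_depth;      /* read holds this task has on the rwsem */
    int nested_reads;    /* nested read acquisitions, the case lockdep reports */
    int delivered;       /* events that reached the listener */
};
static bool rtnl_held;   /* stands in for the RTNL mutex */
static int notify(struct chain_model *c, int event);

/* Models the bridge listener: handling UNOFFLOADED flushes deferred work,
 * which emits another notification on the same chain. */
static int listener(struct chain_model *c, int event)
{
    c->delivered++;
    return event == EV_BRPORT_UNOFFLOADED ? notify(c, EV_DEFERRED_ATTR) : 0;
}

static int notify(struct chain_model *c, int event)
{
    int ret;
    if (!c->blocking)              /* raw chain: caller must hold RTNL */
        return rtnl_held ? listener(c, event) : -1;
    if (c->read_depth > 0) {       /* second down_read() by the same task */
        c->nested_reads++;
        if (c->writer_waiting)     /* assumed: readers queue behind writers */
            return -2;             /* the task would wait on itself */
    }
    c->read_depth++;               /* down_read() */
    ret = listener(c, event);
    c->read_depth--;               /* up_read() */
    return ret;
}

/* Runs the unoffload sequence on a fresh chain and returns notify()'s result. */
static int run(bool blocking, bool writer_waiting, bool rtnl, struct chain_model *c)
{
    *c = (struct chain_model){ .blocking = blocking, .writer_waiting = writer_waiting };
    rtnl_held = rtnl;
    return notify(c, EV_BRPORT_UNOFFLOADED);
}

int main(void)
{
    struct chain_model s;
    int ret = run(true, true, true, &s);
    printf("blocking chain, writer queued: ret=%d nested_reads=%d\n", ret, s.nested_reads);
    return 0;
}
```

In the model, -2 marks the point where the nested reader would block behind the queued writer, and -1 marks a raw-chain notification attempted without the outer mutex, the condition the added assertion guards.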
Impacted products
Vendor | Product | Version |
---|---|---|
Linux | Linux | Version: 91ac2c79e896b28a4a3a262384689ee6dfeaf083; Version: a83856bd0c240267a86ce3388f3437d6ba5ac5ca; Version: f7a70d650b0b6b0134ccba763d672c8439d9f09b; Version: f7a70d650b0b6b0134ccba763d672c8439d9f09b; Version: f7a70d650b0b6b0134ccba763d672c8439d9f09b; Version: a7589eca09929c3cc2a62950ef7f40bcc58afe3a |
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/switchdev/switchdev.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "af757f5ee3f754c5dceefb05c12ff37cb46fc682", "status": "affected", "version": "91ac2c79e896b28a4a3a262384689ee6dfeaf083", "versionType": "git" }, { "lessThan": "1f7d051814e7a0cb1f0717ed5527c1059992129d", "status": "affected", "version": "a83856bd0c240267a86ce3388f3437d6ba5ac5ca", "versionType": "git" }, { "lessThan": "a597d4b75669ec82c72cbee9fe75a15d04b35b2b", "status": "affected", "version": "f7a70d650b0b6b0134ccba763d672c8439d9f09b", "versionType": "git" }, { "lessThan": "f9ed3fb50b872bd78bcb01f25087f9e4e25085d8", "status": "affected", "version": "f7a70d650b0b6b0134ccba763d672c8439d9f09b", "versionType": "git" }, { "lessThan": "62531a1effa87bdab12d5104015af72e60d926ff", "status": "affected", "version": "f7a70d650b0b6b0134ccba763d672c8439d9f09b", "versionType": "git" }, { "status": "affected", "version": "a7589eca09929c3cc2a62950ef7f40bcc58afe3a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/switchdev/switchdev.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.8" }, { "lessThan": "6.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.132", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.84", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.20", "versionType": "semver" }, { "lessThanOrEqual": "6.13.*", "status": "unaffected", "version": "6.13.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.14", "versionType": 
"original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.132", "versionStartIncluding": "6.1.80", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.84", "versionStartIncluding": "6.6.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.20", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.13.8", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7.7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: switchdev: Convert blocking notification chain to a raw one\n\nA blocking notification chain uses a read-write semaphore to protect the\nintegrity of the chain. 
The semaphore is acquired for writing when\nadding / removing notifiers to / from the chain and acquired for reading\nwhen traversing the chain and informing notifiers about an event.\n\nIn case of the blocking switchdev notification chain, recursive\nnotifications are possible which leads to the semaphore being acquired\ntwice for reading and to lockdep warnings being generated [1].\n\nSpecifically, this can happen when the bridge driver processes a\nSWITCHDEV_BRPORT_UNOFFLOADED event which causes it to emit notifications\nabout deferred events when calling switchdev_deferred_process().\n\nFix this by converting the notification chain to a raw notification\nchain in a similar fashion to the netdev notification chain. Protect\nthe chain using the RTNL mutex by acquiring it when modifying the chain.\nEvents are always informed under the RTNL mutex, but add an assertion in\ncall_switchdev_blocking_notifiers() to make sure this is not violated in\nthe future.\n\nMaintain the \"blocking\" prefix as events are always emitted from process\ncontext and listeners are allowed to block.\n\n[1]:\nWARNING: possible recursive locking detected\n6.14.0-rc4-custom-g079270089484 #1 Not tainted\n--------------------------------------------\nip/52731 is trying to acquire lock:\nffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\n\nbut task is already holding lock:\nffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\n\nother info that might help us debug this:\nPossible unsafe locking scenario:\nCPU0\n----\nlock((switchdev_blocking_notif_chain).rwsem);\nlock((switchdev_blocking_notif_chain).rwsem);\n\n*** DEADLOCK ***\nMay be due to missing lock nesting notation\n3 locks held by ip/52731:\n #0: ffffffff84f795b0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x727/0x1dc0\n #1: ffffffff8731f628 (\u0026net-\u003ertnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x790/0x1dc0\n 
#2: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\n\nstack backtrace:\n...\n? __pfx_down_read+0x10/0x10\n? __pfx_mark_lock+0x10/0x10\n? __pfx_switchdev_port_attr_set_deferred+0x10/0x10\nblocking_notifier_call_chain+0x58/0xa0\nswitchdev_port_attr_notify.constprop.0+0xb3/0x1b0\n? __pfx_switchdev_port_attr_notify.constprop.0+0x10/0x10\n? mark_held_locks+0x94/0xe0\n? switchdev_deferred_process+0x11a/0x340\nswitchdev_port_attr_set_deferred+0x27/0xd0\nswitchdev_deferred_process+0x164/0x340\nbr_switchdev_port_unoffload+0xc8/0x100 [bridge]\nbr_switchdev_blocking_event+0x29f/0x580 [bridge]\nnotifier_call_chain+0xa2/0x440\nblocking_notifier_call_chain+0x6e/0xa0\nswitchdev_bridge_port_unoffload+0xde/0x1a0\n..." } ], "providerMetadata": { "dateUpdated": "2025-05-04T13:06:50.853Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/af757f5ee3f754c5dceefb05c12ff37cb46fc682" }, { "url": "https://git.kernel.org/stable/c/1f7d051814e7a0cb1f0717ed5527c1059992129d" }, { "url": "https://git.kernel.org/stable/c/a597d4b75669ec82c72cbee9fe75a15d04b35b2b" }, { "url": "https://git.kernel.org/stable/c/f9ed3fb50b872bd78bcb01f25087f9e4e25085d8" }, { "url": "https://git.kernel.org/stable/c/62531a1effa87bdab12d5104015af72e60d926ff" } ], "title": "net: switchdev: Convert blocking notification chain to a raw one", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-21986", "datePublished": "2025-04-01T15:47:12.636Z", "dateReserved": "2024-12-29T08:45:45.800Z", "dateUpdated": "2025-05-04T13:06:50.853Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": 
"{\"cve\":{\"id\":\"CVE-2025-21986\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-01T16:15:30.010\",\"lastModified\":\"2025-04-01T20:26:01.990\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: switchdev: Convert blocking notification chain to a raw one\\n\\nA blocking notification chain uses a read-write semaphore to protect the\\nintegrity of the chain. The semaphore is acquired for writing when\\nadding / removing notifiers to / from the chain and acquired for reading\\nwhen traversing the chain and informing notifiers about an event.\\n\\nIn case of the blocking switchdev notification chain, recursive\\nnotifications are possible which leads to the semaphore being acquired\\ntwice for reading and to lockdep warnings being generated [1].\\n\\nSpecifically, this can happen when the bridge driver processes a\\nSWITCHDEV_BRPORT_UNOFFLOADED event which causes it to emit notifications\\nabout deferred events when calling switchdev_deferred_process().\\n\\nFix this by converting the notification chain to a raw notification\\nchain in a similar fashion to the netdev notification chain. 
Protect\\nthe chain using the RTNL mutex by acquiring it when modifying the chain.\\nEvents are always informed under the RTNL mutex, but add an assertion in\\ncall_switchdev_blocking_notifiers() to make sure this is not violated in\\nthe future.\\n\\nMaintain the \\\"blocking\\\" prefix as events are always emitted from process\\ncontext and listeners are allowed to block.\\n\\n[1]:\\nWARNING: possible recursive locking detected\\n6.14.0-rc4-custom-g079270089484 #1 Not tainted\\n--------------------------------------------\\nip/52731 is trying to acquire lock:\\nffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\\n\\nbut task is already holding lock:\\nffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\\n\\nother info that might help us debug this:\\nPossible unsafe locking scenario:\\nCPU0\\n----\\nlock((switchdev_blocking_notif_chain).rwsem);\\nlock((switchdev_blocking_notif_chain).rwsem);\\n\\n*** DEADLOCK ***\\nMay be due to missing lock nesting notation\\n3 locks held by ip/52731:\\n #0: ffffffff84f795b0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x727/0x1dc0\\n #1: ffffffff8731f628 (\u0026net-\u003ertnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x790/0x1dc0\\n #2: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\\n\\nstack backtrace:\\n...\\n? __pfx_down_read+0x10/0x10\\n? __pfx_mark_lock+0x10/0x10\\n? __pfx_switchdev_port_attr_set_deferred+0x10/0x10\\nblocking_notifier_call_chain+0x58/0xa0\\nswitchdev_port_attr_notify.constprop.0+0xb3/0x1b0\\n? __pfx_switchdev_port_attr_notify.constprop.0+0x10/0x10\\n? mark_held_locks+0x94/0xe0\\n? 
switchdev_deferred_process+0x11a/0x340\\nswitchdev_port_attr_set_deferred+0x27/0xd0\\nswitchdev_deferred_process+0x164/0x340\\nbr_switchdev_port_unoffload+0xc8/0x100 [bridge]\\nbr_switchdev_blocking_event+0x29f/0x580 [bridge]\\nnotifier_call_chain+0xa2/0x440\\nblocking_notifier_call_chain+0x6e/0xa0\\nswitchdev_bridge_port_unoffload+0xde/0x1a0\\n...\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: switchdev: Convertir cadena de notificaci\u00f3n de bloqueo en una sin procesar Una cadena de notificaci\u00f3n de bloqueo utiliza un sem\u00e1foro de lectura y escritura para proteger la integridad de la cadena. El sem\u00e1foro se adquiere para escritura al agregar o quitar notificadores a o de la cadena y se adquiere para lectura al recorrer la cadena e informar a los notificadores sobre un evento. En el caso de la cadena de notificaci\u00f3n de bloqueo switchdev, son posibles las notificaciones recursivas, lo que lleva a que el sem\u00e1foro se adquiera dos veces para lectura y a que se generen advertencias de lockdep [1]. Espec\u00edficamente, esto puede suceder cuando el controlador del puente procesa un evento SWITCHDEV_BRPORT_UNOFFLOADED que hace que emita notificaciones sobre eventos diferidos al llamar a switchdev_deferred_process(). Corrija esto convirtiendo la cadena de notificaci\u00f3n en una cadena de notificaci\u00f3n sin procesar de manera similar a la cadena de notificaci\u00f3n netdev. Proteja la cadena usando el mutex RTNL adquiri\u00e9ndolo al modificar la cadena. Los eventos siempre se informan bajo el mutex RTNL, pero se debe a\u00f1adir una aserci\u00f3n en call_switchdev_blocking_notifiers() para garantizar que no se viole en el futuro. Mantenga el prefijo \\\"blocking\\\", ya que los eventos siempre se emiten desde el contexto del proceso y los oyentes pueden bloquearlos. 
[1]: ADVERTENCIA: posible bloqueo recursivo detectado 6.14.0-rc4-custom-g079270089484 #1 No contaminado -------------------------------------------- ip/52731 est\u00e1 intentando adquirir el bloqueo: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, en: blocking_notifier_call_chain+0x58/0xa0 pero la tarea ya tiene el bloqueo: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, en: blocking_notifier_call_chain+0x58/0xa0 otra informaci\u00f3n que podr\u00eda ayudarnos a depurar esto: Posible escenario de bloqueo inseguro: CPU0 ---- lock((switchdev_blocking_notif_chain).rwsem); bloquear((switchdev_bloqueo_notificaci\u00f3n_cadena).rwsem); *** BLOQUEO INTERMEDIO *** Puede deberse a la falta de notaci\u00f3n de anidamiento de bloqueos. 3 bloqueos mantenidos por ip/52731: #0: ffffffff84f795b0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x727/0x1dc0 #1: ffffffff8731f628 (\u0026amp;net-\u0026gt;rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x790/0x1dc0 #2: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0 stack backtrace: ... ? __pfx_down_read+0x10/0x10 ? __pfx_mark_lock+0x10/0x10 ? __pfx_switchdev_port_attr_set_deferred+0x10/0x10 blocking_notifier_call_chain+0x58/0xa0 switchdev_port_attr_notify.constprop.0+0xb3/0x1b0 ? __pfx_switchdev_port_attr_notify.constprop.0+0x10/0x10 ? mark_held_locks+0x94/0xe0 ? switchdev_deferred_process+0x11a/0x340 switchdev_port_attr_set_deferred+0x27/0xd0 switchdev_deferred_process+0x164/0x340 br_switchdev_port_unoffload+0xc8/0x100 [bridge] br_switchdev_blocking_event+0x29f/0x580 [bridge] notifier_call_chain+0xa2/0x440 blocking_notifier_call_chain+0x6e/0xa0 switchdev_bridge_port_unoffload+0xde/0x1a0 ... 
\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1f7d051814e7a0cb1f0717ed5527c1059992129d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/62531a1effa87bdab12d5104015af72e60d926ff\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a597d4b75669ec82c72cbee9fe75a15d04b35b2b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/af757f5ee3f754c5dceefb05c12ff37cb46fc682\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f9ed3fb50b872bd78bcb01f25087f9e4e25085d8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}" } }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.