CVE-2025-21986 (GCVE-0-2025-21986)
Vulnerability from cvelistv5
Published
2025-04-01 15:47
Modified
2025-05-04 13:06
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net: switchdev: Convert blocking notification chain to a raw one A blocking notification chain uses a read-write semaphore to protect the integrity of the chain. The semaphore is acquired for writing when adding / removing notifiers to / from the chain and acquired for reading when traversing the chain and informing notifiers about an event. In case of the blocking switchdev notification chain, recursive notifications are possible which leads to the semaphore being acquired twice for reading and to lockdep warnings being generated [1]. Specifically, this can happen when the bridge driver processes a SWITCHDEV_BRPORT_UNOFFLOADED event which causes it to emit notifications about deferred events when calling switchdev_deferred_process(). Fix this by converting the notification chain to a raw notification chain in a similar fashion to the netdev notification chain. Protect the chain using the RTNL mutex by acquiring it when modifying the chain. Events are always informed under the RTNL mutex, but add an assertion in call_switchdev_blocking_notifiers() to make sure this is not violated in the future. Maintain the "blocking" prefix as events are always emitted from process context and listeners are allowed to block. [1]: WARNING: possible recursive locking detected 6.14.0-rc4-custom-g079270089484 #1 Not tainted -------------------------------------------- ip/52731 is trying to acquire lock: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0 but task is already holding lock: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock((switchdev_blocking_notif_chain).rwsem); lock((switchdev_blocking_notif_chain).rwsem); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by ip/52731: #0: ffffffff84f795b0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x727/0x1dc0 #1: ffffffff8731f628 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x790/0x1dc0 #2: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0 stack backtrace: ... ? __pfx_down_read+0x10/0x10 ? __pfx_mark_lock+0x10/0x10 ? __pfx_switchdev_port_attr_set_deferred+0x10/0x10 blocking_notifier_call_chain+0x58/0xa0 switchdev_port_attr_notify.constprop.0+0xb3/0x1b0 ? __pfx_switchdev_port_attr_notify.constprop.0+0x10/0x10 ? mark_held_locks+0x94/0xe0 ? switchdev_deferred_process+0x11a/0x340 switchdev_port_attr_set_deferred+0x27/0xd0 switchdev_deferred_process+0x164/0x340 br_switchdev_port_unoffload+0xc8/0x100 [bridge] br_switchdev_blocking_event+0x29f/0x580 [bridge] notifier_call_chain+0xa2/0x440 blocking_notifier_call_chain+0x6e/0xa0 switchdev_bridge_port_unoffload+0xde/0x1a0 ...
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1f7d051814e7a0cb1f0717ed5527c1059992129d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/62531a1effa87bdab12d5104015af72e60d926ff
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a597d4b75669ec82c72cbee9fe75a15d04b35b2b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/af757f5ee3f754c5dceefb05c12ff37cb46fc682
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f9ed3fb50b872bd78bcb01f25087f9e4e25085d8
Impacted products
Vendor Product Version
Linux Linux Version: 91ac2c79e896b28a4a3a262384689ee6dfeaf083
Version: a83856bd0c240267a86ce3388f3437d6ba5ac5ca
Version: f7a70d650b0b6b0134ccba763d672c8439d9f09b
Version: f7a70d650b0b6b0134ccba763d672c8439d9f09b
Version: f7a70d650b0b6b0134ccba763d672c8439d9f09b
Version: a7589eca09929c3cc2a62950ef7f40bcc58afe3a
 Create a notification for this product.
   Linux Linux Version: 6.8
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/switchdev/switchdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "af757f5ee3f754c5dceefb05c12ff37cb46fc682",
              "status": "affected",
              "version": "91ac2c79e896b28a4a3a262384689ee6dfeaf083",
              "versionType": "git"
            },
            {
              "lessThan": "1f7d051814e7a0cb1f0717ed5527c1059992129d",
              "status": "affected",
              "version": "a83856bd0c240267a86ce3388f3437d6ba5ac5ca",
              "versionType": "git"
            },
            {
              "lessThan": "a597d4b75669ec82c72cbee9fe75a15d04b35b2b",
              "status": "affected",
              "version": "f7a70d650b0b6b0134ccba763d672c8439d9f09b",
              "versionType": "git"
            },
            {
              "lessThan": "f9ed3fb50b872bd78bcb01f25087f9e4e25085d8",
              "status": "affected",
              "version": "f7a70d650b0b6b0134ccba763d672c8439d9f09b",
              "versionType": "git"
            },
            {
              "lessThan": "62531a1effa87bdab12d5104015af72e60d926ff",
              "status": "affected",
              "version": "f7a70d650b0b6b0134ccba763d672c8439d9f09b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a7589eca09929c3cc2a62950ef7f40bcc58afe3a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/switchdev/switchdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "6.1.80",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "6.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.7.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: switchdev: Convert blocking notification chain to a raw one\n\nA blocking notification chain uses a read-write semaphore to protect the\nintegrity of the chain. The semaphore is acquired for writing when\nadding / removing notifiers to / from the chain and acquired for reading\nwhen traversing the chain and informing notifiers about an event.\n\nIn case of the blocking switchdev notification chain, recursive\nnotifications are possible which leads to the semaphore being acquired\ntwice for reading and to lockdep warnings being generated [1].\n\nSpecifically, this can happen when the bridge driver processes a\nSWITCHDEV_BRPORT_UNOFFLOADED event which causes it to emit notifications\nabout deferred events when calling switchdev_deferred_process().\n\nFix this by converting the notification chain to a raw notification\nchain in a similar fashion to the netdev notification chain. Protect\nthe chain using the RTNL mutex by acquiring it when modifying the chain.\nEvents are always informed under the RTNL mutex, but add an assertion in\ncall_switchdev_blocking_notifiers() to make sure this is not violated in\nthe future.\n\nMaintain the \"blocking\" prefix as events are always emitted from process\ncontext and listeners are allowed to block.\n\n[1]:\nWARNING: possible recursive locking detected\n6.14.0-rc4-custom-g079270089484 #1 Not tainted\n--------------------------------------------\nip/52731 is trying to acquire lock:\nffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\n\nbut task is already holding lock:\nffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\n\nother info that might help us debug this:\nPossible unsafe locking scenario:\nCPU0\n----\nlock((switchdev_blocking_notif_chain).rwsem);\nlock((switchdev_blocking_notif_chain).rwsem);\n\n*** DEADLOCK ***\nMay be due to missing lock nesting notation\n3 locks held by ip/52731:\n #0: ffffffff84f795b0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x727/0x1dc0\n #1: ffffffff8731f628 (\u0026net-\u003ertnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x790/0x1dc0\n #2: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\n\nstack backtrace:\n...\n? __pfx_down_read+0x10/0x10\n? __pfx_mark_lock+0x10/0x10\n? __pfx_switchdev_port_attr_set_deferred+0x10/0x10\nblocking_notifier_call_chain+0x58/0xa0\nswitchdev_port_attr_notify.constprop.0+0xb3/0x1b0\n? __pfx_switchdev_port_attr_notify.constprop.0+0x10/0x10\n? mark_held_locks+0x94/0xe0\n? switchdev_deferred_process+0x11a/0x340\nswitchdev_port_attr_set_deferred+0x27/0xd0\nswitchdev_deferred_process+0x164/0x340\nbr_switchdev_port_unoffload+0xc8/0x100 [bridge]\nbr_switchdev_blocking_event+0x29f/0x580 [bridge]\nnotifier_call_chain+0xa2/0x440\nblocking_notifier_call_chain+0x6e/0xa0\nswitchdev_bridge_port_unoffload+0xde/0x1a0\n..."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:50.853Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/af757f5ee3f754c5dceefb05c12ff37cb46fc682"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f7d051814e7a0cb1f0717ed5527c1059992129d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a597d4b75669ec82c72cbee9fe75a15d04b35b2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9ed3fb50b872bd78bcb01f25087f9e4e25085d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/62531a1effa87bdab12d5104015af72e60d926ff"
        }
      ],
      "title": "net: switchdev: Convert blocking notification chain to a raw one",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21986",
    "datePublished": "2025-04-01T15:47:12.636Z",
    "dateReserved": "2024-12-29T08:45:45.800Z",
    "dateUpdated": "2025-05-04T13:06:50.853Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21986\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-01T16:15:30.010\",\"lastModified\":\"2025-04-01T20:26:01.990\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: switchdev: Convert blocking notification chain to a raw one\\n\\nA blocking notification chain uses a read-write semaphore to protect the\\nintegrity of the chain. The semaphore is acquired for writing when\\nadding / removing notifiers to / from the chain and acquired for reading\\nwhen traversing the chain and informing notifiers about an event.\\n\\nIn case of the blocking switchdev notification chain, recursive\\nnotifications are possible which leads to the semaphore being acquired\\ntwice for reading and to lockdep warnings being generated [1].\\n\\nSpecifically, this can happen when the bridge driver processes a\\nSWITCHDEV_BRPORT_UNOFFLOADED event which causes it to emit notifications\\nabout deferred events when calling switchdev_deferred_process().\\n\\nFix this by converting the notification chain to a raw notification\\nchain in a similar fashion to the netdev notification chain. Protect\\nthe chain using the RTNL mutex by acquiring it when modifying the chain.\\nEvents are always informed under the RTNL mutex, but add an assertion in\\ncall_switchdev_blocking_notifiers() to make sure this is not violated in\\nthe future.\\n\\nMaintain the \\\"blocking\\\" prefix as events are always emitted from process\\ncontext and listeners are allowed to block.\\n\\n[1]:\\nWARNING: possible recursive locking detected\\n6.14.0-rc4-custom-g079270089484 #1 Not tainted\\n--------------------------------------------\\nip/52731 is trying to acquire lock:\\nffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\\n\\nbut task is already holding lock:\\nffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\\n\\nother info that might help us debug this:\\nPossible unsafe locking scenario:\\nCPU0\\n----\\nlock((switchdev_blocking_notif_chain).rwsem);\\nlock((switchdev_blocking_notif_chain).rwsem);\\n\\n*** DEADLOCK ***\\nMay be due to missing lock nesting notation\\n3 locks held by ip/52731:\\n #0: ffffffff84f795b0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x727/0x1dc0\\n #1: ffffffff8731f628 (\u0026net-\u003ertnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x790/0x1dc0\\n #2: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\\n\\nstack backtrace:\\n...\\n? __pfx_down_read+0x10/0x10\\n? __pfx_mark_lock+0x10/0x10\\n? __pfx_switchdev_port_attr_set_deferred+0x10/0x10\\nblocking_notifier_call_chain+0x58/0xa0\\nswitchdev_port_attr_notify.constprop.0+0xb3/0x1b0\\n? __pfx_switchdev_port_attr_notify.constprop.0+0x10/0x10\\n? mark_held_locks+0x94/0xe0\\n? switchdev_deferred_process+0x11a/0x340\\nswitchdev_port_attr_set_deferred+0x27/0xd0\\nswitchdev_deferred_process+0x164/0x340\\nbr_switchdev_port_unoffload+0xc8/0x100 [bridge]\\nbr_switchdev_blocking_event+0x29f/0x580 [bridge]\\nnotifier_call_chain+0xa2/0x440\\nblocking_notifier_call_chain+0x6e/0xa0\\nswitchdev_bridge_port_unoffload+0xde/0x1a0\\n...\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1f7d051814e7a0cb1f0717ed5527c1059992129d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/62531a1effa87bdab12d5104015af72e60d926ff\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a597d4b75669ec82c72cbee9fe75a15d04b35b2b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/af757f5ee3f754c5dceefb05c12ff37cb46fc682\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f9ed3fb50b872bd78bcb01f25087f9e4e25085d8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.