ghsa-rmcq-9vcc-9423
Vulnerability from github
Published
2025-09-23 06:30
Modified
2025-09-23 06:30
Details

In the Linux kernel, the following vulnerability has been resolved:

macsec: sync features on RTM_NEWLINK

Syzkaller managed to lock the lower device via ETHTOOL_SFEATURES:

netdev_lock include/linux/netdevice.h:2761 [inline] netdev_lock_ops include/net/netdev_lock.h:42 [inline] netdev_sync_lower_features net/core/dev.c:10649 [inline] __netdev_update_features+0xcb1/0x1be0 net/core/dev.c:10819 netdev_update_features+0x6d/0xe0 net/core/dev.c:10876 macsec_notify+0x2f5/0x660 drivers/net/macsec.c:4533 notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline] call_netdevice_notifiers net/core/dev.c:2281 [inline] netdev_features_change+0x85/0xc0 net/core/dev.c:1570 __dev_ethtool net/ethtool/ioctl.c:3469 [inline] dev_ethtool+0x1536/0x19b0 net/ethtool/ioctl.c:3502 dev_ioctl+0x392/0x1150 net/core/dev_ioctl.c:759

It happens because lower features are out of sync with the upper:

__dev_ethtool (real_dev) netdev_lock_ops(real_dev) ETHTOOL_SFEATURES __netdev_features_change netdev_sync_upper_features disable LRO on the lower if (old_features != dev->features) netdev_features_change fires NETDEV_FEAT_CHANGE macsec_notify NETDEV_FEAT_CHANGE netdev_update_features (for each macsec dev) netdev_sync_lower_features if (upper_features != lower_features) netdev_lock_ops(lower) # lower == real_dev stuck ...

netdev_unlock_ops(real_dev)

Per commit af5f54b0ef9e ("net: Lock lower level devices when updating features"), we elide the lock/unlock when the upper and lower features are synced. Makes sure the lower (real_dev) has proper features after the macsec link has been created. This makes sure we never hit the situation where we need to sync upper flags to the lower.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-39874"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-23T06:15:46Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacsec: sync features on RTM_NEWLINK\n\nSyzkaller managed to lock the lower device via ETHTOOL_SFEATURES:\n\n netdev_lock include/linux/netdevice.h:2761 [inline]\n netdev_lock_ops include/net/netdev_lock.h:42 [inline]\n netdev_sync_lower_features net/core/dev.c:10649 [inline]\n __netdev_update_features+0xcb1/0x1be0 net/core/dev.c:10819\n netdev_update_features+0x6d/0xe0 net/core/dev.c:10876\n macsec_notify+0x2f5/0x660 drivers/net/macsec.c:4533\n notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85\n call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]\n call_netdevice_notifiers net/core/dev.c:2281 [inline]\n netdev_features_change+0x85/0xc0 net/core/dev.c:1570\n __dev_ethtool net/ethtool/ioctl.c:3469 [inline]\n dev_ethtool+0x1536/0x19b0 net/ethtool/ioctl.c:3502\n dev_ioctl+0x392/0x1150 net/core/dev_ioctl.c:759\n\nIt happens because lower features are out of sync with the upper:\n\n  __dev_ethtool (real_dev)\n    netdev_lock_ops(real_dev)\n    ETHTOOL_SFEATURES\n      __netdev_features_change\n        netdev_sync_upper_features\n          disable LRO on the lower\n    if (old_features != dev-\u003efeatures)\n      netdev_features_change\n        fires NETDEV_FEAT_CHANGE\n\tmacsec_notify\n\t  NETDEV_FEAT_CHANGE\n\t    netdev_update_features (for each macsec dev)\n\t      netdev_sync_lower_features\n\t        if (upper_features != lower_features)\n\t          netdev_lock_ops(lower) # lower == real_dev\n\t\t  stuck\n\t\t  ...\n\n    netdev_unlock_ops(real_dev)\n\nPer commit af5f54b0ef9e (\"net: Lock lower level devices when updating\nfeatures\"), we elide the lock/unlock when the upper and lower features\nare synced. Makes sure the lower (real_dev) has proper features after\nthe macsec link has been created. This makes sure we never hit the\nsituation where we need to sync upper flags to the lower.",
  "id": "GHSA-rmcq-9vcc-9423",
  "modified": "2025-09-23T06:30:27Z",
  "published": "2025-09-23T06:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39874"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f82c3ba66c6b2e3cde0f255156a753b108ee9dc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d7624629ccf47135c65fef0701fa0d9a115b87f3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.