cve/published/2025/CVE-2025-21701.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21701: net: avoid race between device unregistration and ethnl ops

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: avoid race between device unregistration and ethnl ops

 The following trace can be seen if a device is being unregistered while
 its number of channels are being modified.

   DEBUG_LOCKS_WARN_ON(lock->magic != lock)
   WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120
   CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771
   RIP: 0010:__mutex_lock+0xc8a/0x1120
   Call Trace:
    <TASK>
    ethtool_check_max_channel+0x1ea/0x880
    ethnl_set_channels+0x3c3/0xb10
    ethnl_default_set_doit+0x306/0x650
    genl_family_rcv_msg_doit+0x1e3/0x2c0
    genl_rcv_msg+0x432/0x6f0
    netlink_rcv_skb+0x13d/0x3b0
    genl_rcv+0x28/0x40
    netlink_unicast+0x42e/0x720
    netlink_sendmsg+0x765/0xc20
    __sys_sendto+0x3ac/0x420
    __x64_sys_sendto+0xe0/0x1c0
    do_syscall_64+0x95/0x180
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

 This is because unregister_netdevice_many_notify might run before the
 rtnl lock section of ethnl operations, eg. set_channels in the above
 example. In this example the rss lock would be destroyed by the device
 unregistration path before being used again, but in general running
 ethnl operations while dismantle has started is not a good idea.

 Fix this by denying any operation on devices being unregistered. A check
 was already there in ethnl_ops_begin, but not wide enough.

 Note that the same issue cannot be seen on the ioctl version
 (__dev_ethtool) because the device reference is retrieved from within
 the rtnl lock section there. Once dismantle started, the net device is
 unlisted and no reference will be found.

 The Linux kernel CVE team has assigned CVE-2025-21701 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15.8 with commit cfd719f04267108f5f5bf802b9d7de69e99a99f9 and fixed in 5.15.179 with commit 26bc6076798aa4dc83a07d0a386f9e57c94e8517
 	Issue introduced in 5.16 with commit dde91ccfa25fd58f64c397d91b81a4b393100ffa and fixed in 6.1.129 with commit b1cb37a31a482df3dd35a6ac166282dac47664f4
 	Issue introduced in 5.16 with commit dde91ccfa25fd58f64c397d91b81a4b393100ffa and fixed in 6.6.76 with commit 2f29127e94ae9fdc7497331003d6860e9551cdf3
 	Issue introduced in 5.16 with commit dde91ccfa25fd58f64c397d91b81a4b393100ffa and fixed in 6.12.13 with commit b382ab9b885cbb665e0e70a727f101c981b4edf3
 	Issue introduced in 5.16 with commit dde91ccfa25fd58f64c397d91b81a4b393100ffa and fixed in 6.13.2 with commit 4dc880245f9b529fa8f476b5553c799d2848b47b
 	Issue introduced in 5.16 with commit dde91ccfa25fd58f64c397d91b81a4b393100ffa and fixed in 6.14 with commit 12e070eb6964b341b41677fd260af5a305316a1f
 	Issue introduced in 5.10.87 with commit 7c26da3be1e9843a15b5318f90db8a564479d2ac

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21701
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ethtool/netlink.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/26bc6076798aa4dc83a07d0a386f9e57c94e8517
 	https://git.kernel.org/stable/c/b1cb37a31a482df3dd35a6ac166282dac47664f4
 	https://git.kernel.org/stable/c/2f29127e94ae9fdc7497331003d6860e9551cdf3
 	https://git.kernel.org/stable/c/b382ab9b885cbb665e0e70a727f101c981b4edf3
 	https://git.kernel.org/stable/c/4dc880245f9b529fa8f476b5553c799d2848b47b
 	https://git.kernel.org/stable/c/12e070eb6964b341b41677fd260af5a305316a1f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21701: net: avoid race between device unregistration and ethnl ops

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: avoid race between device unregistration and ethnl ops

	The following trace can be seen if a device is being unregistered while
	its number of channels are being modified.

	DEBUG_LOCKS_WARN_ON(lock->magic != lock)
	WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120
	CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771
	RIP: 0010:__mutex_lock+0xc8a/0x1120
	Call Trace:
	<TASK>
	ethtool_check_max_channel+0x1ea/0x880
	ethnl_set_channels+0x3c3/0xb10
	ethnl_default_set_doit+0x306/0x650
	genl_family_rcv_msg_doit+0x1e3/0x2c0
	genl_rcv_msg+0x432/0x6f0
	netlink_rcv_skb+0x13d/0x3b0
	genl_rcv+0x28/0x40
	netlink_unicast+0x42e/0x720
	netlink_sendmsg+0x765/0xc20
	__sys_sendto+0x3ac/0x420
	__x64_sys_sendto+0xe0/0x1c0
	do_syscall_64+0x95/0x180
	entry_SYSCALL_64_after_hwframe+0x76/0x7e

	This is because unregister_netdevice_many_notify might run before the
	rtnl lock section of ethnl operations, eg. set_channels in the above
	example. In this example the rss lock would be destroyed by the device
	unregistration path before being used again, but in general running
	ethnl operations while dismantle has started is not a good idea.

	Fix this by denying any operation on devices being unregistered. A check
	was already there in ethnl_ops_begin, but not wide enough.

	Note that the same issue cannot be seen on the ioctl version
	(__dev_ethtool) because the device reference is retrieved from within
	the rtnl lock section there. Once dismantle started, the net device is
	unlisted and no reference will be found.

	The Linux kernel CVE team has assigned CVE-2025-21701 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15.8 with commit cfd719f04267108f5f5bf802b9d7de69e99a99f9 and fixed in 5.15.179 with commit 26bc6076798aa4dc83a07d0a386f9e57c94e8517
	Issue introduced in 5.16 with commit dde91ccfa25fd58f64c397d91b81a4b393100ffa and fixed in 6.1.129 with commit b1cb37a31a482df3dd35a6ac166282dac47664f4
	Issue introduced in 5.16 with commit dde91ccfa25fd58f64c397d91b81a4b393100ffa and fixed in 6.6.76 with commit 2f29127e94ae9fdc7497331003d6860e9551cdf3
	Issue introduced in 5.16 with commit dde91ccfa25fd58f64c397d91b81a4b393100ffa and fixed in 6.12.13 with commit b382ab9b885cbb665e0e70a727f101c981b4edf3
	Issue introduced in 5.16 with commit dde91ccfa25fd58f64c397d91b81a4b393100ffa and fixed in 6.13.2 with commit 4dc880245f9b529fa8f476b5553c799d2848b47b
	Issue introduced in 5.16 with commit dde91ccfa25fd58f64c397d91b81a4b393100ffa and fixed in 6.14 with commit 12e070eb6964b341b41677fd260af5a305316a1f
	Issue introduced in 5.10.87 with commit 7c26da3be1e9843a15b5318f90db8a564479d2ac

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21701
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ethtool/netlink.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/26bc6076798aa4dc83a07d0a386f9e57c94e8517
	https://git.kernel.org/stable/c/b1cb37a31a482df3dd35a6ac166282dac47664f4
	https://git.kernel.org/stable/c/2f29127e94ae9fdc7497331003d6860e9551cdf3
	https://git.kernel.org/stable/c/b382ab9b885cbb665e0e70a727f101c981b4edf3
	https://git.kernel.org/stable/c/4dc880245f9b529fa8f476b5553c799d2848b47b
	https://git.kernel.org/stable/c/12e070eb6964b341b41677fd260af5a305316a1f