{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-23T18:19:18.826","vulnerabilities":[{"cve":{"id":"CVE-2022-48719","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-06-20T11:15:55.470","lastModified":"2024-11-21T07:33:51.357","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet, neigh: Do not trigger immediate probes on NUD_FAILED from neigh_managed_work\n\nsyzkaller was able to trigger a deadlock for NTF_MANAGED entries [0]:\n\n kworker/0:16/14617 is trying to acquire lock:\n ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652\n [...]\n but task is already holding lock:\n ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: neigh_managed_work+0x35/0x250 net/core/neighbour.c:1572\n\nThe neighbor entry turned to NUD_FAILED state, where __neigh_event_send()\ntriggered an immediate probe as per commit cd28ca0a3dd1 (\"neigh: reduce\narp latency\") via neigh_probe() given table lock was held.\n\nOne option to fix this situation is to defer the neigh_probe() back to\nthe neigh_timer_handler() similarly as pre cd28ca0a3dd1. For the case\nof NTF_MANAGED, this deferral is acceptable given this only happens on\nactual failure state and regular / expected state is NUD_VALID with the\nentry already present.\n\nThe fix adds a parameter to __neigh_event_send() in order to communicate\nwhether immediate probe is allowed or disallowed. Existing call-sites\nof neigh_event_send() default as-is to immediate probe. However, the\nneigh_managed_work() disables it via use of neigh_event_send_probe().\n\n[0] \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_deadlock_bug kernel/locking/lockdep.c:2956 [inline]\n check_deadlock kernel/locking/lockdep.c:2999 [inline]\n validate_chain kernel/locking/lockdep.c:3788 [inline]\n __lock_acquire.cold+0x149/0x3ab kernel/locking/lockdep.c:5027\n lock_acquire kernel/locking/lockdep.c:5639 [inline]\n lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5604\n __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [inline]\n _raw_write_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:334\n ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652\n ip6_finish_output2+0x1070/0x14f0 net/ipv6/ip6_output.c:123\n __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]\n __ip6_finish_output+0x61e/0xe90 net/ipv6/ip6_output.c:170\n ip6_finish_output+0x32/0x200 net/ipv6/ip6_output.c:201\n NF_HOOK_COND include/linux/netfilter.h:296 [inline]\n ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224\n dst_output include/net/dst.h:451 [inline]\n NF_HOOK include/linux/netfilter.h:307 [inline]\n ndisc_send_skb+0xa99/0x17f0 net/ipv6/ndisc.c:508\n ndisc_send_ns+0x3a9/0x840 net/ipv6/ndisc.c:650\n ndisc_solicit+0x2cd/0x4f0 net/ipv6/ndisc.c:742\n neigh_probe+0xc2/0x110 net/core/neighbour.c:1040\n __neigh_event_send+0x37d/0x1570 net/core/neighbour.c:1201\n neigh_event_send include/net/neighbour.h:470 [inline]\n neigh_managed_work+0x162/0x250 net/core/neighbour.c:1574\n process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307\n worker_thread+0x657/0x1110 kernel/workqueue.c:2454\n kthread+0x2e9/0x3a0 kernel/kthread.c:377\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n "},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net, neigh: no activar sondas inmediatas en NUD_FAILED desde neigh_managed_work syzkaller pudo activar un punto muerto para las entradas NTF_MANAGED [0]: kworker/0:16/14617 está intentando adquirir bloqueo: ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, en: ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652 [...] pero la tarea ya mantiene el bloqueo: ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, en: neigh_managed_work+0x35/0x250 net/core/neighbour.c:1572 La entrada del vecino pasó al estado NUD_FAILED, donde __neigh_event_send() desencadenó una Sondeo inmediato según el commit cd28ca0a3dd1 (\"relincho: reducir la latencia de arp\") a través de neigh_probe() dado que se mantuvo el bloqueo de la tabla. Una opción para solucionar esta situación es posponer neigh_probe() nuevamente a neigh_timer_handler() de manera similar a como se hacía antes de cd28ca0a3dd1. Para el caso de NTF_MANAGED, este aplazamiento es aceptable dado que esto solo ocurre en el estado de falla real y el estado normal/esperado es NUD_VALID con la entrada ya presente. La solución agrega un parámetro a __neigh_event_send() para comunicar si se permite o no la sonda inmediata. Los sitios de llamadas existentes de neigh_event_send() están predeterminados tal cual para la investigación inmediata. Sin embargo, neigh_managed_work() lo desactiva mediante el uso de neigh_event_send_probe(). [0] __dump_stack lib/dump_stack.c:88 [en línea] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_deadlock_bug kernel/locking/lockdep.c:2956 [en línea] check_deadlock kernel/locking/lockdep.c :2999 [en línea] validar_chain kernel/locking/lockdep.c:3788 [en línea] __lock_acquire.cold+0x149/0x3ab kernel/locking/lockdep.c:5027 lock_acquire kernel/locking/lockdep.c:5639 [en línea] lock_acquire+0x1ab /0x510 kernel/locking/lockdep.c:5604 __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [en línea] _raw_write_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:334 ___neigh_create+0x9e1/0x2990 net/core/neighbour.c :652 ip6_finish_output2+0x1070/0x14f0 net/ipv6/ip6_output.c:123 __ip6_finish_output net/ipv6/ip6_output.c:191 [en línea] __ip6_finish_output+0x61e/0xe90 net/ipv6/ip6_output.c:170 poner+0x32/0x200 neto/ ipv6/ip6_output.c:201 NF_HOOK_COND include/linux/netfilter.h:296 [en línea] ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224 dst_output include/net/dst.h:451 [en línea] NF_HOOK include/ linux/netfilter.h:307 [en línea] ndisc_send_skb+0xa99/0x17f0 net/ipv6/ndisc.c:508 ndisc_send_ns+0x3a9/0x840 net/ipv6/ndisc.c:650 ndisc_solicit+0x2cd/0x4f0 net/ipv6/ndisc.c :742 neigh_probe+0xc2/0x110 net/core/neighbour.c:1040 __neigh_event_send+0x37d/0x1570 net/core/neighbour.c:1201 neigh_event_send include/net/neighbour.h:470 [en línea] neigh_managed_work+0x162/0x250 net/ core/neighbour.c:1574 Process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307 trabajador_thread+0x657/0x1110 kernel/workqueue.c:2454 kthread+0x2e9/0x3a0 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/ x86/entry/entry_64.S:295 "}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"5.16.8","matchCriteriaId":"0623892A-E3E4-44E6-8A5E-39A0B47AF782"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*","matchCriteriaId":"7BD5F8D9-54FA-4CB0-B4F0-CB0471FDDB2D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*","matchCriteriaId":"E6E34B23-78B4-4516-9BD8-61B33F4AC49A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/203a35ebb49cdce377416b0690215d3ce090d364","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4a81f6da9cb2d1ef911131a6fd8bd15cb61fc772","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/203a35ebb49cdce377416b0690215d3ce090d364","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4a81f6da9cb2d1ef911131a6fd8bd15cb61fc772","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}}]}