{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-15T07:54:51.493","vulnerabilities":[{"cve":{"id":"CVE-2025-22111","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-04-16T15:16:05.347","lastModified":"2026-01-19T13:16:07.750","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.\n\nSIOCBRDELIF is passed to dev_ioctl() first and later forwarded to\nbr_ioctl_call(), which causes unnecessary RTNL dance and the splat\nbelow [0] under RTNL pressure.\n\nLet's say Thread A is trying to detach a device from a bridge and\nThread B is trying to remove the bridge.\n\nIn dev_ioctl(), Thread A bumps the bridge device's refcnt by\nnetdev_hold() and releases RTNL because the following br_ioctl_call()\nalso re-acquires RTNL.\n\nIn the race window, Thread B could acquire RTNL and try to remove\nthe bridge device.  Then, rtnl_unlock() by Thread B will release RTNL\nand wait for netdev_put() by Thread A.\n\nThread A, however, must hold RTNL after the unlock in dev_ifsioc(),\nwhich may take long under RTNL pressure, resulting in the splat by\nThread B.\n\n  Thread A (SIOCBRDELIF)           Thread B (SIOCBRDELBR)\n  ----------------------           ----------------------\n  sock_ioctl                       sock_ioctl\n  `- sock_do_ioctl                 `- br_ioctl_call\n     `- dev_ioctl                     `- br_ioctl_stub\n        |- rtnl_lock                     |\n        |- dev_ifsioc                    '\n        '  |- dev = __dev_get_by_name(...)\n           |- netdev_hold(dev, ...)      .\n       \/   |- rtnl_unlock  ------.       |\n       |   |- br_ioctl_call       `--->  |- rtnl_lock\n  Race |   |  `- br_ioctl_stub           |- br_del_bridge\n  Window   |     |                       |  |- dev = __dev_get_by_name(...)\n       |   |     |  May take long        |  `- br_dev_delete(dev, ...)\n       |   |     |  under RTNL pressure  |     `- unregister_netdevice_queue(dev, ...)\n       |   |     |               |       `- rtnl_unlock\n       \\   |     |- rtnl_lock  <-'          `- netdev_run_todo\n           |     |- ...                        `- netdev_run_todo\n           |     `- rtnl_unlock                   |- __rtnl_unlock\n           |                                      |- netdev_wait_allrefs_any\n           |- netdev_put(dev, ...)  <----------------'\n                                                Wait refcnt decrement\n                                                and log splat below\n\nTo avoid blocking SIOCBRDELBR unnecessarily, let's not call\ndev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.\n\nIn the dev_ioctl() path, we do the following:\n\n  1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()\n  2. Check CAP_NET_ADMIN in dev_ioctl()\n  3. Call dev_load() in dev_ioctl()\n  4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()\n\n3. can be done by request_module() in br_ioctl_call(), so we move\n1., 2., and 4. to br_ioctl_stub().\n\nNote that 2. is also checked later in add_del_if(), but it's better\nperformed before RTNL.\n\nSIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since\nthe pre-git era, and there seems to be no specific reason to process\nthem there.\n\n[0]:\nunregister_netdevice: waiting for wpan3 to become free. Usage count = 2\nref_tracker: wpan3@ffff8880662d8608 has 1\/1 users at\n     __netdev_tracker_alloc include\/linux\/netdevice.h:4282 [inline]\n     netdev_hold include\/linux\/netdevice.h:4311 [inline]\n     dev_ifsioc+0xc6a\/0x1160 net\/core\/dev_ioctl.c:624\n     dev_ioctl+0x255\/0x10c0 net\/core\/dev_ioctl.c:826\n     sock_do_ioctl+0x1ca\/0x260 net\/socket.c:1213\n     sock_ioctl+0x23a\/0x6c0 net\/socket.c:1318\n     vfs_ioctl fs\/ioctl.c:51 [inline]\n     __do_sys_ioctl fs\/ioctl.c:906 [inline]\n     __se_sys_ioctl fs\/ioctl.c:892 [inline]\n     __x64_sys_ioctl+0x1a4\/0x210 fs\/ioctl.c:892\n     do_syscall_x64 arch\/x86\/entry\/common.c:52 [inline]\n     do_syscall_64+0xcb\/0x250 arch\/x86\/entry\/common.c:83\n     entry_SYSCALL_64_after_hwframe+0x77\/0x7f"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: Eliminación del movimiento RTNL para SIOCBRADDIF y SIOCBRDELIF. SIOCBRDELIF se pasa primero a dev_ioctl() y luego a br_ioctl_call(), lo que provoca un movimiento RTNL innecesario y el splat debajo de [0] bajo presión RTNL. Supongamos que el subproceso A intenta desconectar un dispositivo de un puente y el subproceso B intenta eliminar el puente. En dev_ioctl(), el subproceso A aumenta el refcnt del dispositivo puente mediante netdev_hold() y libera RTNL porque el subproceso br_ioctl_call() también vuelve a adquirir RTNL. En la ventana de ejecución, el subproceso B podría adquirir RTNL e intentar eliminar el dispositivo puente. Luego, rtnl_unlock() del subproceso B liberará RTNL y esperará a netdev_put() del subproceso A. Sin embargo, el subproceso A debe mantener RTNL después del desbloqueo en dev_ifsioc(), lo que puede tardar mucho bajo la presión de RTNL, lo que resulta en el splat del subproceso B. Subproceso A (SIOCBRDELIF) Subproceso B (SIOCBRDELBR) ---------------------- ---------------------- sock_ioctl sock_ioctl `- sock_do_ioctl `- br_ioctl_call `- dev_ioctl `- br_ioctl_stub |- rtnl_lock | |- dev_ifsioc ' ' |- dev = __dev_get_by_name(...) |- netdev_hold(dev, ...) . \/ |- rtnl_unlock ------. | | |- br_ioctl_call `---&gt; |- rtnl_lock Race | | `- br_ioctl_stub |- br_del_bridge Ventana | | | |- dev = __dev_get_by_name(...) | | | Puede tomar mucho tiempo | `- br_dev_delete(dev, ...) | | | bajo presión RTNL | `- unregister_netdevice_queue(dev, ...) | | | | `- rtnl_unlock \\ | |- rtnl_lock &lt;-' `- netdev_run_todo | |- ... `- netdev_run_todo | `- rtnl_unlock |- __rtnl_unlock | |- netdev_wait_allrefs_any |- netdev_put(dev, ...) &lt;----------------' Espere la disminución de refcnt y registre splat a continuación Para evitar bloquear SIOCBRDELBR innecesariamente, no llamemos a dev_ioctl() para SIOCBRADDIF y SIOCBRDELIF. En la ruta dev_ioctl(), hacemos lo siguiente: 1. Copiar struct ifreq por get_user_ifreq en sock_do_ioctl() 2. Verificar CAP_NET_ADMIN en dev_ioctl() 3. Llamar a dev_load() en dev_ioctl() 4. Obtener el dev maestro de ifr.ifr_name en dev_ifsioc() 3. se puede hacer por request_module() en br_ioctl_call(), por lo que movemos 1., 2. y 4. a br_ioctl_stub(). Tenga en cuenta que 2. también se verifica más adelante en add_del_if(), pero se realiza mejor antes de RTNL. SIOCBRADDIF y SIOCBRDELIF se han procesado en dev_ioctl() desde la era anterior a Git, y no parece haber una razón específica para procesarlos allí. [0]: unregister_netdevice: esperando a que wpan3 quede libre. Recuento de uso = 2 ref_tracker: wpan3@ffff8880662d8608 tiene 1\/1 usuarios en __netdev_tracker_alloc include\/linux\/netdevice.h:4282 [en línea] netdev_hold include\/linux\/netdevice.h:4311 [en línea] dev_ifsioc+0xc6a\/0x1160 net\/core\/dev_ioctl.c:624 dev_ioctl+0x255\/0x10c0 net\/core\/dev_ioctl.c:826 sock_do_ioctl+0x1ca\/0x260 net\/socket.c:1213 sock_ioctl+0x23a\/0x6c0 net\/socket.c:1318 vfs_ioctl fs\/ioctl.c:51 [en línea] __do_sys_ioctl fs\/ioctl.c:906 [en línea] __se_sys_ioctl fs\/ioctl.c:892 [en línea] __x64_sys_ioctl+0x1a4\/0x210 fs\/ioctl.c:892 do_syscall_x64 arch\/x86\/entry\/common.c:52 [en línea] do_syscall_64+0xcb\/0x250 arch\/x86\/entry\/common.c:83 entry_SYSCALL_64_after_hwframe+0x77\/0x7f"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:N\/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.14.2","matchCriteriaId":"62F7E4C5-AD41-48D0-96D6-27105CC06826"}]}]}],"references":[{"url":"https:\/\/git.kernel.org\/stable\/c\/00fe0ac64efd1f5373b3dd9f1f84b19235371e39","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/338a0f3c66aef4ee13052880d02200aae8f2d8a8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https:\/\/git.kernel.org\/stable\/c\/4888e1dcc341e9a132ef7b8516234b3c3296de56","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https:\/\/git.kernel.org\/stable\/c\/d767ce15045df510f55cdd2af5df0eee71f928d0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https:\/\/git.kernel.org\/stable\/c\/ed3ba9b6e280e14cc3148c1b226ba453f02fa76c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/f51e471cb1577d510c3096e126678e1ea20d2efd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}]}