{"id":"CVE-2025-22111","summary":"net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.\n\nSIOCBRDELIF is passed to dev_ioctl() first and later forwarded to\nbr_ioctl_call(), which causes unnecessary RTNL dance and the splat\nbelow [0] under RTNL pressure.\n\nLet's say Thread A is trying to detach a device from a bridge and\nThread B is trying to remove the bridge.\n\nIn dev_ioctl(), Thread A bumps the bridge device's refcnt by\nnetdev_hold() and releases RTNL because the following br_ioctl_call()\nalso re-acquires RTNL.\n\nIn the race window, Thread B could acquire RTNL and try to remove\nthe bridge device.  Then, rtnl_unlock() by Thread B will release RTNL\nand wait for netdev_put() by Thread A.\n\nThread A, however, must hold RTNL after the unlock in dev_ifsioc(),\nwhich may take long under RTNL pressure, resulting in the splat by\nThread B.\n\n  Thread A (SIOCBRDELIF)           Thread B (SIOCBRDELBR)\n  ----------------------           ----------------------\n  sock_ioctl                       sock_ioctl\n  `- sock_do_ioctl                 `- br_ioctl_call\n     `- dev_ioctl                     `- br_ioctl_stub\n        |- rtnl_lock                     |\n        |- dev_ifsioc                    '\n        '  |- dev = __dev_get_by_name(...)\n           |- netdev_hold(dev, ...)      .\n       /   |- rtnl_unlock  ------.       |\n       |   |- br_ioctl_call       `---\u003e  |- rtnl_lock\n  Race |   |  `- br_ioctl_stub           |- br_del_bridge\n  Window   |     |                       |  |- dev = __dev_get_by_name(...)\n       |   |     |  May take long        |  `- br_dev_delete(dev, ...)\n       |   |     |  under RTNL pressure  |     `- unregister_netdevice_queue(dev, ...)\n       |   |     |               |       `- rtnl_unlock\n       \\   |     |- rtnl_lock  \u003c-'          `- netdev_run_todo\n           |     |- ...                        `- netdev_run_todo\n           |     `- rtnl_unlock                   |- __rtnl_unlock\n           |                                      |- netdev_wait_allrefs_any\n           |- netdev_put(dev, ...)  \u003c----------------'\n                                                Wait refcnt decrement\n                                                and log splat below\n\nTo avoid blocking SIOCBRDELBR unnecessarily, let's not call\ndev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.\n\nIn the dev_ioctl() path, we do the following:\n\n  1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()\n  2. Check CAP_NET_ADMIN in dev_ioctl()\n  3. Call dev_load() in dev_ioctl()\n  4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()\n\n3. can be done by request_module() in br_ioctl_call(), so we move\n1., 2., and 4. to br_ioctl_stub().\n\nNote that 2. is also checked later in add_del_if(), but it's better\nperformed before RTNL.\n\nSIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since\nthe pre-git era, and there seems to be no specific reason to process\nthem there.\n\n[0]:\nunregister_netdevice: waiting for wpan3 to become free. Usage count = 2\nref_tracker: wpan3@ffff8880662d8608 has 1/1 users at\n     __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]\n     netdev_hold include/linux/netdevice.h:4311 [inline]\n     dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624\n     dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826\n     sock_do_ioctl+0x1ca/0x260 net/socket.c:1213\n     sock_ioctl+0x23a/0x6c0 net/socket.c:1318\n     vfs_ioctl fs/ioctl.c:51 [inline]\n     __do_sys_ioctl fs/ioctl.c:906 [inline]\n     __se_sys_ioctl fs/ioctl.c:892 [inline]\n     __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892\n     do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n     do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83\n     entry_SYSCALL_64_after_hwframe+0x77/0x7f","modified":"2026-04-02T12:45:21.404203Z","published":"2025-04-16T14:12:57.719Z","related":["CGA-mgr6-f54g-rf2q","SUSE-SU-2025:02249-1","SUSE-SU-2025:02254-1","SUSE-SU-2025:02307-1","SUSE-SU-2025:02333-1","SUSE-SU-2025:02335-1","SUSE-SU-2025:02538-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:20475-1","SUSE-SU-2025:20483-1","SUSE-SU-2025:20493-1","SUSE-SU-2025:20498-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22111.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/00fe0ac64efd1f5373b3dd9f1f84b19235371e39"},{"type":"WEB","url":"https://git.kernel.org/stable/c/338a0f3c66aef4ee13052880d02200aae8f2d8a8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4888e1dcc341e9a132ef7b8516234b3c3296de56"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d767ce15045df510f55cdd2af5df0eee71f928d0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ed3ba9b6e280e14cc3148c1b226ba453f02fa76c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f51e471cb1577d510c3096e126678e1ea20d2efd"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22111.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22111"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"893b195875340cb44b54c9db99e708145f1210e8"},{"fixed":"f51e471cb1577d510c3096e126678e1ea20d2efd"},{"fixed":"338a0f3c66aef4ee13052880d02200aae8f2d8a8"},{"fixed":"d767ce15045df510f55cdd2af5df0eee71f928d0"},{"fixed":"4888e1dcc341e9a132ef7b8516234b3c3296de56"},{"fixed":"00fe0ac64efd1f5373b3dd9f1f84b19235371e39"},{"fixed":"ed3ba9b6e280e14cc3148c1b226ba453f02fa76c"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22111.json"}}],"schema_version":"1.7.5"}