net: avoid race between device unregistration and ethnl ops

Summary

CVE	CVE-2025-21701
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2025-02-13 15:15:20 UTC
Updated	2026-05-12 13:16:32 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: net: avoid race between device unregistration and ethnl ops The following trace can be seen if a device is being unregistered while its number of channels are being modified. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace: <TASK> ethtool_check_max_channel+0x1ea/0x880 ethnl_set_channels+0x3c3/0xb10 ethnl_default_set_doit+0x306/0x650 genl_family_rcv_msg_doit+0x1e3/0x2c0 genl_rcv_msg+0x432/0x6f0 netlink_rcv_skb+0x13d/0x3b0 genl_rcv+0x28/0x40 netlink_unicast+0x42e/0x720 netlink_sendmsg+0x765/0xc20 __sys_sendto+0x3ac/0x420 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is because unregister_netdevice_many_notify might run before the rtnl lock section of ethnl operations, eg. set_channels in the above example. In this example the rss lock would be destroyed by the device unregistration path before being used again, but in general running ethnl operations while dismantle has started is not a good idea. Fix this by denying any operation on devices being unregistered. A check was already there in ethnl_ops_begin, but not wide enough. Note that the same issue cannot be seen on the ioctl version (__dev_ethtool) because the device reference is retrieved from within the rtnl lock section there. Once dismantle started, the net device is unlisted and no reference will be found.

Risk And Classification

Primary CVSS: v3.1 4.7 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-362 | CWE-362 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	4.7	MEDIUM	`CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H`
3.1	ADP	DECLARED	7.4	HIGH	`CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
3.1	134c704f-9b21-4f2e-91b3-4a467353bcc0	Secondary	7.4	HIGH	`CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected cfd719f04267108f5f5bf802b9d7de69e99a99f9 26bc6076798aa4dc83a07d0a386f9e57c94e8517 git	Not specified
CNA	Linux	Linux	affected dde91ccfa25fd58f64c397d91b81a4b393100ffa b1cb37a31a482df3dd35a6ac166282dac47664f4 git	Not specified
CNA	Linux	Linux	affected dde91ccfa25fd58f64c397d91b81a4b393100ffa 2f29127e94ae9fdc7497331003d6860e9551cdf3 git	Not specified
CNA	Linux	Linux	affected dde91ccfa25fd58f64c397d91b81a4b393100ffa b382ab9b885cbb665e0e70a727f101c981b4edf3 git	Not specified
CNA	Linux	Linux	affected dde91ccfa25fd58f64c397d91b81a4b393100ffa 4dc880245f9b529fa8f476b5553c799d2848b47b git	Not specified
CNA	Linux	Linux	affected dde91ccfa25fd58f64c397d91b81a4b393100ffa 12e070eb6964b341b41677fd260af5a305316a1f git	Not specified
CNA	Linux	Linux	affected 7c26da3be1e9843a15b5318f90db8a564479d2ac git	Not specified
CNA	Linux	Linux	affected 5.16	Not specified
CNA	Linux	Linux	unaffected 5.16 semver	Not specified
CNA	Linux	Linux	unaffected 5.15.179 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.129 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.76 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.13 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.13.2 6.13.* semver	Not specified
CNA	Linux	Linux	unaffected 6.14 * original_commit_for_fix	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	affected V3.1.5 * custom	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/b1cb37a31a482df3dd35a6ac166282dac47664f4	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/12e070eb6964b341b41677fd260af5a305316a1f	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
cert-portal.siemens.com/productcert/html/ssa-082556.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
git.kernel.org/stable/c/2f29127e94ae9fdc7497331003d6860e9551cdf3	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/26bc6076798aa4dc83a07d0a386f9e57c94e8517	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/4dc880245f9b529fa8f476b5553c799d2848b47b	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/b382ab9b885cbb665e0e70a727f101c981b4edf3	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
lists.debian.org/debian-lts-announce/2025/03/msg00028.html	af854a3a-2127-422b-91ae-364da2661108	lists.debian.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.