CVE-2025-21806

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/02/2025
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: let net.core.dev_weight always be non-zero

The following problem was encountered during stability test:

(NULL net_device): NAPI poll function process_backlog+0x0/0x530 \
returned 1, exceeding its budget of 0.
------------[ cut here ]------------
list_add double add: new=ffff88905f746f48, prev=ffff88905f746f48, \
next=ffff88905f746e40.
WARNING: CPU: 18 PID: 5462 at lib/list_debug.c:35 \
__list_add_valid_or_report+0xf3/0x130
CPU: 18 UID: 0 PID: 5462 Comm: ping Kdump: loaded Not tainted 6.13.0-rc7+
RIP: 0010:__list_add_valid_or_report+0xf3/0x130
Call Trace:
? __warn+0xcd/0x250
? __list_add_valid_or_report+0xf3/0x130
enqueue_to_backlog+0x923/0x1070
netif_rx_internal+0x92/0x2b0
__netif_rx+0x15/0x170
loopback_xmit+0x2ef/0x450
dev_hard_start_xmit+0x103/0x490
__dev_queue_xmit+0xeac/0x1950
ip_finish_output2+0x6cc/0x1620
ip_output+0x161/0x270
ip_push_pending_frames+0x155/0x1a0
raw_sendmsg+0xe13/0x1550
__sys_sendto+0x3bf/0x4e0
__x64_sys_sendto+0xdc/0x1b0
do_syscall_64+0x5b/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e

The reproduction command is as follows:
sysctl -w net.core.dev_weight=0
ping 127.0.0.1

This is because when the napi's weight is set to 0, process_backlog() may
return 0 and clear the NAPI_STATE_SCHED bit of napi->state, causing this
napi to be re-polled in net_rx_action() until __do_softirq() times out.
Since the NAPI_STATE_SCHED bit has been cleared, napi_schedule_rps() can
be retriggered in enqueue_to_backlog(), causing this issue.

Making the napi's weight always non-zero solves this problem.

Triggering this issue requires system-wide admin (setting is
not namespaced).

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.13 (including) 5.4.291 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.235 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.179 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.129 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.76 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.2 (excluding)
cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
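
An exposure check built from the description and the version table above, as an added example that is not part of the original advisory or the kernel project's code. The function names are hypothetical, it assumes a `sort` that supports `-V`, and it compares upstream version numbers only, so a distribution kernel with a backported fix can still be reported as affected.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2025-21806. Assumes a sort(1) with -V.
# Upstream ranges from the table above: "first affected (incl.)  fixed in (excl.)".
# Distribution kernels may carry the fix under an older version number.
RANGES='2.6.13 5.4.291
5.5 5.10.235
5.11 5.15.179
5.16 6.1.129
6.2 6.6.76
6.7 6.12.13
6.13 6.13.2'

# ver_lt A B: succeeds when version A sorts strictly before version B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# kernel_affected VERSION: succeeds when VERSION falls in a listed range.
kernel_affected() {
    v=${1%%[-+]*}                      # drop suffixes such as "-rc7+"
    [ "$v" = "2.6.12" ] && return 0    # the single exact-version CPE entry
    while read -r from fixed; do
        if ! ver_lt "$v" "$from" && ver_lt "$v" "$fixed"; then
            return 0
        fi
    done <<EOF
$RANGES
EOF
    return 1
}

# dev_weight_is_zero [FILE]: succeeds when the sysctl holds the trigger value 0.
dev_weight_is_zero() {
    f=${1:-/proc/sys/net/core/dev_weight}
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" -eq 0 ]
}

# audit_host: report on the running kernel and the current sysctl value.
audit_host() {
    k=$(uname -r)
    if kernel_affected "$k"; then echo "kernel $k: in an affected upstream range"
    else echo "kernel $k: outside the listed upstream ranges"; fi
    if dev_weight_is_zero; then echo "net.core.dev_weight=0: trigger value is set"
    else echo "net.core.dev_weight is non-zero or unreadable"; fi
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run the script with `--audit` to check the local host; the functions can also be sourced and fed version strings from an inventory.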