CVE-2025-22111

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 16/04/2025
Last modified: 19/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.

SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to
br_ioctl_call(), which causes unnecessary RTNL dance and the splat
below [0] under RTNL pressure.

Let's say Thread A is trying to detach a device from a bridge and
Thread B is trying to remove the bridge.

In dev_ioctl(), Thread A bumps the bridge device's refcnt by
netdev_hold() and releases RTNL because the following br_ioctl_call()
also re-acquires RTNL.

In the race window, Thread B could acquire RTNL and try to remove
the bridge device. Then, rtnl_unlock() by Thread B will release RTNL
and wait for netdev_put() by Thread A.

Thread A, however, must hold RTNL after the unlock in dev_ifsioc(),
which may take long under RTNL pressure, resulting in the splat by
Thread B.

  Thread A (SIOCBRDELIF)           Thread B (SIOCBRDELBR)
  ----------------------           ----------------------
  sock_ioctl                       sock_ioctl
  `- sock_do_ioctl                 `- br_ioctl_call
     `- dev_ioctl                     `- br_ioctl_stub
        |- rtnl_lock                     |
        |- dev_ifsioc                    '
        '  |- dev = __dev_get_by_name(...)
           |- netdev_hold(dev, ...)      .
       /   |- rtnl_unlock  ------.       |
       |   |- br_ioctl_call       `--->  |- rtnl_lock
  Race |   |  `- br_ioctl_stub           |- br_del_bridge
  Window   |     |                       |  |- dev = __dev_get_by_name(...)
       |   |     |  May take long        |  `- br_dev_delete(dev, ...)
       |   |     |  under RTNL pressure  |     `- unregister_netdevice_queue(dev, ...)
       |   |     |               |       `- rtnl_unlock
       \   |     |- rtnl_lock

Vulnerable products and versions

CPE                                             From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.15 (including)   6.14.2 (excluding)