CVE-2025-21986

In the Linux kernel, the following vulnerability has been resolved:

net: switchdev: Convert blocking notification chain to a raw one

A blocking notification chain uses a read-write semaphore to protect the integrity of the chain. The semaphore is acquired for writing when adding / removing notifiers to / from the chain and acquired for reading when traversing the chain and informing notifiers about an event.

In case of the blocking switchdev notification chain, recursive notifications are possible which leads to the semaphore being acquired twice for reading and to lockdep warnings being generated [1].

Specifically, this can happen when the bridge driver processes a SWITCHDEVBRPORTUNOFFLOADED event which causes it to emit notifications about deferred events when calling switchdevdeferredprocess().

Fix this by converting the notification chain to a raw notification chain in a similar fashion to the netdev notification chain. Protect the chain using the RTNL mutex by acquiring it when modifying the chain. Events are always informed under the RTNL mutex, but add an assertion in callswitchdevblocking_notifiers() to make sure this is not violated in the future.

Maintain the "blocking" prefix as events are always emitted from process context and listeners are allowed to block.

6.14.0-rc4-custom-g079270089484 #1 Not tainted

ip/52731 is trying to acquire lock: ffffffff850918d8 ((switchdevblockingnotifchain).rwsem){++++}-{4:4}, at: blockingnotifiercallchain+0x58/0xa0

but task is already holding lock: ffffffff850918d8 ((switchdevblockingnotifchain).rwsem){++++}-{4:4}, at: blockingnotifiercallchain+0x58/0xa0

other info that might help us debug this: Possible unsafe locking scenario:

CPU0

lock((switchdevblockingnotifchain).rwsem); lock((switchdevblockingnotifchain).rwsem);

*** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by ip/52731: #0: ffffffff84f795b0 (rtnlmutex){+.+.}-{4:4}, at: rtnlnewlink+0x727/0x1dc0 #1: ffffffff8731f628 (&net->rtnlmutex){+.+.}-{4:4}, at: rtnlnewlink+0x790/0x1dc0 #2: ffffffff850918d8 ((switchdevblockingnotifchain).rwsem){++++}-{4:4}, at: blockingnotifiercallchain+0x58/0xa0

stack backtrace: ... ? __pfxdownread+0x10/0x10 ? __pfxmarklock+0x10/0x10 ? __pfxswitchdevportattrset_deferred+0x10/0x10 blockingnotifiercallchain+0x58/0xa0 switchdevportattrnotify.constprop.0+0xb3/0x1b0 ? __pfxswitchdevportattrnotify.constprop.0+0x10/0x10 ? markheldlocks+0x94/0xe0 ? switchdevdeferredprocess+0x11a/0x340 switchdevportattrsetdeferred+0x27/0xd0 switchdevdeferredprocess+0x164/0x340 brswitchdevportunoffload+0xc8/0x100 [bridge] brswitchdevblockingevent+0x29f/0x580 [bridge] notifiercallchain+0xa2/0x440 blockingnotifiercallchain+0x6e/0xa0 switchdevbridgeportunoffload+0xde/0x1a0 ...