From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C758935E4FC for ; Thu, 11 Sep 2025 16:58:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757609889; cv=none; b=ANJyRNy+3CF9MO2mbRzd7CdgK9fEJP/SRM/e+wFxBhWtZ7LzcTrwi89yZ7ddhQ0b9yxBflNEqdQnzHvQLi82yefbNrvkYtxa0CMSQMsKiiNhAW12tcMyntjlcHOVCRCi1eMnj8cD9qnjuFGbs8eJ7HWvXY7PD5KlQX1HrPBy9eg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757609889; c=relaxed/simple; bh=ScZwrVVtym5BObBFwXuqFaFEeIb/x9bJE7pnf3Gpkyg=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=GN3Dw7l+WiD0d6Msrhj3N+9mT/LAl+8nk4/ibNZXRfD8CF5Z7m5rhYFQYHd5fShwY+gX0ltkDH1iFKx85EQgWHm7jGCrkzRXxyKFF6qU++oUQ8fKD1Ib8yYKgrJQSTI8Va9UfQMtu7EX6oaSmZ3j5Gtt6aF4FncP1+haqxbomnk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=VDRQ6yVw; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="VDRQ6yVw" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4DAB8C4CEF9; Thu, 11 Sep 2025 16:58:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1757609889; bh=ScZwrVVtym5BObBFwXuqFaFEeIb/x9bJE7pnf3Gpkyg=; h=From:To:Cc:Subject:Date:Reply-to:From; b=VDRQ6yVwisvl5tK1LkzewQBZ5QOxqybBvc6PeRNA4V2d3JlVVOxEDKjLwMymQvW1S usC0hrweWo2/GYXncmg2s61NVBE/IthM8zQofuEtNKqNqX4RLCPCFcgzj9L3afNx8l LTq1bs5GBvVuo/XxuUxTp90nSQmj09qkCJyLygcM= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2025-39773: net: bridge: fix soft lockup in br_multicast_query_expired() Date: Thu, 11 Sep 2025 18:56:52 +0200 Message-ID: <2025091146-CVE-2025-39773-e511@gregkh> X-Mailer: git-send-email 2.51.0 Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Reply-to: , X-Developer-Signature: v=1; a=openpgp-sha256; l=4096; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=snDpCFv9zyuUg6Qj3beEgbOLRlq4LomLT+Rr8AH3kcI=; b=owGbwMvMwCRo6H6F97bub03G02pJDBmH/vu1Gp372XvXLHwvg/v5/jfF0fKrz0i09DJGOh/XX 5fYfze4I5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACYSJ8ywYJ5pbLfiPPUdFRsV JooF93J/2yabwrCg2fXwiQ939TKOz8s4/P7VHR/fa/djAA== X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix soft lockup in br_multicast_query_expired() When set multicast_query_interval to a large value, the local variable 'time' in br_multicast_send_query() may overflow. If the time is smaller than jiffies, the timer will expire immediately, and then call mod_timer() again, which creates a loop and may trigger the following soft lockup issue. watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66] CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none) Call Trace: __netdev_alloc_skb+0x2e/0x3a0 br_ip6_multicast_alloc_query+0x212/0x1b70 __br_multicast_send_query+0x376/0xac0 br_multicast_send_query+0x299/0x510 br_multicast_query_expired.constprop.0+0x16d/0x1b0 call_timer_fn+0x3b/0x2a0 __run_timers+0x619/0x950 run_timer_softirq+0x11c/0x220 handle_softirqs+0x18e/0x560 __irq_exit_rcu+0x158/0x1a0 sysvec_apic_timer_interrupt+0x76/0x90 This issue can be reproduced with: ip link add br0 type bridge echo 1 > /sys/class/net/br0/bridge/multicast_querier echo 0xffffffffffffffff > /sys/class/net/br0/bridge/multicast_query_interval ip link set dev br0 up The multicast_startup_query_interval can also cause this issue. Similar to the commit 99b40610956a ("net: bridge: mcast: add and enforce query interval minimum"), add check for the query interval maximum to fix this issue. The Linux kernel CVE team has assigned CVE-2025-39773 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.34 with commit d902eee43f1951b358d7347d9165c6af21cf7b1b and fixed in 5.15.190 with commit 34171b9e53bd1dc264f5556579f2b04f04435c73 Issue introduced in 2.6.34 with commit d902eee43f1951b358d7347d9165c6af21cf7b1b and fixed in 6.1.149 with commit 43e281fde5e76a866a4d10780c35023f16c0e432 Issue introduced in 2.6.34 with commit d902eee43f1951b358d7347d9165c6af21cf7b1b and fixed in 6.6.103 with commit 96476b043efb86a94f2badd260f7f99c97bd5893 Issue introduced in 2.6.34 with commit d902eee43f1951b358d7347d9165c6af21cf7b1b and fixed in 6.12.44 with commit bdb19cd0de739870bb3494c815138b9dc30875c4 Issue introduced in 2.6.34 with commit d902eee43f1951b358d7347d9165c6af21cf7b1b and fixed in 6.16.4 with commit 5bf5fce8a0c2a70d063af778fdb5b27238174cdd Issue introduced in 2.6.34 with commit d902eee43f1951b358d7347d9165c6af21cf7b1b and fixed in 6.17-rc3 with commit d1547bf460baec718b3398365f8de33d25c5f36f Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-39773 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/bridge/br_multicast.c net/bridge/br_private.h Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/34171b9e53bd1dc264f5556579f2b04f04435c73 https://git.kernel.org/stable/c/43e281fde5e76a866a4d10780c35023f16c0e432 https://git.kernel.org/stable/c/96476b043efb86a94f2badd260f7f99c97bd5893 https://git.kernel.org/stable/c/bdb19cd0de739870bb3494c815138b9dc30875c4 https://git.kernel.org/stable/c/5bf5fce8a0c2a70d063af778fdb5b27238174cdd https://git.kernel.org/stable/c/d1547bf460baec718b3398365f8de33d25c5f36f