2414490 – (CVE-2025-40140) CVE-2025-40140 kernel: net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast

Bug 2414490 (CVE-2025-40140) - CVE-2025-40140 kernel: net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast

Summary: CVE-2025-40140 kernel: net: usb: Remove disruptive netif_wake_queue in rtl815...

Keywords:
Status:	NEW
Alias:	CVE-2025-40140
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-11-12 11:03 UTC by OSIDB Bzimport
Modified:	2025-11-13 15:13 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-11-12 11:03:12 UTC

In the Linux kernel, the following vulnerability has been resolved:

net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast

syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.
This is the sequence of events that leads to the warning:

rtl8150_start_xmit() {
	netif_stop_queue();
	usb_submit_urb(dev->tx_urb);
}

rtl8150_set_multicast() {
	netif_stop_queue();
	netif_wake_queue();		<-- wakes up TX queue before URB is done
}

rtl8150_start_xmit() {
	netif_stop_queue();
	usb_submit_urb(dev->tx_urb);	<-- double submission
}

rtl8150_set_multicast being the ndo_set_rx_mode callback should not be
calling netif_stop_queue and notif_start_queue as these handle
TX queue synchronization.

The net core function dev_set_rx_mode handles the synchronization
for rtl8150_set_multicast making it safe to remove these locks.

Comment 1 Alexander B 2025-11-13 15:09:42 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025111255-CVE-2025-40140-ae1a@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.