In the Linux kernel, the following vulnerability has been resolved:
af_packet: move notifier's packet_dev_mc out of rcu critical section
Syzkaller reports the following issue:
 BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578
 __mutex_lock+0x106/0xe80 kernel/locking/mutex.c:746
 team_change_rx_flags+0x38/0x220 drivers/net/team/team_core.c:1781
 dev_change_rx_flags net/core/dev.c:9145 [inline]
 __dev_set_promiscuity+0x3f8/0x590 net/core/dev.c:9189
 netif_set_promiscuity+0x50/0xe0 net/core/dev.c:9201
 dev_set_promiscuity+0x126/0x260 net/core/dev_api.c:286
 packet_dev_mc net/packet/af_packet.c:3698 [inline]
 packet_dev_mclist_delete net/packet/af_packet.c:3722 [inline]
 packet_notifier+0x292/0xa60 net/packet/af_packet.c:4247
 notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2214 [inline]
 call_netdevice_notifiers net/core/dev.c:2228 [inline]
 unregister_netdevice_many_notify+0x15d8/0x2330 net/core/dev.c:11972
 rtnl_delete_link net/core/rtnetlink.c:3522 [inline]
 rtnl_dellink+0x488/0x710 net/core/rtnetlink.c:3564
 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6955
 netlink_rcv_skb+0x219/0x490 net/netlink/af_netlink.c:2534
Calling PACKET_ADD_MEMBERSHIP on an ops-locked device can trigger
the NETDEV_UNREGISTER notifier, which may require disabling promiscuous
and/or allmulti mode. Both of these operations require acquiring
the netdev instance lock.
Move the call to packet_dev_mc outside of the RCU critical section.
The mclist modifications (add, del, flush, unregister) are protected by
the RTNL, not the RCU. The RCU only protects the sklist and its
associated sks. The delayed operation on the mclist entry remains
within the RTNL.
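
The deferral described above, as a simplified user-space C model added here; it is not the kernel patch or code from the kernel tree. `rcu_depth`, `set_promisc`, `unregister_before`, `unregister_after`, `run_model` and the sample sockets are constructed for illustration, and the caller is assumed to hold the RTNL throughout.

```c
#include <stddef.h>
/* Constructed user-space model; none of these names are kernel APIs. */
static int rcu_depth;      /* > 0: inside the modelled RCU read-side section */
static int atomic_sleeps;  /* sleeping calls made while rcu_depth > 0 */
struct mc_entry { int ifindex; struct mc_entry *next, *defer; };
struct sk_model { struct mc_entry *mclist; struct sk_model *next; };

/* Stand-in for the promiscuity change, which may sleep on the instance lock. */
static void set_promisc(int *promisc)
{
    atomic_sleeps += rcu_depth > 0;  /* where the kernel reports the BUG */
    (*promisc)--;
}

/* Before: the sleeping call happens while the socket list is being walked. */
static void unregister_before(struct sk_model *sklist, int ifindex, int *promisc)
{
    rcu_depth++;
    for (struct sk_model *sk = sklist; sk; sk = sk->next)
        for (struct mc_entry *m = sk->mclist; m; m = m->next)
            if (m->ifindex == ifindex)
                set_promisc(promisc);
    rcu_depth--;
}

/* After: the walk only queues matches; the sleeping calls run after the
 * read-side section ends (the caller is assumed to still hold the RTNL). */
static void unregister_after(struct sk_model *sklist, int ifindex, int *promisc)
{
    struct mc_entry *deferred = NULL;
    rcu_depth++;
    for (struct sk_model *sk = sklist; sk; sk = sk->next)
        for (struct mc_entry *m = sk->mclist; m; m = m->next)
            if (m->ifindex == ifindex) { m->defer = deferred; deferred = m; }
    rcu_depth--;
    for (struct mc_entry *m = deferred; m; m = m->defer)
        set_promisc(promisc);
}

/* Constructed input: two sockets, two memberships on ifindex 3, one on 5. */
static int run_model(int fixed, int *promisc)
{
    struct mc_entry a = {3, NULL, NULL}, b = {5, &a, NULL}, c = {3, NULL, NULL};
    struct sk_model s2 = {&c, NULL}, s1 = {&b, &s2};
    atomic_sleeps = 0;
    *promisc = 2;
    (fixed ? unregister_after : unregister_before)(&s1, 3, promisc);
    return atomic_sleeps;
}
```

`run_model(0, &p)` counts the sleeping calls made inside the modelled read-side section; `run_model(1, &p)` makes the same promiscuity changes with none of them inside it.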
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38150.json",
"cna_assigner": "Linux"
}