CVE-2025-38720 in Linuxinfo

Summary

by MITRE • 09/04/2025

In the Linux kernel, the following vulnerability has been resolved:

net: hibmcge: fix rtnl deadlock issue

Currently, the hibmcge netdev acquires the rtnl_lock in pci_error_handlers.reset_prepare() and releases it in pci_error_handlers.reset_done().

However, in the PCI framework: pci_reset_bus - __pci_reset_slot - pci_slot_save_and_disable_locked - pci_dev_save_and_disable - err_handler->reset_prepare(dev);

In pci_slot_save_and_disable_locked(): list_for_each_entry(dev, &slot->bus->devices, bus_list) {
if (!dev->slot || dev->slot!= slot) continue; pci_dev_save_and_disable(dev); if (dev->subordinate) pci_bus_save_and_disable_locked(dev->subordinate); }

This will iterate through all devices under the current bus and execute err_handler->reset_prepare(), causing two devices of the hibmcge driver to sequentially request the rtnl_lock, leading to a deadlock.

Since the driver now executes netif_device_detach() before the reset process, it will not concurrently with other netdev APIs, so there is no need to hold the rtnl_lock now.

Therefore, this patch removes the rtnl_lock during the reset process and adjusts the position of HBG_NIC_STATE_RESETTING to ensure that multiple resets are not executed concurrently.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 02/10/2026

The vulnerability described in CVE-2025-38720 represents a critical deadlock condition within the Linux kernel's networking subsystem, specifically affecting the hibmcge network driver implementation. This issue manifests as a recursive locking scenario that can completely halt system responsiveness during PCI error recovery operations. The problem stems from improper synchronization mechanisms within the driver's error handling framework, creating a scenario where the Real-Time Network Lock (rtnl_lock) becomes a point of contention that leads to system-wide deadlock conditions. The vulnerability directly impacts the kernel's ability to maintain network connectivity and system stability during hardware error recovery processes.

The technical flaw occurs within the PCI error handling framework where the hibmcge driver incorrectly manages the rtnl_lock during device reset operations. Specifically, the driver acquires the rtnl_lock in the pci_error_handlers.reset_prepare() callback and releases it in pci_error_handlers.reset_done() callback. However, the PCI subsystem's reset mechanism executes a nested iteration through all devices under a specific bus slot, calling reset_prepare() on each device. When multiple hibmcge network devices exist on the same PCI bus, this iteration causes sequential acquisition of the rtnl_lock, creating a circular dependency where each device waits for the other to release the lock. This represents a classic deadlock scenario classified under CWE-362, which deals with concurrent access issues in multithreaded applications and kernel contexts.

The operational impact of this vulnerability extends beyond simple system unresponsiveness to encompass complete network service disruption and potential system crashes during hardware error recovery. When a PCI bus error occurs, the kernel attempts to reset all devices on that bus, but the hibmcge driver's improper lock management causes the reset process to hang indefinitely. This can result in network connectivity loss for all devices on the affected bus, system timeouts during critical error recovery sequences, and potential data loss for applications relying on network services. The vulnerability affects systems running Linux kernels that include the hibmcge network driver implementation and poses significant risk to server environments where network reliability and system uptime are critical requirements.

The mitigation strategy implemented in this patch addresses the root cause by removing the unnecessary rtnl_lock acquisition during the PCI reset process. The solution involves executing netif_device_detach() before the reset operation begins, which eliminates the concurrent access requirements that previously necessitated lock protection. Additionally, the patch repositions the HBG_NIC_STATE_RESETTING flag to prevent multiple concurrent reset operations, implementing proper state management that prevents race conditions. This approach aligns with ATT&CK technique T1490, which addresses system network denial by removing the lock contention that leads to system-wide deadlocks. The fix ensures that device reset operations can proceed without blocking other network operations, thereby maintaining system stability and network availability during hardware error recovery scenarios. The solution demonstrates proper kernel locking practices and follows established patterns for managing concurrent access in kernel subsystems, preventing similar issues in related network driver implementations.

Responsible

Linux

Reservation

04/16/2025

Disclosure

09/04/2025

Moderation

accepted

CPE

ready

EPSS

0.00105

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!