cve/published/2025/CVE-2025-37833.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37833: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads

 Fix niu_try_msix() to not cause a fatal trap on sparc systems.

 Set PCI_DEV_FLAGS_MSIX_TOUCH_ENTRY_DATA_FIRST on the struct pci_dev to
 work around a bug in the hardware or firmware.

 For each vector entry in the msix table, niu chips will cause a fatal
 trap if any registers in that entry are read before that entries'
 ENTRY_DATA register is written to. Testing indicates writes to other
 registers are not sufficient to prevent the fatal trap, however the value
 does not appear to matter. This only needs to happen once after power up,
 so simply rebooting into a kernel lacking this fix will NOT cause the
 trap.

 NON-RESUMABLE ERROR: Reporting on cpu 64
 NON-RESUMABLE ERROR: TPC [0x00000000005f6900] <msix_prepare_msi_desc+0x90/0xa0>
 NON-RESUMABLE ERROR: RAW [4010000000000016:00000e37f93e32ff:0000000202000080:ffffffffffffffff
 NON-RESUMABLE ERROR:      0000000800000000:0000000000000000:0000000000000000:0000000000000000]
 NON-RESUMABLE ERROR: handle [0x4010000000000016] stick [0x00000e37f93e32ff]
 NON-RESUMABLE ERROR: type [precise nonresumable]
 NON-RESUMABLE ERROR: attrs [0x02000080] < ASI sp-faulted priv >
 NON-RESUMABLE ERROR: raddr [0xffffffffffffffff]
 NON-RESUMABLE ERROR: insn effective address [0x000000c50020000c]
 NON-RESUMABLE ERROR: size [0x8]
 NON-RESUMABLE ERROR: asi [0x00]
 CPU: 64 UID: 0 PID: 745 Comm: kworker/64:1 Not tainted 6.11.5 #63
 Workqueue: events work_for_cpu_fn
 TSTATE: 0000000011001602 TPC: 00000000005f6900 TNPC: 00000000005f6904 Y: 00000000    Not tainted
 TPC: <msix_prepare_msi_desc+0x90/0xa0>
 g0: 00000000000002e9 g1: 000000000000000c g2: 000000c50020000c g3: 0000000000000100
 g4: ffff8000470307c0 g5: ffff800fec5be000 g6: ffff800047a08000 g7: 0000000000000000
 o0: ffff800014feb000 o1: ffff800047a0b620 o2: 0000000000000011 o3: ffff800047a0b620
 o4: 0000000000000080 o5: 0000000000000011 sp: ffff800047a0ad51 ret_pc: 00000000005f7128
 RPC: <__pci_enable_msix_range+0x3cc/0x460>
 l0: 000000000000000d l1: 000000000000c01f l2: ffff800014feb0a8 l3: 0000000000000020
 l4: 000000000000c000 l5: 0000000000000001 l6: 0000000020000000 l7: ffff800047a0b734
 i0: ffff800014feb000 i1: ffff800047a0b730 i2: 0000000000000001 i3: 000000000000000d
 i4: 0000000000000000 i5: 0000000000000000 i6: ffff800047a0ae81 i7: 00000000101888b0
 I7: <niu_try_msix.constprop.0+0xc0/0x130 [niu]>
 Call Trace:
 [<00000000101888b0>] niu_try_msix.constprop.0+0xc0/0x130 [niu]
 [<000000001018f840>] niu_get_invariants+0x183c/0x207c [niu]
 [<00000000101902fc>] niu_pci_init_one+0x27c/0x2fc [niu]
 [<00000000005ef3e4>] local_pci_probe+0x28/0x74
 [<0000000000469240>] work_for_cpu_fn+0x8/0x1c
 [<000000000046b008>] process_scheduled_works+0x144/0x210
 [<000000000046b518>] worker_thread+0x13c/0x1c0
 [<00000000004710e0>] kthread+0xb8/0xc8
 [<00000000004060c8>] ret_from_fork+0x1c/0x2c
 [<0000000000000000>] 0x0
 Kernel panic - not syncing: Non-resumable error.

 The Linux kernel CVE team has assigned CVE-2025-37833 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.14 with commit 7d5ec3d3612396dc6d4b76366d20ab9fc06f399f and fixed in 6.12.26 with commit c187aaa9e79b4b6d86ac7ba941e579ad33df5538
 	Issue introduced in 5.14 with commit 7d5ec3d3612396dc6d4b76366d20ab9fc06f399f and fixed in 6.14.5 with commit 64903e4849a71cf7f7c7e5d45225ccefc1280929
 	Issue introduced in 5.14 with commit 7d5ec3d3612396dc6d4b76366d20ab9fc06f399f and fixed in 6.15 with commit fbb429ddff5c8e479edcc7dde5a542c9295944e6
 	Issue introduced in 4.4.282 with commit e6454fd429b0ba6513ac1de27a0bd6ccac021a40
 	Issue introduced in 4.9.281 with commit 3590d16b47ac561a4f2504befe43def10ed1814c
 	Issue introduced in 4.14.245 with commit e1d5e8a561baaafed6e35d72a6ad53d248580d6c
 	Issue introduced in 4.19.205 with commit 3b570884c868c12e3184627ce4b4a167e9d6f018
 	Issue introduced in 5.4.142 with commit 1866c8f6d43c3c6ffa2bfe086b65392b3a3fafb1
 	Issue introduced in 5.10.60 with commit aa8092c1d1f142f797995d0448afb73a5148f4ae
 	Issue introduced in 5.13.12 with commit 6c971252f09040af40d20851cf4e14018e6710d9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37833
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/sun/niu.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c187aaa9e79b4b6d86ac7ba941e579ad33df5538
 	https://git.kernel.org/stable/c/64903e4849a71cf7f7c7e5d45225ccefc1280929
 	https://git.kernel.org/stable/c/fbb429ddff5c8e479edcc7dde5a542c9295944e6
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37833: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads

	Fix niu_try_msix() to not cause a fatal trap on sparc systems.

	Set PCI_DEV_FLAGS_MSIX_TOUCH_ENTRY_DATA_FIRST on the struct pci_dev to
	work around a bug in the hardware or firmware.

	For each vector entry in the msix table, niu chips will cause a fatal
	trap if any registers in that entry are read before that entries'
	ENTRY_DATA register is written to. Testing indicates writes to other
	registers are not sufficient to prevent the fatal trap, however the value
	does not appear to matter. This only needs to happen once after power up,
	so simply rebooting into a kernel lacking this fix will NOT cause the
	trap.

	NON-RESUMABLE ERROR: Reporting on cpu 64
	NON-RESUMABLE ERROR: TPC [0x00000000005f6900] <msix_prepare_msi_desc+0x90/0xa0>
	NON-RESUMABLE ERROR: RAW [4010000000000016:00000e37f93e32ff:0000000202000080:ffffffffffffffff
	NON-RESUMABLE ERROR: 0000000800000000:0000000000000000:0000000000000000:0000000000000000]
	NON-RESUMABLE ERROR: handle [0x4010000000000016] stick [0x00000e37f93e32ff]
	NON-RESUMABLE ERROR: type [precise nonresumable]
	NON-RESUMABLE ERROR: attrs [0x02000080] < ASI sp-faulted priv >
	NON-RESUMABLE ERROR: raddr [0xffffffffffffffff]
	NON-RESUMABLE ERROR: insn effective address [0x000000c50020000c]
	NON-RESUMABLE ERROR: size [0x8]
	NON-RESUMABLE ERROR: asi [0x00]
	CPU: 64 UID: 0 PID: 745 Comm: kworker/64:1 Not tainted 6.11.5 #63
	Workqueue: events work_for_cpu_fn
	TSTATE: 0000000011001602 TPC: 00000000005f6900 TNPC: 00000000005f6904 Y: 00000000 Not tainted
	TPC: <msix_prepare_msi_desc+0x90/0xa0>
	g0: 00000000000002e9 g1: 000000000000000c g2: 000000c50020000c g3: 0000000000000100
	g4: ffff8000470307c0 g5: ffff800fec5be000 g6: ffff800047a08000 g7: 0000000000000000
	o0: ffff800014feb000 o1: ffff800047a0b620 o2: 0000000000000011 o3: ffff800047a0b620
	o4: 0000000000000080 o5: 0000000000000011 sp: ffff800047a0ad51 ret_pc: 00000000005f7128
	RPC: <__pci_enable_msix_range+0x3cc/0x460>
	l0: 000000000000000d l1: 000000000000c01f l2: ffff800014feb0a8 l3: 0000000000000020
	l4: 000000000000c000 l5: 0000000000000001 l6: 0000000020000000 l7: ffff800047a0b734
	i0: ffff800014feb000 i1: ffff800047a0b730 i2: 0000000000000001 i3: 000000000000000d
	i4: 0000000000000000 i5: 0000000000000000 i6: ffff800047a0ae81 i7: 00000000101888b0
	I7: <niu_try_msix.constprop.0+0xc0/0x130 [niu]>
	Call Trace:
	[<00000000101888b0>] niu_try_msix.constprop.0+0xc0/0x130 [niu]
	[<000000001018f840>] niu_get_invariants+0x183c/0x207c [niu]
	[<00000000101902fc>] niu_pci_init_one+0x27c/0x2fc [niu]
	[<00000000005ef3e4>] local_pci_probe+0x28/0x74
	[<0000000000469240>] work_for_cpu_fn+0x8/0x1c
	[<000000000046b008>] process_scheduled_works+0x144/0x210
	[<000000000046b518>] worker_thread+0x13c/0x1c0
	[<00000000004710e0>] kthread+0xb8/0xc8
	[<00000000004060c8>] ret_from_fork+0x1c/0x2c
	[<0000000000000000>] 0x0
	Kernel panic - not syncing: Non-resumable error.

	The Linux kernel CVE team has assigned CVE-2025-37833 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.14 with commit 7d5ec3d3612396dc6d4b76366d20ab9fc06f399f and fixed in 6.12.26 with commit c187aaa9e79b4b6d86ac7ba941e579ad33df5538
	Issue introduced in 5.14 with commit 7d5ec3d3612396dc6d4b76366d20ab9fc06f399f and fixed in 6.14.5 with commit 64903e4849a71cf7f7c7e5d45225ccefc1280929
	Issue introduced in 5.14 with commit 7d5ec3d3612396dc6d4b76366d20ab9fc06f399f and fixed in 6.15 with commit fbb429ddff5c8e479edcc7dde5a542c9295944e6
	Issue introduced in 4.4.282 with commit e6454fd429b0ba6513ac1de27a0bd6ccac021a40
	Issue introduced in 4.9.281 with commit 3590d16b47ac561a4f2504befe43def10ed1814c
	Issue introduced in 4.14.245 with commit e1d5e8a561baaafed6e35d72a6ad53d248580d6c
	Issue introduced in 4.19.205 with commit 3b570884c868c12e3184627ce4b4a167e9d6f018
	Issue introduced in 5.4.142 with commit 1866c8f6d43c3c6ffa2bfe086b65392b3a3fafb1
	Issue introduced in 5.10.60 with commit aa8092c1d1f142f797995d0448afb73a5148f4ae
	Issue introduced in 5.13.12 with commit 6c971252f09040af40d20851cf4e14018e6710d9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37833
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/sun/niu.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c187aaa9e79b4b6d86ac7ba941e579ad33df5538
	https://git.kernel.org/stable/c/64903e4849a71cf7f7c7e5d45225ccefc1280929
	https://git.kernel.org/stable/c/fbb429ddff5c8e479edcc7dde5a542c9295944e6