cve/published/2025/CVE-2025-21676.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21676: net: fec: handle page_pool_dev_alloc_pages error

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: fec: handle page_pool_dev_alloc_pages error

 The fec_enet_update_cbd function calls page_pool_dev_alloc_pages but did
 not handle the case when it returned NULL. There was a WARN_ON(!new_page)
 but it would still proceed to use the NULL pointer and then crash.

 This case does seem somewhat rare but when the system is under memory
 pressure it can happen. One case where I can duplicate this with some
 frequency is when writing over a smbd share to a SATA HDD attached to an
 imx6q.

 Setting /proc/sys/vm/min_free_kbytes to higher values also seems to solve
 the problem for my test case. But it still seems wrong that the fec driver
 ignores the memory allocation error and can crash.

 This commit handles the allocation error by dropping the current packet.

 The Linux kernel CVE team has assigned CVE-2025-21676 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1 with commit 95698ff6177b5f1f13f251da60e7348413046ae4 and fixed in 6.6.74 with commit 8a0097db0544b658c159ac787319737712063a23
 	Issue introduced in 6.1 with commit 95698ff6177b5f1f13f251da60e7348413046ae4 and fixed in 6.12.11 with commit 1425cb829556398f594658512d49292f988a2ab0
 	Issue introduced in 6.1 with commit 95698ff6177b5f1f13f251da60e7348413046ae4 and fixed in 6.13 with commit 001ba0902046cb6c352494df610718c0763e77a5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21676
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/freescale/fec_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8a0097db0544b658c159ac787319737712063a23
 	https://git.kernel.org/stable/c/1425cb829556398f594658512d49292f988a2ab0
 	https://git.kernel.org/stable/c/001ba0902046cb6c352494df610718c0763e77a5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21676: net: fec: handle page_pool_dev_alloc_pages error

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: fec: handle page_pool_dev_alloc_pages error

	The fec_enet_update_cbd function calls page_pool_dev_alloc_pages but did
	not handle the case when it returned NULL. There was a WARN_ON(!new_page)
	but it would still proceed to use the NULL pointer and then crash.

	This case does seem somewhat rare but when the system is under memory
	pressure it can happen. One case where I can duplicate this with some
	frequency is when writing over a smbd share to a SATA HDD attached to an
	imx6q.

	Setting /proc/sys/vm/min_free_kbytes to higher values also seems to solve
	the problem for my test case. But it still seems wrong that the fec driver
	ignores the memory allocation error and can crash.

	This commit handles the allocation error by dropping the current packet.

	The Linux kernel CVE team has assigned CVE-2025-21676 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1 with commit 95698ff6177b5f1f13f251da60e7348413046ae4 and fixed in 6.6.74 with commit 8a0097db0544b658c159ac787319737712063a23
	Issue introduced in 6.1 with commit 95698ff6177b5f1f13f251da60e7348413046ae4 and fixed in 6.12.11 with commit 1425cb829556398f594658512d49292f988a2ab0
	Issue introduced in 6.1 with commit 95698ff6177b5f1f13f251da60e7348413046ae4 and fixed in 6.13 with commit 001ba0902046cb6c352494df610718c0763e77a5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21676
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/freescale/fec_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8a0097db0544b658c159ac787319737712063a23
	https://git.kernel.org/stable/c/1425cb829556398f594658512d49292f988a2ab0
	https://git.kernel.org/stable/c/001ba0902046cb6c352494df610718c0763e77a5