cve/published/2025/CVE-2025-21682.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21682: eth: bnxt: always recalculate features after XDP clearing, fix null-deref

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 eth: bnxt: always recalculate features after XDP clearing, fix null-deref

 Recalculate features when XDP is detached.

 Before:
   # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
   # ip li set dev eth0 xdp off
   # ethtool -k eth0 | grep gro
   rx-gro-hw: off [requested on]

 After:
   # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
   # ip li set dev eth0 xdp off
   # ethtool -k eth0 | grep gro
   rx-gro-hw: on

 The fact that HW-GRO doesn't get re-enabled automatically is just
 a minor annoyance. The real issue is that the features will randomly
 come back during another reconfiguration which just happens to invoke
 netdev_update_features(). The driver doesn't handle reconfiguring
 two things at a time very robustly.

 Starting with commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in
 __bnxt_reserve_rings()") we only reconfigure the RSS hash table
 if the "effective" number of Rx rings has changed. If HW-GRO is
 enabled "effective" number of rings is 2x what user sees.
 So if we are in the bad state, with HW-GRO re-enablement "pending"
 after XDP off, and we lower the rings by / 2 - the HW-GRO rings
 doing 2x and the ethtool -L doing / 2 may cancel each other out,
 and the:

   if (old_rx_rings != bp->hw_resc.resv_rx_rings &&

 condition in __bnxt_reserve_rings() will be false.
 The RSS map won't get updated, and we'll crash with:

   BUG: kernel NULL pointer dereference, address: 0000000000000168
   RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0
     bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180
     __bnxt_setup_vnic_p5+0x58/0x110
     bnxt_init_nic+0xb72/0xf50
     __bnxt_open_nic+0x40d/0xab0
     bnxt_open_nic+0x2b/0x60
     ethtool_set_channels+0x18c/0x1d0

 As we try to access a freed ring.

 The issue is present since XDP support was added, really, but
 prior to commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in
 __bnxt_reserve_rings()") it wasn't causing major issues.

 The Linux kernel CVE team has assigned CVE-2025-21682 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.16 with commit 1054aee82321483dceabbb9b9e5d6512e8fe684b and fixed in 6.12.11 with commit 08831a894d18abfaabb5bbde7c2069a7fb41dd93
 	Issue introduced in 4.16 with commit 1054aee82321483dceabbb9b9e5d6512e8fe684b and fixed in 6.13 with commit f0aa6a37a3dbb40b272df5fc6db93c114688adcd

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21682
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/broadcom/bnxt/bnxt.c
 	drivers/net/ethernet/broadcom/bnxt/bnxt.h
 	drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/08831a894d18abfaabb5bbde7c2069a7fb41dd93
 	https://git.kernel.org/stable/c/f0aa6a37a3dbb40b272df5fc6db93c114688adcd
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21682: eth: bnxt: always recalculate features after XDP clearing, fix null-deref

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	eth: bnxt: always recalculate features after XDP clearing, fix null-deref

	Recalculate features when XDP is detached.

	Before:
	# ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
	# ip li set dev eth0 xdp off
	# ethtool -k eth0 \| grep gro
	rx-gro-hw: off [requested on]

	After:
	# ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
	# ip li set dev eth0 xdp off
	# ethtool -k eth0 \| grep gro
	rx-gro-hw: on

	The fact that HW-GRO doesn't get re-enabled automatically is just
	a minor annoyance. The real issue is that the features will randomly
	come back during another reconfiguration which just happens to invoke
	netdev_update_features(). The driver doesn't handle reconfiguring
	two things at a time very robustly.

	Starting with commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in
	__bnxt_reserve_rings()") we only reconfigure the RSS hash table
	if the "effective" number of Rx rings has changed. If HW-GRO is
	enabled "effective" number of rings is 2x what user sees.
	So if we are in the bad state, with HW-GRO re-enablement "pending"
	after XDP off, and we lower the rings by / 2 - the HW-GRO rings
	doing 2x and the ethtool -L doing / 2 may cancel each other out,
	and the:

	if (old_rx_rings != bp->hw_resc.resv_rx_rings &&

	condition in __bnxt_reserve_rings() will be false.
	The RSS map won't get updated, and we'll crash with:

	BUG: kernel NULL pointer dereference, address: 0000000000000168
	RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0
	bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180
	__bnxt_setup_vnic_p5+0x58/0x110
	bnxt_init_nic+0xb72/0xf50
	__bnxt_open_nic+0x40d/0xab0
	bnxt_open_nic+0x2b/0x60
	ethtool_set_channels+0x18c/0x1d0

	As we try to access a freed ring.

	The issue is present since XDP support was added, really, but
	prior to commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in
	__bnxt_reserve_rings()") it wasn't causing major issues.

	The Linux kernel CVE team has assigned CVE-2025-21682 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.16 with commit 1054aee82321483dceabbb9b9e5d6512e8fe684b and fixed in 6.12.11 with commit 08831a894d18abfaabb5bbde7c2069a7fb41dd93
	Issue introduced in 4.16 with commit 1054aee82321483dceabbb9b9e5d6512e8fe684b and fixed in 6.13 with commit f0aa6a37a3dbb40b272df5fc6db93c114688adcd

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21682
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/broadcom/bnxt/bnxt.c
	drivers/net/ethernet/broadcom/bnxt/bnxt.h
	drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/08831a894d18abfaabb5bbde7c2069a7fb41dd93
	https://git.kernel.org/stable/c/f0aa6a37a3dbb40b272df5fc6db93c114688adcd