cve/published/2025/CVE-2025-21961.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21961: eth: bnxt: fix truesize for mb-xdp-pass case

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 eth: bnxt: fix truesize for mb-xdp-pass case

 When mb-xdp is set and return is XDP_PASS, packet is converted from
 xdp_buff to sk_buff with xdp_update_skb_shared_info() in
 bnxt_xdp_build_skb().
 bnxt_xdp_build_skb() passes incorrect truesize argument to
 xdp_update_skb_shared_info().
 The truesize is calculated as BNXT_RX_PAGE_SIZE * sinfo->nr_frags but
 the skb_shared_info was wiped by napi_build_skb() before.
 So it stores sinfo->nr_frags before bnxt_xdp_build_skb() and use it
 instead of getting skb_shared_info from xdp_get_shared_info_from_buff().

 Splat looks like:
  ------------[ cut here ]------------
  WARNING: CPU: 2 PID: 0 at net/core/skbuff.c:6072 skb_try_coalesce+0x504/0x590
  Modules linked in: xt_nat xt_tcpudp veth af_packet xt_conntrack nft_chain_nat xt_MASQUERADE nf_conntrack_netlink xfrm_user xt_addrtype nft_coms
  CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.14.0-rc2+ #3
  RIP: 0010:skb_try_coalesce+0x504/0x590
  Code: 4b fd ff ff 49 8b 34 24 40 80 e6 40 0f 84 3d fd ff ff 49 8b 74 24 48 40 f6 c6 01 0f 84 2e fd ff ff 48 8d 4e ff e9 25 fd ff ff <0f> 0b e99
  RSP: 0018:ffffb62c4120caa8 EFLAGS: 00010287
  RAX: 0000000000000003 RBX: ffffb62c4120cb14 RCX: 0000000000000ec0
  RDX: 0000000000001000 RSI: ffffa06e5d7dc000 RDI: 0000000000000003
  RBP: ffffa06e5d7ddec0 R08: ffffa06e6120a800 R09: ffffa06e7a119900
  R10: 0000000000002310 R11: ffffa06e5d7dcec0 R12: ffffe4360575f740
  R13: ffffe43600000000 R14: 0000000000000002 R15: 0000000000000002
  FS:  0000000000000000(0000) GS:ffffa0755f700000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f147b76b0f8 CR3: 00000001615d4000 CR4: 00000000007506f0
  PKRU: 55555554
  Call Trace:
   <IRQ>
   ? __warn+0x84/0x130
   ? skb_try_coalesce+0x504/0x590
   ? report_bug+0x18a/0x1a0
   ? handle_bug+0x53/0x90
   ? exc_invalid_op+0x14/0x70
   ? asm_exc_invalid_op+0x16/0x20
   ? skb_try_coalesce+0x504/0x590
   inet_frag_reasm_finish+0x11f/0x2e0
   ip_defrag+0x37a/0x900
   ip_local_deliver+0x51/0x120
   ip_sublist_rcv_finish+0x64/0x70
   ip_sublist_rcv+0x179/0x210
   ip_list_rcv+0xf9/0x130

 How to reproduce:
 <Node A>
 ip link set $interface1 xdp obj xdp_pass.o
 ip link set $interface1 mtu 9000 up
 ip a a 10.0.0.1/24 dev $interface1
 <Node B>
 ip link set $interfac2 mtu 9000 up
 ip a a 10.0.0.2/24 dev $interface2
 ping 10.0.0.1 -s 65000

 Following ping.py patch adds xdp-mb-pass case. so ping.py is going to be
 able to reproduce this issue.

 The Linux kernel CVE team has assigned CVE-2025-21961 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.19 with commit 1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 and fixed in 6.12.20 with commit 19107e71be330dbccb9f8f9f4cf0a9abeadad802
 	Issue introduced in 5.19 with commit 1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 and fixed in 6.13.8 with commit b4679807c6083ade4d47f03f80da891afcb6ef62
 	Issue introduced in 5.19 with commit 1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 and fixed in 6.14 with commit 9f7b2aa5034e24d3c49db73d5f760c0435fe31c2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21961
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/broadcom/bnxt/bnxt.c
 	drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/19107e71be330dbccb9f8f9f4cf0a9abeadad802
 	https://git.kernel.org/stable/c/b4679807c6083ade4d47f03f80da891afcb6ef62
 	https://git.kernel.org/stable/c/9f7b2aa5034e24d3c49db73d5f760c0435fe31c2
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21961: eth: bnxt: fix truesize for mb-xdp-pass case

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	eth: bnxt: fix truesize for mb-xdp-pass case

	When mb-xdp is set and return is XDP_PASS, packet is converted from
	xdp_buff to sk_buff with xdp_update_skb_shared_info() in
	bnxt_xdp_build_skb().
	bnxt_xdp_build_skb() passes incorrect truesize argument to
	xdp_update_skb_shared_info().
	The truesize is calculated as BNXT_RX_PAGE_SIZE * sinfo->nr_frags but
	the skb_shared_info was wiped by napi_build_skb() before.
	So it stores sinfo->nr_frags before bnxt_xdp_build_skb() and use it
	instead of getting skb_shared_info from xdp_get_shared_info_from_buff().

	Splat looks like:
	------------[ cut here ]------------
	WARNING: CPU: 2 PID: 0 at net/core/skbuff.c:6072 skb_try_coalesce+0x504/0x590
	Modules linked in: xt_nat xt_tcpudp veth af_packet xt_conntrack nft_chain_nat xt_MASQUERADE nf_conntrack_netlink xfrm_user xt_addrtype nft_coms
	CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.14.0-rc2+ #3
	RIP: 0010:skb_try_coalesce+0x504/0x590
	Code: 4b fd ff ff 49 8b 34 24 40 80 e6 40 0f 84 3d fd ff ff 49 8b 74 24 48 40 f6 c6 01 0f 84 2e fd ff ff 48 8d 4e ff e9 25 fd ff ff <0f> 0b e99
	RSP: 0018:ffffb62c4120caa8 EFLAGS: 00010287
	RAX: 0000000000000003 RBX: ffffb62c4120cb14 RCX: 0000000000000ec0
	RDX: 0000000000001000 RSI: ffffa06e5d7dc000 RDI: 0000000000000003
	RBP: ffffa06e5d7ddec0 R08: ffffa06e6120a800 R09: ffffa06e7a119900
	R10: 0000000000002310 R11: ffffa06e5d7dcec0 R12: ffffe4360575f740
	R13: ffffe43600000000 R14: 0000000000000002 R15: 0000000000000002
	FS: 0000000000000000(0000) GS:ffffa0755f700000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007f147b76b0f8 CR3: 00000001615d4000 CR4: 00000000007506f0
	PKRU: 55555554
	Call Trace:
	<IRQ>
	? __warn+0x84/0x130
	? skb_try_coalesce+0x504/0x590
	? report_bug+0x18a/0x1a0
	? handle_bug+0x53/0x90
	? exc_invalid_op+0x14/0x70
	? asm_exc_invalid_op+0x16/0x20
	? skb_try_coalesce+0x504/0x590
	inet_frag_reasm_finish+0x11f/0x2e0
	ip_defrag+0x37a/0x900
	ip_local_deliver+0x51/0x120
	ip_sublist_rcv_finish+0x64/0x70
	ip_sublist_rcv+0x179/0x210
	ip_list_rcv+0xf9/0x130

	How to reproduce:
	<Node A>
	ip link set $interface1 xdp obj xdp_pass.o
	ip link set $interface1 mtu 9000 up
	ip a a 10.0.0.1/24 dev $interface1
	<Node B>
	ip link set $interfac2 mtu 9000 up
	ip a a 10.0.0.2/24 dev $interface2
	ping 10.0.0.1 -s 65000

	Following ping.py patch adds xdp-mb-pass case. so ping.py is going to be
	able to reproduce this issue.

	The Linux kernel CVE team has assigned CVE-2025-21961 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.19 with commit 1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 and fixed in 6.12.20 with commit 19107e71be330dbccb9f8f9f4cf0a9abeadad802
	Issue introduced in 5.19 with commit 1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 and fixed in 6.13.8 with commit b4679807c6083ade4d47f03f80da891afcb6ef62
	Issue introduced in 5.19 with commit 1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 and fixed in 6.14 with commit 9f7b2aa5034e24d3c49db73d5f760c0435fe31c2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21961
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/broadcom/bnxt/bnxt.c
	drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/19107e71be330dbccb9f8f9f4cf0a9abeadad802
	https://git.kernel.org/stable/c/b4679807c6083ade4d47f03f80da891afcb6ef62
	https://git.kernel.org/stable/c/9f7b2aa5034e24d3c49db73d5f760c0435fe31c2