cve/published/2025/CVE-2025-21973.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21973: eth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx | tx}

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 eth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx | tx}

 When qstats-get operation is executed, callbacks of netdev_stats_ops
 are called. The bnxt_get_queue_stats{rx | tx} collect per-queue stats
 from sw_stats in the rings.
 But {rx | tx | cp}_ring are allocated when the interface is up.
 So, these rings are not allocated when the interface is down.

 The qstats-get is allowed even if the interface is down. However,
 the bnxt_get_queue_stats{rx | tx}() accesses cp_ring and tx_ring
 without null check.
 So, it needs to avoid accessing rings if the interface is down.

 Reproducer:
  ip link set $interface down
  ./cli.py --spec netdev.yaml --dump qstats-get
 OR
  ip link set $interface down
  python ./stats.py

 Splat looks like:
  BUG: kernel NULL pointer dereference, address: 0000000000000000
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 1680fa067 P4D 1680fa067 PUD 16be3b067 PMD 0
  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 0 UID: 0 PID: 1495 Comm: python3 Not tainted 6.14.0-rc4+ #32 5cd0f999d5a15c574ac72b3e4b907341
  Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021
  RIP: 0010:bnxt_get_queue_stats_rx+0xf/0x70 [bnxt_en]
  Code: c6 87 b5 18 00 00 02 eb a2 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 01
  RSP: 0018:ffffabef43cdb7e0 EFLAGS: 00010282
  RAX: 0000000000000000 RBX: ffffffffc04c8710 RCX: 0000000000000000
  RDX: ffffabef43cdb858 RSI: 0000000000000000 RDI: ffff8d504e850000
  RBP: ffff8d506c9f9c00 R08: 0000000000000004 R09: ffff8d506bcd901c
  R10: 0000000000000015 R11: ffff8d506bcd9000 R12: 0000000000000000
  R13: ffffabef43cdb8c0 R14: ffff8d504e850000 R15: 0000000000000000
  FS:  00007f2c5462b080(0000) GS:ffff8d575f600000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000000 CR3: 0000000167fd0000 CR4: 00000000007506f0
  PKRU: 55555554
  Call Trace:
   <TASK>
   ? __die+0x20/0x70
   ? page_fault_oops+0x15a/0x460
   ? sched_balance_find_src_group+0x58d/0xd10
   ? exc_page_fault+0x6e/0x180
   ? asm_exc_page_fault+0x22/0x30
   ? bnxt_get_queue_stats_rx+0xf/0x70 [bnxt_en cdd546fd48563c280cfd30e9647efa420db07bf1]
   netdev_nl_stats_by_netdev+0x2b1/0x4e0
   ? xas_load+0x9/0xb0
   ? xas_find+0x183/0x1d0
   ? xa_find+0x8b/0xe0
   netdev_nl_qstats_get_dumpit+0xbf/0x1e0
   genl_dumpit+0x31/0x90
   netlink_dump+0x1a8/0x360

 The Linux kernel CVE team has assigned CVE-2025-21973 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.9 with commit af7b3b4adda592cb49e202f3617454d5dda4c5b5 and fixed in 6.12.20 with commit f059a0fd733078c3832fd0f3a3037aa5975d3d36
 	Issue introduced in 6.9 with commit af7b3b4adda592cb49e202f3617454d5dda4c5b5 and fixed in 6.13.8 with commit adb830085f0fc3a09a0fc8b64fed2e7c8d244665
 	Issue introduced in 6.9 with commit af7b3b4adda592cb49e202f3617454d5dda4c5b5 and fixed in 6.14 with commit f09af5fdfbd9b0fcee73aab1116904c53b199e97

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21973
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/broadcom/bnxt/bnxt.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f059a0fd733078c3832fd0f3a3037aa5975d3d36
 	https://git.kernel.org/stable/c/adb830085f0fc3a09a0fc8b64fed2e7c8d244665
 	https://git.kernel.org/stable/c/f09af5fdfbd9b0fcee73aab1116904c53b199e97
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21973: eth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx \| tx}

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	eth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx \| tx}

	When qstats-get operation is executed, callbacks of netdev_stats_ops
	are called. The bnxt_get_queue_stats{rx \| tx} collect per-queue stats
	from sw_stats in the rings.
	But {rx \| tx \| cp}_ring are allocated when the interface is up.
	So, these rings are not allocated when the interface is down.

	The qstats-get is allowed even if the interface is down. However,
	the bnxt_get_queue_stats{rx \| tx}() accesses cp_ring and tx_ring
	without null check.
	So, it needs to avoid accessing rings if the interface is down.

	Reproducer:
	ip link set $interface down
	./cli.py --spec netdev.yaml --dump qstats-get
	OR
	ip link set $interface down
	python ./stats.py

	Splat looks like:
	BUG: kernel NULL pointer dereference, address: 0000000000000000
	#PF: supervisor read access in kernel mode
	#PF: error_code(0x0000) - not-present page
	PGD 1680fa067 P4D 1680fa067 PUD 16be3b067 PMD 0
	Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
	CPU: 0 UID: 0 PID: 1495 Comm: python3 Not tainted 6.14.0-rc4+ #32 5cd0f999d5a15c574ac72b3e4b907341
	Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021
	RIP: 0010:bnxt_get_queue_stats_rx+0xf/0x70 [bnxt_en]
	Code: c6 87 b5 18 00 00 02 eb a2 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 01
	RSP: 0018:ffffabef43cdb7e0 EFLAGS: 00010282
	RAX: 0000000000000000 RBX: ffffffffc04c8710 RCX: 0000000000000000
	RDX: ffffabef43cdb858 RSI: 0000000000000000 RDI: ffff8d504e850000
	RBP: ffff8d506c9f9c00 R08: 0000000000000004 R09: ffff8d506bcd901c
	R10: 0000000000000015 R11: ffff8d506bcd9000 R12: 0000000000000000
	R13: ffffabef43cdb8c0 R14: ffff8d504e850000 R15: 0000000000000000
	FS: 00007f2c5462b080(0000) GS:ffff8d575f600000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000000000000 CR3: 0000000167fd0000 CR4: 00000000007506f0
	PKRU: 55555554
	Call Trace:
	<TASK>
	? __die+0x20/0x70
	? page_fault_oops+0x15a/0x460
	? sched_balance_find_src_group+0x58d/0xd10
	? exc_page_fault+0x6e/0x180
	? asm_exc_page_fault+0x22/0x30
	? bnxt_get_queue_stats_rx+0xf/0x70 [bnxt_en cdd546fd48563c280cfd30e9647efa420db07bf1]
	netdev_nl_stats_by_netdev+0x2b1/0x4e0
	? xas_load+0x9/0xb0
	? xas_find+0x183/0x1d0
	? xa_find+0x8b/0xe0
	netdev_nl_qstats_get_dumpit+0xbf/0x1e0
	genl_dumpit+0x31/0x90
	netlink_dump+0x1a8/0x360

	The Linux kernel CVE team has assigned CVE-2025-21973 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.9 with commit af7b3b4adda592cb49e202f3617454d5dda4c5b5 and fixed in 6.12.20 with commit f059a0fd733078c3832fd0f3a3037aa5975d3d36
	Issue introduced in 6.9 with commit af7b3b4adda592cb49e202f3617454d5dda4c5b5 and fixed in 6.13.8 with commit adb830085f0fc3a09a0fc8b64fed2e7c8d244665
	Issue introduced in 6.9 with commit af7b3b4adda592cb49e202f3617454d5dda4c5b5 and fixed in 6.14 with commit f09af5fdfbd9b0fcee73aab1116904c53b199e97

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21973
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/broadcom/bnxt/bnxt.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f059a0fd733078c3832fd0f3a3037aa5975d3d36
	https://git.kernel.org/stable/c/adb830085f0fc3a09a0fc8b64fed2e7c8d244665
	https://git.kernel.org/stable/c/f09af5fdfbd9b0fcee73aab1116904c53b199e97