CVE-2025-21799

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns()<br /> <br /> When getting the IRQ we use k3_udma_glue_tx_get_irq() which returns<br /> negative error value on error. So not NULL check is not sufficient<br /> to deteremine if IRQ is valid. Check that IRQ is greater then zero<br /> to ensure it is valid.<br /> <br /> There is no issue at probe time but at runtime user can invoke<br /> .set_channels which results in the following call chain.<br /> am65_cpsw_set_channels()<br /> am65_cpsw_nuss_update_tx_rx_chns()<br /> am65_cpsw_nuss_remove_tx_chns()<br /> am65_cpsw_nuss_init_tx_chns()<br /> <br /> At this point if am65_cpsw_nuss_init_tx_chns() fails due to<br /> k3_udma_glue_tx_get_irq() then tx_chn-&gt;irq will be set to a<br /> negative value.<br /> <br /> Then, at subsequent .set_channels with higher channel count we<br /> will attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns()<br /> leading to a kernel warning.<br /> <br /> The issue is present in the original commit that introduced this driver,<br /> although there, am65_cpsw_nuss_update_tx_rx_chns() existed as<br /> am65_cpsw_nuss_update_tx_chns().