CVE-2025-21974

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> eth: bnxt: return fail if interface is down in bnxt_queue_mem_alloc()<br /> <br /> The bnxt_queue_mem_alloc() is called to allocate new queue memory when<br /> a queue is restarted.<br /> It internally accesses rx buffer descriptor corresponding to the index.<br /> The rx buffer descriptor is allocated and set when the interface is up<br /> and it&amp;#39;s freed when the interface is down.<br /> So, if queue is restarted if interface is down, kernel panic occurs.<br /> <br /> Splat looks like:<br /> BUG: unable to handle page fault for address: 000000000000b240<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 3 UID: 0 PID: 1563 Comm: ncdevmem2 Not tainted 6.14.0-rc2+ #9 844ddba6e7c459cafd0bf4db9a3198e<br /> Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021<br /> RIP: 0010:bnxt_queue_mem_alloc+0x3f/0x4e0 [bnxt_en]<br /> Code: 41 54 4d 89 c4 4d 69 c0 c0 05 00 00 55 48 89 f5 53 48 89 fb 4c 8d b5 40 05 00 00 48 83 ec 15<br /> RSP: 0018:ffff9dcc83fef9e8 EFLAGS: 00010202<br /> RAX: ffffffffc0457720 RBX: ffff934ed8d40000 RCX: 0000000000000000<br /> RDX: 000000000000001f RSI: ffff934ea508f800 RDI: ffff934ea508f808<br /> RBP: ffff934ea508f800 R08: 000000000000b240 R09: ffff934e84f4b000<br /> R10: ffff9dcc83fefa30 R11: ffff934e84f4b000 R12: 000000000000001f<br /> R13: ffff934ed8d40ac0 R14: ffff934ea508fd40 R15: ffff934e84f4b000<br /> FS: 00007fa73888c740(0000) GS:ffff93559f780000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000000000b240 CR3: 0000000145a2e000 CR4: 00000000007506f0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? __die+0x20/0x70<br /> ? page_fault_oops+0x15a/0x460<br /> ? exc_page_fault+0x6e/0x180<br /> ? asm_exc_page_fault+0x22/0x30<br /> ? __pfx_bnxt_queue_mem_alloc+0x10/0x10 [bnxt_en 7f85e76f4d724ba07471d7e39d9e773aea6597b7]<br /> ? bnxt_queue_mem_alloc+0x3f/0x4e0 [bnxt_en 7f85e76f4d724ba07471d7e39d9e773aea6597b7]<br /> netdev_rx_queue_restart+0xc5/0x240<br /> net_devmem_bind_dmabuf_to_queue+0xf8/0x200<br /> netdev_nl_bind_rx_doit+0x3a7/0x450<br /> genl_family_rcv_msg_doit+0xd9/0x130<br /> genl_rcv_msg+0x184/0x2b0<br /> ? __pfx_netdev_nl_bind_rx_doit+0x10/0x10<br /> ? __pfx_genl_rcv_msg+0x10/0x10<br /> netlink_rcv_skb+0x54/0x100<br /> genl_rcv+0x24/0x40<br /> ...