CVE-2025-38127
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 03/07/2025
Last modified: 03/07/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ice: fix Tx scheduler error handling in XDP callback

When the XDP program is loaded, the XDP callback adds new Tx queues.
This means that the callback must update the Tx scheduler with the new
queue number. In the event of a Tx scheduler failure, the XDP callback
should also fail and roll back any changes previously made for XDP
preparation.

The previous implementation had a bug that not all changes made by the
XDP callback were rolled back. This caused the crash with the following
call trace:

[ +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5
[ +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI
[ +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary)
[ +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022
[ +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice]

[...]

[ +0.002715] Call Trace:
[ +0.002452]
[ +0.002021] ? __die_body.cold+0x19/0x29
[ +0.003922] ? die_addr+0x3c/0x60
[ +0.003319] ? exc_general_protection+0x17c/0x400
[ +0.004707] ? asm_exc_general_protection+0x26/0x30
[ +0.004879] ? __ice_update_sample+0x39/0xe0 [ice]
[ +0.004835] ice_napi_poll+0x665/0x680 [ice]
[ +0.004320] __napi_poll+0x28/0x190
[ +0.003500] net_rx_action+0x198/0x360
[ +0.003752] ? update_rq_clock+0x39/0x220
[ +0.004013] handle_softirqs+0xf1/0x340
[ +0.003840] ? sched_clock_cpu+0xf/0x1f0
[ +0.003925] __irq_exit_rcu+0xc2/0xe0
[ +0.003665] common_interrupt+0x85/0xa0
[ +0.003839]
[ +0.002098]
[ +0.002106] asm_common_interrupt+0x26/0x40
[ +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690

Fix this by performing the missing unmapping of XDP queues from
q_vectors and setting the XDP rings pointer back to NULL after all those
queues are released.
Also, add an immediate exit from the XDP callback in case of ring
preparation failure.
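
The rollback order described above, modelled in user-space C as an added example; it is not code from the ice driver or from this advisory. The names vsi, q_vector, ring, prepare_xdp, sched_cfg and mapped_count are hypothetical simplifications, and the scheduler failure is simulated with a flag.

```c
#include <stddef.h>
#include <stdlib.h>

#define NUM_Q 4

/* Hypothetical, simplified stand-ins; not the ice driver's real structures. */
struct ring { int id; };
struct q_vector { struct ring *xdp_tx; };   /* what the poll path dereferences */
struct vsi {
    struct ring *xdp_rings;                 /* NULL means "XDP not set up" */
    struct q_vector qv[NUM_Q];
};

/* Simulated Tx scheduler update; fails on demand with -5, as in the log. */
static int sched_cfg(int fail) { return fail ? -5 : 0; }

/* Number of q_vectors that still reference an XDP ring. */
int mapped_count(const struct vsi *v)
{
    int n = 0;
    for (int i = 0; i < NUM_Q; i++)
        n += v->qv[i].xdp_tx != NULL;
    return n;
}

int prepare_xdp(struct vsi *v, int sched_fail)
{
    int err = 0;

    v->xdp_rings = calloc(NUM_Q, sizeof(*v->xdp_rings));
    if (!v->xdp_rings)
        return -12;                         /* ring preparation failed: exit now */
    for (int i = 0; i < NUM_Q; i++)
        v->qv[i].xdp_tx = &v->xdp_rings[i]; /* map queues to vectors */
    err = sched_cfg(sched_fail);
    if (err)
        goto err_unmap;
    return 0;
err_unmap:
    for (int i = 0; i < NUM_Q; i++)
        v->qv[i].xdp_tx = NULL;             /* the unmapping the old path missed */
    free(v->xdp_rings);
    v->xdp_rings = NULL;                    /* reset only after release */
    return err;
}
```

If the unmapping loop under err_unmap is skipped, mapped_count stays at NUM_Q after the rings are freed, which is the state in which a later poll would follow a stale ring pointer.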