CVE-2025-68220
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/12/2025
Last modified:
16/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error<br />
<br />
Make knav_dma_open_channel consistently return NULL on error instead<br />
of ERR_PTR. Currently the header include/linux/soc/ti/knav_dma.h<br />
returns NULL when the driver is disabled, but the driver<br />
implementation does not even return NULL or ERR_PTR on failure,<br />
causing inconsistency in the users. This results in a crash in<br />
netcp_free_navigator_resources as followed (trimmed):<br />
<br />
Unhandled fault: alignment exception (0x221) at 0xfffffff2<br />
[fffffff2] *pgd=80000800207003, *pmd=82ffda003, *pte=00000000<br />
Internal error: : 221 [#1] SMP ARM<br />
Modules linked in:<br />
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc7 #1 NONE<br />
Hardware name: Keystone<br />
PC is at knav_dma_close_channel+0x30/0x19c<br />
LR is at netcp_free_navigator_resources+0x2c/0x28c<br />
<br />
[... TRIM...]<br />
<br />
Call trace:<br />
knav_dma_close_channel from netcp_free_navigator_resources+0x2c/0x28c<br />
netcp_free_navigator_resources from netcp_ndo_open+0x430/0x46c<br />
netcp_ndo_open from __dev_open+0x114/0x29c<br />
__dev_open from __dev_change_flags+0x190/0x208<br />
__dev_change_flags from netif_change_flags+0x1c/0x58<br />
netif_change_flags from dev_change_flags+0x38/0xa0<br />
dev_change_flags from ip_auto_config+0x2c4/0x11f0<br />
ip_auto_config from do_one_initcall+0x58/0x200<br />
do_one_initcall from kernel_init_freeable+0x1cc/0x238<br />
kernel_init_freeable from kernel_init+0x1c/0x12c<br />
kernel_init from ret_from_fork+0x14/0x38<br />
[... TRIM...]<br />
<br />
Standardize the error handling by making the function return NULL on<br />
all error conditions. The API is used in just the netcp_core.c so the<br />
impact is limited.<br />
<br />
Note, this change, in effect reverts commit 5b6cb43b4d62 ("net:<br />
ethernet: ti: netcp_core: return error while dma channel open issue"),<br />
but provides a less error prone implementation.
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2572c358ee434ce4b994472cceeb4043cbff5bc5
- https://git.kernel.org/stable/c/3afeb909c3e2e0eb19b1e20506196e5f2d9c2259
- https://git.kernel.org/stable/c/8427218ecbd7f8559c37972e66cb0fa06e82353b
- https://git.kernel.org/stable/c/90a88306eb874fe4bbdd860e6c9787f5bbc588b5
- https://git.kernel.org/stable/c/952637c5b9be64539cd0e13ef88db71a1df46373
- https://git.kernel.org/stable/c/af6b10a13fc0aee37df4a8292414cc055c263fa3
- https://git.kernel.org/stable/c/f9608637ecc165d7d6341df105aee44691461fb9
- https://git.kernel.org/stable/c/fbb53727ca789a8d27052aab4b77ca9e2a0fae2b