CVE-2025-21682
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
31/01/2025
Last modified:
04/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

eth: bnxt: always recalculate features after XDP clearing, fix null-deref

Recalculate features when XDP is detached.

Before:
# ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
# ip li set dev eth0 xdp off
# ethtool -k eth0 | grep gro
rx-gro-hw: off [requested on]

After:
# ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
# ip li set dev eth0 xdp off
# ethtool -k eth0 | grep gro
rx-gro-hw: on

The fact that HW-GRO doesn't get re-enabled automatically is just
a minor annoyance. The real issue is that the features will randomly
come back during another reconfiguration which just happens to invoke
netdev_update_features(). The driver doesn't handle reconfiguring
two things at a time very robustly.

Starting with commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in
__bnxt_reserve_rings()") we only reconfigure the RSS hash table
if the "effective" number of Rx rings has changed. If HW-GRO is
enabled "effective" number of rings is 2x what user sees.
So if we are in the bad state, with HW-GRO re-enablement "pending"
after XDP off, and we lower the rings by / 2 - the HW-GRO rings
doing 2x and the ethtool -L doing / 2 may cancel each other out,
and the:

if (old_rx_rings != bp->hw_resc.resv_rx_rings &&

condition in __bnxt_reserve_rings() will be false.
The RSS map won't get updated, and we'll crash with:

BUG: kernel NULL pointer dereference, address: 0000000000000168
RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0
bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180
__bnxt_setup_vnic_p5+0x58/0x110
bnxt_init_nic+0xb72/0xf50
__bnxt_open_nic+0x40d/0xab0
bnxt_open_nic+0x2b/0x60
ethtool_set_channels+0x18c/0x1d0

As we try to access a freed ring.

The issue is present since XDP support was added, really, but
prior to commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in
__bnxt_reserve_rings()") it wasn't causing major issues.
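The cancellation the commit message describes, worked through as a small C model added here. This is not bnxt_en driver code: `struct nic_model` and every function in it are invented for illustration. It takes from the commit message only that HW-GRO makes the "effective" Rx ring count 2x the user-visible one, that the RSS table is rebuilt only when that effective count changes, and that after `xdp off` the HW-GRO re-enable can stay pending and be applied during an unrelated `ethtool -L`; it assumes (not stated on the page) that RSS buckets index user-visible rings. The `fixed` flag contrasts the buggy ordering with the fix's behaviour of recalculating features at XDP detach time.

```c
/* Added example: a small C model of the ring-accounting cancellation the
 * commit message describes. Not bnxt_en code; struct nic_model and all
 * functions here are invented. From the page: HW-GRO makes the "effective"
 * Rx ring count 2x the user-visible one, the RSS table is rebuilt only when
 * that count changes, and after "xdp off" the HW-GRO re-enable stays pending.
 * Assumed (not stated on the page): RSS buckets index user-visible rings. */
#include <stdbool.h>
#include <stdio.h>

#define RSS_TABLE_SIZE 128

struct nic_model {
    int user_rx_rings;             /* ring count `ethtool -l` shows */
    bool hw_gro;                   /* HW-GRO currently applied */
    bool hw_gro_pending;           /* requested but not yet recalculated */
    int resv_rx_rings;             /* last reserved effective count */
    int rss_table[RSS_TABLE_SIZE]; /* user-visible ring index per bucket */
};

static int effective_rx_rings(const struct nic_model *n)
{
    return n->user_rx_rings * (n->hw_gro ? 2 : 1);
}

static void rebuild_rss_table(struct nic_model *n)
{
    for (int i = 0; i < RSS_TABLE_SIZE; i++)
        n->rss_table[i] = i % n->user_rx_rings;
}

/* Models the old_rx_rings != resv_rx_rings gate in __bnxt_reserve_rings(). */
static void reserve_rings(struct nic_model *n)
{
    int old_rx_rings = n->resv_rx_rings;
    n->resv_rx_rings = effective_rx_rings(n);
    if (old_rx_rings != n->resv_rx_rings)
        rebuild_rss_table(n);
}

static void apply_pending_features(struct nic_model *n)
{
    if (n->hw_gro_pending) {
        n->hw_gro = true;
        n->hw_gro_pending = false;
    }
}

/* True if some bucket still names a ring beyond the current count: the
 * freed-ring access behind the NULL-pointer oops. */
bool rss_table_dangling(const struct nic_model *n)
{
    for (int i = 0; i < RSS_TABLE_SIZE; i++)
        if (n->rss_table[i] >= n->user_rx_rings)
            return true;
    return false;
}

/* "ip li set dev eth0 xdp off": fixed=false leaves HW-GRO re-enable pending
 * (the bug); fixed=true recalculates features right away (the fix). */
void xdp_off(struct nic_model *n, bool fixed)
{
    n->hw_gro_pending = true;
    if (fixed) {
        apply_pending_features(n);
        reserve_rings(n);
    }
}

/* "ethtool -L eth0 rx N": any pending feature rides along with the change. */
void set_channels(struct nic_model *n, int rx_rings)
{
    n->user_rx_rings = rx_rings;
    apply_pending_features(n);
    reserve_rings(n);
}

/* The commit message's sequence: XDP attached (HW-GRO off) with 8 rings,
 * then xdp off, then ethtool -L halves the rings. */
bool scenario_dangling(bool fixed)
{
    struct nic_model n = { .user_rx_rings = 8 };
    n.resv_rx_rings = effective_rx_rings(&n);
    rebuild_rss_table(&n);
    xdp_off(&n, fixed);
    set_channels(&n, 4); /* 4 x2 for HW-GRO == old 8, so the gate stays shut */
    return rss_table_dangling(&n);
}

int main(void)
{
    printf("buggy path leaves stale RSS entries: %s\n",
           scenario_dangling(false) ? "yes" : "no");
    printf("fixed path leaves stale RSS entries: %s\n",
           scenario_dangling(true) ? "yes" : "no");
    return 0;
}
```

In the buggy ordering the reservation gate compares 8 (8 rings, no HW-GRO) against 8 (4 rings with the HW-GRO 2x), sees no change, and keeps an RSS table that still points at rings 4 through 7 after they have been freed. Applying the feature change at detach time makes the two changes happen in separate reconfigurations, so each one trips the gate and the table is rebuilt.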
Impact
Base Score (CVSS v3.x):
5.50
Severity (CVSS v3.x):
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.16 (including) | 6.12.11 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:* | | |