CVE-2025-21682

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
31/01/2025
Last modified:
04/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

eth: bnxt: always recalculate features after XDP clearing, fix null-deref

Recalculate features when XDP is detached.

Before:
# ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
# ip li set dev eth0 xdp off
# ethtool -k eth0 | grep gro
rx-gro-hw: off [requested on]

After:
# ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
# ip li set dev eth0 xdp off
# ethtool -k eth0 | grep gro
rx-gro-hw: on

The fact that HW-GRO doesn't get re-enabled automatically is just a minor annoyance. The real issue is that the features will randomly come back during another reconfiguration which just happens to invoke netdev_update_features(). The driver doesn't handle reconfiguring two things at a time very robustly.

Starting with commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") we only reconfigure the RSS hash table if the "effective" number of Rx rings has changed. If HW-GRO is enabled, the "effective" number of rings is 2x what the user sees. So if we are in the bad state, with HW-GRO re-enablement "pending" after XDP off, and we lower the rings by / 2 - the HW-GRO rings doing 2x and the ethtool -L doing / 2 may cancel each other out, and the:

if (old_rx_rings != bp->hw_resc.resv_rx_rings &&

condition in __bnxt_reserve_rings() will be false. The RSS map won't get updated, and we'll crash with:

BUG: kernel NULL pointer dereference, address: 0000000000000168
RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0
bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180
__bnxt_setup_vnic_p5+0x58/0x110
bnxt_init_nic+0xb72/0xf50
__bnxt_open_nic+0x40d/0xab0
bnxt_open_nic+0x2b/0x60
ethtool_set_channels+0x18c/0x1d0

As we try to access a freed ring.

The issue is present since XDP support was added, really, but prior to commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") it wasn't causing major issues.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.16 (including) 6.12.11 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*
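The following triage helper is an added example; it is not part of this advisory, of the kernel tree or of the bnxt_en driver. It turns the CPE ranges in the table above and the "Before" symptom in the commit message into three checks a host can run without a NIC reboot: is the running kernel version inside the listed ranges, is the interface driven by bnxt_en, and does `ethtool -k` still show an offload as "off [requested on]" (the pending-recalculation state the commit describes after `xdp off`). The version parser, the `ethtool` output shapes it matches, and the sample inputs are assumptions of this example; the sample outputs are constructed, not captured from hardware.

```shell
#!/bin/sh
# Added triage helper, not from the advisory or the kernel tree.
# Assumptions: affected ranges are exactly the CPE ranges listed in the table;
# `ethtool -i` prints "driver: <name>"; `ethtool -k` prints
# "<feature>: off [requested on]" for an offload whose re-enable is pending.

# Map a kernel version string to one sortable integer:
#   "6.12.11"        -> 6012011999  (final release: rc slot = 999)
#   "6.13-rc3"       -> 6013000003
#   "6.13.0-rc3"     -> 6013000003
#   "6.1.0-18-amd64" -> 6001000999  (a distro suffix is not an rc)
kver_key() {
    v=$1
    base=${v%%-*}                 # "6.12.11" from "6.12.11-18-amd64"
    rest=${v#"$base"}             # "-rc3", "-18-amd64" or ""
    rc=999
    case $rest in
        -rc[0-9]*) rc=${rest#-rc}; rc=${rc%%[!0-9]*} ;;
    esac
    maj=${base%%.*}; t=${base#"$maj"}; t=${t#.}
    min=${t%%.*};    t=${t#"$min"};    t=${t#.}
    pat=${t%%.*}
    # Drop any non-digit tail (e.g. "11+"); missing fields default to 0.
    maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}
    echo $(( ((${maj:-0} * 1000 + ${min:-0}) * 1000 + ${pat:-0}) * 1000 + $rc ))
}

# True when $1 falls in the listed CPE ranges:
#   [4.16, 6.12.11)  or  6.13-rc1 .. 6.13-rc7 (inclusive).
cve_2025_21682_affected() {
    k=$(kver_key "$1")
    [ "$k" -ge "$(kver_key 4.16)" ] && [ "$k" -lt "$(kver_key 6.12.11)" ] && return 0
    [ "$k" -ge "$(kver_key 6.13-rc1)" ] && [ "$k" -le "$(kver_key 6.13-rc7)" ] && return 0
    return 1
}

# Read `ethtool -i <dev>` on stdin; true when the interface uses bnxt_en.
uses_bnxt_en() {
    grep -q '^driver: bnxt_en$'
}

# Read `ethtool -k <dev>` on stdin; print offloads that are off but still
# "[requested on]", the stale state shown in the commit's "Before" block.
pending_features() {
    sed -n 's/^[[:space:]]*\([a-z0-9-]*\): off \[requested on\]$/\1/p'
}

# One verdict line per interface.
# $1 = kernel version, $2 = `ethtool -i` text, $3 = `ethtool -k` text.
triage() {
    if ! cve_2025_21682_affected "$1"; then
        echo "kernel $1 outside the listed CPE ranges"
    elif ! printf '%s\n' "$2" | uses_bnxt_en; then
        echo "kernel $1 in range but interface is not bnxt_en"
    else
        pend=$(printf '%s\n' "$3" | pending_features | tr '\n' ' ')
        pend=${pend% }
        echo "kernel $1 in range, bnxt_en present, pending features: ${pend:-none}"
    fi
}

# Constructed sample output (not captured from real hardware) mirroring the
# commit message's "Before" state after `xdp off`.
SAMPLE_DRIVER='driver: bnxt_en
bus-info: 0000:03:00.0'
SAMPLE_FEATURES='rx-gro-hw: off [requested on]
rx-gro: on
rx-gro-list: off'

# Demo on the constructed input; on a real host pass "$(uname -r)",
# "$(ethtool -i "$dev")" and "$(ethtool -k "$dev")" instead.
triage 6.12.10 "$SAMPLE_DRIVER" "$SAMPLE_FEATURES"
triage 6.12.11 "$SAMPLE_DRIVER" "$SAMPLE_FEATURES"
```

Read an "in range" verdict as a prompt to check the vendor advisory rather than as a confirmed vulnerability: CPE version ranges describe mainline, and distribution or stable kernels that backported the fix keep a version string that still sits inside the range. Conversely, a host outside the range is only safe with respect to this CVE; the commit notes the underlying double-reconfiguration weakness predates the RSS logic change and was merely less visible. The crash path in the trace requires a bnxt_en interface that has had XDP attached and detached and then has its ring count lowered with `ethtool -L`, so hosts where a pending offload is reported are the ones to prioritise.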