CVE-2025-68770

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
13/01/2026
Last modified:
14/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix XDP_TX path

For XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not correct. __bnxt_poll_work() -> bnxt_rx_pkt() -> bnxt_rx_xdp() may be looping within NAPI and some event flags may be set in earlier iterations. In particular, if BNXT_TX_EVENT is set earlier indicating some XDP_TX packets are ready and pending, it will be cleared if it is XDP_TX action again. Normally, we will set BNXT_TX_EVENT again when we successfully call __bnxt_xmit_xdp(). But if the TX ring has no more room, the flag will not be set. This will cause the TX producer to be ahead but the driver will not hit the TX doorbell.

For multi-buf XDP_TX, there is no need to clear the event flags and set BNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier in bnxt_rx_pkt().

The visible symptom of this is that the RX ring associated with the TX XDP ring will eventually become empty and all packets will be dropped. Because this condition will cause the driver to not refill the RX ring seeing that the TX ring has forever pending XDP_TX packets.

The fix is to only clear BNXT_RX_EVENT when we have successfully called __bnxt_xmit_xdp().
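The lost-doorbell condition described above, as an added user-space model that is not the bnxt_en driver's code. The flag names come from the description; the bit values, the `model_*` names, the ring struct and the assumption that the RX path sets BNXT_RX_EVENT for every packet are constructed for illustration.

```c
#include <stdio.h>

/* Flag names are from the advisory; the bit values are constructed for this model. */
#define BNXT_RX_EVENT 0x1u
#define BNXT_TX_EVENT 0x4u
struct model_ring {
    unsigned tx_free; /* free TX descriptors */
    unsigned tx_prod; /* TX producer index advanced by software */
    unsigned tx_db;   /* producer value last written to the TX doorbell */
};

/* Hypothetical stand-in for __bnxt_xmit_xdp(): queue one packet if there is room. */
static int model_xmit(struct model_ring *r)
{
    if (r->tx_free == 0)
        return 0;
    r->tx_free--; r->tx_prod++;
    return 1;
}

/* One XDP_TX verdict. fixed == 0 models the flag handling described as incorrect. */
static void model_xdp_tx(struct model_ring *r, unsigned *event, int fixed)
{
    if (!fixed)
        *event = 0; /* also wipes BNXT_TX_EVENT set by an earlier iteration */
    if (model_xmit(r)) {
        if (fixed)
            *event &= ~BNXT_RX_EVENT; /* cleared only after a successful xmit */
        *event |= BNXT_TX_EVENT;
    }
}

/* One poll pass of npkts XDP_TX packets; returns packets queued but never doorbelled. */
static unsigned model_poll(unsigned tx_free, unsigned npkts, int fixed)
{
    struct model_ring r = { tx_free, 0, 0 };
    unsigned event = 0;
    for (unsigned i = 0; i < npkts; i++) {
        event |= BNXT_RX_EVENT; /* assumption: RX path flags every packet */
        model_xdp_tx(&r, &event, fixed);
    }
    if (event & BNXT_TX_EVENT)
        r.tx_db = r.tx_prod; /* TX doorbell is hit only if the flag survived */
    return r.tx_prod - r.tx_db;
}

int main(void)
{
    printf("stranded: before=%u after=%u\n", model_poll(2, 3, 0), model_poll(2, 3, 1));
}
```

With room for two packets and three XDP_TX verdicts in one pass, the pre-fix handling leaves two queued packets without a doorbell, while the post-fix handling leaves none.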

Impact