CVE-2025-39855
Severity:
Pending analysis
Type:
Not Available / Other type
Publication date:
19/09/2025
Last modified:
19/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ice: fix NULL access of tx->in_use in ice_ptp_ts_irq

The E810 device has support for a "low latency" firmware interface to
access and read the Tx timestamps. This interface does not use the standard
Tx timestamp logic, due to the latency overhead of proxying sideband
command requests over the firmware AdminQ.

The logic still makes use of the Tx timestamp tracking structure,
ice_ptp_tx, as it uses the same "ready" bitmap to track which Tx
timestamps complete.

Unfortunately, the ice_ptp_ts_irq() function does not check if the tracker
is initialized before its first access. This results in NULL dereference or
use-after-free bugs similar to the following:

[245977.278756] BUG: kernel NULL pointer dereference, address: 0000000000000000
[245977.278774] RIP: 0010:_find_first_bit+0x19/0x40
[245977.278796] Call Trace:
[245977.278809] ? ice_misc_intr+0x364/0x380 [ice]

This can occur if a Tx timestamp interrupt races with the driver reset
logic.

Fix this by only checking the in_use bitmap (and other fields) if the
tracker is marked as initialized. The reset flow will clear the init field
under lock before it tears the tracker down, thus preventing any
use-after-free or NULL access.
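
The guard described in the fix, as an added example that is not the ice driver's code: a user-space C model of an interrupt path that reads the in_use bitmap only while the tracker is marked initialized. The names `struct tx_tracker`, `tracker_setup`, `tracker_teardown` and `tracker_irq_pending`, and the pthread mutex standing in for the kernel lock, are assumptions made for illustration.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

#define BITS (8 * sizeof(unsigned long))

/* Hypothetical model of a Tx timestamp tracker (not the driver's struct). */
struct tx_tracker {
    pthread_mutex_t lock;
    bool init;              /* cleared under lock before teardown */
    unsigned long *in_use;  /* bitmap of outstanding timestamps */
    unsigned int len;       /* number of valid bits in the bitmap */
};

void tracker_setup(struct tx_tracker *tx, unsigned int len)
{
    pthread_mutex_init(&tx->lock, NULL);
    tx->in_use = calloc((len + BITS - 1) / BITS, sizeof(unsigned long));
    tx->len = len;
    tx->init = (tx->in_use != NULL);
}

/* Reset path: clear init under the lock first, only then free the bitmap. */
void tracker_teardown(struct tx_tracker *tx)
{
    pthread_mutex_lock(&tx->lock);
    tx->init = false;
    pthread_mutex_unlock(&tx->lock);
    free(tx->in_use);
    tx->in_use = NULL;
}

/* Interrupt-path model: 1 if a timestamp is outstanding, 0 if none,
 * -1 if the tracker is not initialized (the bitmap is never touched). */
int tracker_irq_pending(struct tx_tracker *tx)
{
    int ret = -1;

    pthread_mutex_lock(&tx->lock);
    if (tx->init) {
        ret = 0;
        for (unsigned int i = 0; i < tx->len; i++)
            if (tx->in_use[i / BITS] & (1UL << (i % BITS)))
                ret = 1;
    }
    pthread_mutex_unlock(&tx->lock);
    return ret;
}
```

Because the teardown path flips `init` while holding the same lock the reader takes, a reader either finishes its bitmap scan before the free or observes `init == false` and skips the scan.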