CVE-2026-23438

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: mvpp2: guard flow control update with global_tx_fc in buffer switching<br /> <br /> mvpp2_bm_switch_buffers() unconditionally calls<br /> mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and<br /> shared buffer pool modes. This function programs CM3 flow control<br /> registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference<br /> priv-&gt;cm3_base without any NULL check.<br /> <br /> When the CM3 SRAM resource is not present in the device tree (the<br /> third reg entry added by commit 60523583b07c ("dts: marvell: add CM3<br /> SRAM memory to cp11x ethernet device tree")), priv-&gt;cm3_base remains<br /> NULL and priv-&gt;global_tx_fc is false. Any operation that triggers<br /> mvpp2_bm_switch_buffers(), for example an MTU change that crosses<br /> the jumbo frame threshold, will crash:<br /> <br /> Unable to handle kernel NULL pointer dereference at<br /> virtual address 0000000000000000<br /> Mem abort info:<br /> ESR = 0x0000000096000006<br /> EC = 0x25: DABT (current EL), IL = 32 bits<br /> pc : readl+0x0/0x18<br /> lr : mvpp2_cm3_read.isra.0+0x14/0x20<br /> Call trace:<br /> readl+0x0/0x18<br /> mvpp2_bm_pool_update_fc+0x40/0x12c<br /> mvpp2_bm_pool_update_priv_fc+0x94/0xd8<br /> mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0<br /> mvpp2_change_mtu+0x140/0x380<br /> __dev_set_mtu+0x1c/0x38<br /> dev_set_mtu_ext+0x78/0x118<br /> dev_set_mtu+0x48/0xa8<br /> dev_ifsioc+0x21c/0x43c<br /> dev_ioctl+0x2d8/0x42c<br /> sock_ioctl+0x314/0x378<br /> <br /> Every other flow control call site in the driver already guards<br /> hardware access with either priv-&gt;global_tx_fc or port-&gt;tx_fc.<br /> mvpp2_bm_switch_buffers() is the only place that omits this check.<br /> <br /> Add the missing priv-&gt;global_tx_fc guard to both the disable and<br /> re-enable calls in mvpp2_bm_switch_buffers(), consistent with the<br /> rest of the driver.