CVE-2025-21682

EUVD-2025-2631

31.01.2025, 12:15

In the Linux kernel, the following vulnerability has been resolved:

eth: bnxt: always recalculate features after XDP clearing, fix null-deref

Recalculate features when XDP is detached.

Before:
  # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
  # ip li set dev eth0 xdp off
  # ethtool -k eth0 | grep gro
  rx-gro-hw: off [requested on]

After:
  # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
  # ip li set dev eth0 xdp off
  # ethtool -k eth0 | grep gro
  rx-gro-hw: on

The fact that HW-GRO doesn't get re-enabled automatically is just
a minor annoyance. The real issue is that the features will randomly
come back during another reconfiguration which just happens to invoke
netdev_update_features(). The driver doesn't handle reconfiguring
two things at a time very robustly.

Starting with commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in
__bnxt_reserve_rings()") we only reconfigure the RSS hash table
if the "effective" number of Rx rings has changed. If HW-GRO is
enabled "effective" number of rings is 2x what user sees.
So if we are in the bad state, with HW-GRO re-enablement "pending"
after XDP off, and we lower the rings by / 2 - the HW-GRO rings
doing 2x and the ethtool -L doing / 2 may cancel each other out,
and the:

  if (old_rx_rings != bp->hw_resc.resv_rx_rings &&

condition in __bnxt_reserve_rings() will be false.
The RSS map won't get updated, and we'll crash with:

  BUG: kernel NULL pointer dereference, address: 0000000000000168
  RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0
    bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180
    __bnxt_setup_vnic_p5+0x58/0x110
    bnxt_init_nic+0xb72/0xf50
    __bnxt_open_nic+0x40d/0xab0
    bnxt_open_nic+0x2b/0x60
    ethtool_set_channels+0x18c/0x1d0

As we try to access a freed ring.

The issue is present since XDP support was added, really, but
prior to commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in
__bnxt_reserve_rings()") it wasn't causing major issues.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	4.16 ≤ 𝑥 < 6.12.11
linux	linux_kernel	6.13:rc1
linux	linux_kernel	6.13:rc2
linux	linux_kernel	6.13:rc3
linux	linux_kernel	6.13:rc4
linux	linux_kernel	6.13:rc5
linux	linux_kernel	6.13:rc6
linux	linux_kernel	6.13:rc7

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	vulnerable
bookworm (security)	6.1.170-1 fixed
bullseye	vulnerable
bullseye (security)	vulnerable
forky	6.19.14-1 fixed
sid	7.0.3-1 fixed
trixie	6.12.73-1 fixed
trixie (security)	6.12.85-1 fixed

linux-6.1

bullseye (security)

6.1.170-1~deb11u1

fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 12 SP5

4.12.14-122.247.1

fixed

dlm-kmp-default

suse enterprise server 12 SP5

4.12.14-122.247.1

fixed

gfs2-kmp-default

suse enterprise server 12 SP5

4.12.14-122.247.1

fixed

kernel-64kb

suse enterprise desktop 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.51.1 fixed

kernel-azure

suse enterprise sap 15 SP6	6.4.0-150600.8.26.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.8.26.1 fixed

kernel-default

suse enterprise desktop 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise server 12 SP5	4.12.14-122.247.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.51.1 fixed

kernel-default-base

suse enterprise desktop 15 SP6	6.4.0-150600.23.38.1.150600.12.16.2 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.38.1.150600.12.16.2 fixed
suse enterprise server 12 SP5	4.12.14-122.247.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.38.1.150600.12.16.2 fixed

kernel-default-man

suse enterprise server 12 SP5

4.12.14-122.247.1

fixed

kernel-docs

suse enterprise desktop 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.51.2 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.51.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.51.2 fixed

kernel-macros

suse enterprise desktop 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise server 12 SP5	4.12.14-122.247.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.51.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.51.2 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.51.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.51.2 fixed

kernel-source

suse enterprise desktop 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise server 12 SP5	4.12.14-122.247.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.51.1 fixed

kernel-source-azure

suse enterprise sap 15 SP6	6.4.0-150600.8.26.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.8.26.1 fixed

kernel-syms

suse enterprise desktop 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise server 12 SP5	4.12.14-122.247.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.51.1 fixed

kernel-syms-azure

suse enterprise sap 15 SP6	6.4.0-150600.8.26.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.8.26.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.51.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.38.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.51.1 fixed

ocfs2-kmp-default

suse enterprise server 12 SP5

4.12.14-122.247.1

fixed

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://git.kernel.org/stable/c/076a694a42ae3f0466bc6e4126050eeb7b7d299a

https://git.kernel.org/stable/c/08831a894d18abfaabb5bbde7c2069a7fb41dd93

https://git.kernel.org/stable/c/90336fc3d6f5e716ac39a9ddbbde453e23a5aa65

https://git.kernel.org/stable/c/f0aa6a37a3dbb40b272df5fc6db93c114688adcd