CVE-2025-21682 Information

Feb 01, 2025 cve

Description

In the Linux kernel the following vulnerability has been resolved:

eth: bnxt: always recalculate features after XDP clearing fix null-deref

Recalculate features when XDP is detached.

Before: ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp ip li set dev eth0 xdp off ethtool -k eth0 | grep gro rx-gro-hw: off [requested on]

After: ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp ip li set dev eth0 xdp off ethtool -k eth0 | grep gro rx-gro-hw: on

The fact that HW-GRO doesn’t get re-enabled automatically is just a minor annoyance. The real issue is that the features will randomly come back during another reconfiguration which just happens to invoke netdev_update_features(). The driver doesn’t handle reconfiguring two things at a time very robustly.

Starting with commit 98ba1d931f61 (nxt_en: Fix RSS logic in __bnxt_reserve_rings()) we only reconfigure the RSS hash table if the ffective\ number of Rx rings has changed. If HW-GRO is enabled ffective\ number of rings is 2x what user sees. So if we are in the bad state with HW-GRO re-enablement \pending\nafter XDP off and we lower the rings by / 2 - the HW-GRO rings doing 2x and the ethtool -L doing / 2 may cancel each other out and the:

if (old_rx_rings != bp->hw_resc.resv_rx_rings &&

condition in __bnxt_reserve_rings() will be false. The RSS map won’t get updated and we’ll crash with:

BUG: kernel NULL pointer dereference address: 0000000000000168 RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0 bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180 __bnxt_setup_vnic_p5+0x58/0x110 bnxt_init_nic+0xb72/0xf50 __bnxt_open_nic+0x40d/0xab0 bnxt_open_nic+0x2b/0x60 ethtool_set_channels+0x18c/0x1d0

As we try to access a freed ring.

The issue is present since XDP support was added really but prior to commit 98ba1d931f61 (nxt_en: Fix RSS logic in __bnxt_reserve_rings()) it wasn’t causing major issues.

Reference

https://git.kernel.org/stable/c/08831a894d18abfaabb5bbde7c2069a7fb41dd93 https://git.kernel.org/stable/c/f0aa6a37a3dbb40b272df5fc6db93c114688adcd

Share on: