vulnerability

Ubuntu: (Multiple Advisories) (CVE-2025-21682): Linux kernel vulnerabilities

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:L/AC:L/Au:S/C:N/I:N/A:C)	Jan 31, 2025	Apr 24, 2025	Aug 18, 2025

Severity

CVSS

(AV:L/AC:L/Au:S/C:N/I:N/A:C)

Published

Jan 31, 2025

Added

Apr 24, 2025

Modified

Aug 18, 2025

Description

In the Linux kernel, the following vulnerability has been resolved:

eth: bnxt: always recalculate features after XDP clearing, fix null-deref

Recalculate features when XDP is detached.

Before:
# ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
# ip li set dev eth0 xdp off
# ethtool -k eth0 | grep gro
rx-gro-hw: off [requested on]

After:
# ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
# ip li set dev eth0 xdp off
# ethtool -k eth0 | grep gro
rx-gro-hw: on

The fact that HW-GRO doesn't get re-enabled automatically is just
a minor annoyance. The real issue is that the features will randomly
come back during another reconfiguration which just happens to invoke
netdev_update_features(). The driver doesn't handle reconfiguring
two things at a time very robustly.

Starting with commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in
__bnxt_reserve_rings()") we only reconfigure the RSS hash table
if the "effective" number of Rx rings has changed. If HW-GRO is
enabled "effective" number of rings is 2x what user sees.
So if we are in the bad state, with HW-GRO re-enablement "pending"
after XDP off, and we lower the rings by / 2 - the HW-GRO rings
doing 2x and the ethtool -L doing / 2 may cancel each other out,
and the:

if (old_rx_rings != bp->hw_resc.resv_rx_rings &&

condition in __bnxt_reserve_rings() will be false.
The RSS map won't get updated, and we'll crash with:

BUG: kernel NULL pointer dereference, address: 0000000000000168
RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0
bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180
__bnxt_setup_vnic_p5+0x58/0x110
bnxt_init_nic+0xb72/0xf50
__bnxt_open_nic+0x40d/0xab0
bnxt_open_nic+0x2b/0x60
ethtool_set_channels+0x18c/0x1d0

As we try to access a freed ring.

The issue is present since XDP support was added, really, but
prior to commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in
__bnxt_reserve_rings()") it wasn't causing major issues.

Solutions

ubuntu-upgrade-linux-image-6-11-0-1008-realtimeubuntu-upgrade-linux-image-6-11-0-1011-raspiubuntu-upgrade-linux-image-6-11-0-1012-awsubuntu-upgrade-linux-image-6-11-0-1012-lowlatencyubuntu-upgrade-linux-image-6-11-0-1012-lowlatency-64kubuntu-upgrade-linux-image-6-11-0-1013-azureubuntu-upgrade-linux-image-6-11-0-1013-azure-fdeubuntu-upgrade-linux-image-6-11-0-1013-gcpubuntu-upgrade-linux-image-6-11-0-1013-gcp-64kubuntu-upgrade-linux-image-6-11-0-1014-oracleubuntu-upgrade-linux-image-6-11-0-1014-oracle-64kubuntu-upgrade-linux-image-6-11-0-1020-oemubuntu-upgrade-linux-image-6-11-0-24-genericubuntu-upgrade-linux-image-6-11-0-24-generic-64kubuntu-upgrade-linux-image-6-8-0-1013-gkeopubuntu-upgrade-linux-image-6-8-0-1018-azure-nvidiaubuntu-upgrade-linux-image-6-8-0-1026-gkeubuntu-upgrade-linux-image-6-8-0-1027-ibmubuntu-upgrade-linux-image-6-8-0-1027-oracleubuntu-upgrade-linux-image-6-8-0-1027-oracle-64kubuntu-upgrade-linux-image-6-8-0-1029-nvidiaubuntu-upgrade-linux-image-6-8-0-1029-nvidia-64kubuntu-upgrade-linux-image-6-8-0-1029-nvidia-lowlatencyubuntu-upgrade-linux-image-6-8-0-1029-nvidia-lowlatency-64kubuntu-upgrade-linux-image-6-8-0-1029-oemubuntu-upgrade-linux-image-6-8-0-1029-raspiubuntu-upgrade-linux-image-6-8-0-1030-awsubuntu-upgrade-linux-image-6-8-0-1030-aws-64kubuntu-upgrade-linux-image-6-8-0-1030-azureubuntu-upgrade-linux-image-6-8-0-1030-azure-fdeubuntu-upgrade-linux-image-6-8-0-1031-gcpubuntu-upgrade-linux-image-6-8-0-1031-gcp-64kubuntu-upgrade-linux-image-6-8-0-2024-raspi-realtimeubuntu-upgrade-linux-image-6-8-0-62-genericubuntu-upgrade-linux-image-6-8-0-62-generic-64kubuntu-upgrade-linux-image-6-8-0-62-lowlatencyubuntu-upgrade-linux-image-6-8-0-62-lowlatency-64kubuntu-upgrade-linux-image-6-8-0-64-genericubuntu-upgrade-linux-image-6-8-0-64-generic-64kubuntu-upgrade-linux-image-6-8-1-1023-realtimeubuntu-upgrade-linux-image-awsubuntu-upgrade-linux-image-aws-64kubuntu-upgrade-linux-image-aws-64k-lts-24-04ubuntu-upgrade-linux-image-aws-lts-24-04ubuntu-upgrade-linux-image-azureubuntu-upgrade-linux-image-azure-fdeubuntu-upgrade-linux-image-azure-fde-lts-24-04ubuntu-upgrade-linux-image-azure-lts-24-04ubuntu-upgrade-linux-image-azure-nvidiaubuntu-upgrade-linux-image-gcpubuntu-upgrade-linux-image-gcp-64kubuntu-upgrade-linux-image-gcp-64k-lts-24-04ubuntu-upgrade-linux-image-gcp-lts-24-04ubuntu-upgrade-linux-image-genericubuntu-upgrade-linux-image-generic-6-8ubuntu-upgrade-linux-image-generic-64kubuntu-upgrade-linux-image-generic-64k-6-8ubuntu-upgrade-linux-image-generic-64k-hwe-22-04ubuntu-upgrade-linux-image-generic-64k-hwe-24-04ubuntu-upgrade-linux-image-generic-hwe-22-04ubuntu-upgrade-linux-image-generic-hwe-24-04ubuntu-upgrade-linux-image-generic-lpaeubuntu-upgrade-linux-image-gkeubuntu-upgrade-linux-image-gkeopubuntu-upgrade-linux-image-gkeop-6-8ubuntu-upgrade-linux-image-ibmubuntu-upgrade-linux-image-ibm-classicubuntu-upgrade-linux-image-ibm-lts-24-04ubuntu-upgrade-linux-image-kvmubuntu-upgrade-linux-image-lowlatencyubuntu-upgrade-linux-image-lowlatency-64kubuntu-upgrade-linux-image-lowlatency-64k-hwe-22-04ubuntu-upgrade-linux-image-lowlatency-64k-hwe-24-04ubuntu-upgrade-linux-image-lowlatency-hwe-22-04ubuntu-upgrade-linux-image-lowlatency-hwe-24-04ubuntu-upgrade-linux-image-nvidiaubuntu-upgrade-linux-image-nvidia-6-8ubuntu-upgrade-linux-image-nvidia-64kubuntu-upgrade-linux-image-nvidia-64k-6-8ubuntu-upgrade-linux-image-nvidia-64k-hwe-22-04ubuntu-upgrade-linux-image-nvidia-hwe-22-04ubuntu-upgrade-linux-image-nvidia-lowlatencyubuntu-upgrade-linux-image-nvidia-lowlatency-64kubuntu-upgrade-linux-image-oem-22-04ubuntu-upgrade-linux-image-oem-22-04aubuntu-upgrade-linux-image-oem-22-04bubuntu-upgrade-linux-image-oem-22-04cubuntu-upgrade-linux-image-oem-22-04dubuntu-upgrade-linux-image-oem-24-04ubuntu-upgrade-linux-image-oem-24-04aubuntu-upgrade-linux-image-oem-24-04bubuntu-upgrade-linux-image-oracleubuntu-upgrade-linux-image-oracle-64kubuntu-upgrade-linux-image-oracle-64k-lts-24-04ubuntu-upgrade-linux-image-oracle-lts-24-04ubuntu-upgrade-linux-image-raspiubuntu-upgrade-linux-image-raspi-realtimeubuntu-upgrade-linux-image-realtimeubuntu-upgrade-linux-image-virtualubuntu-upgrade-linux-image-virtual-6-8ubuntu-upgrade-linux-image-virtual-hwe-22-04ubuntu-upgrade-linux-image-virtual-hwe-24-04

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today