Message-ID: <2025072501-CVE-2025-38439-3f3b@gregkh>
Date: Fri, 25 Jul 2025 17:28:01 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38439: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT

When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set()
with the proper length instead of 0. This bug triggers this warning
on a system with IOMMU enabled:

WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170
RIP: 0010:__iommu_dma_unmap+0x159/0x170
Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45
b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00
RSP: 0018:ff22d31181150c88 EFLAGS: 00010206
RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000
R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000
R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00
FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0
PKRU: 55555554
Call Trace:
<IRQ>
? show_regs+0x6d/0x80
? __warn+0x89/0x160
? __iommu_dma_unmap+0x159/0x170
? report_bug+0x17e/0x1b0
? handle_bug+0x46/0x90
? exc_invalid_op+0x18/0x80
? asm_exc_invalid_op+0x1b/0x20
? __iommu_dma_unmap+0x159/0x170
? __iommu_dma_unmap+0xb3/0x170
iommu_dma_unmap_page+0x4f/0x100
dma_unmap_page_attrs+0x52/0x220
? srso_alias_return_thunk+0x5/0xfbef5
? xdp_return_frame+0x2e/0xd0
bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en]
__bnxt_poll_work_done+0x81/0x1e0 [bnxt_en]
bnxt_poll+0xd3/0x1e0 [bnxt_en]
The Linux kernel CVE team has assigned CVE-2025-38439 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.3 with commit f18c2b77b2e4eec2313d519ba125bd6a069513cf and fixed in 5.4.296 with commit e260f4d49370c85a4701d43c6d16b8c39f8b605f
Issue introduced in 5.3 with commit f18c2b77b2e4eec2313d519ba125bd6a069513cf and fixed in 5.10.240 with commit 16ae306602163fcb7ae83f2701b542e43c100cee
Issue introduced in 5.3 with commit f18c2b77b2e4eec2313d519ba125bd6a069513cf and fixed in 5.15.189 with commit 8d672a1a6bfc81fef9151925c9c0481f4acf4bec
Issue introduced in 5.3 with commit f18c2b77b2e4eec2313d519ba125bd6a069513cf and fixed in 6.1.146 with commit f9eaf6d036075dc820520e1194692c0619b7297b
Issue introduced in 5.3 with commit f18c2b77b2e4eec2313d519ba125bd6a069513cf and fixed in 6.6.99 with commit 5909679a82cd74cf0343d9e3ddf4b6931aa7e613
Issue introduced in 5.3 with commit f18c2b77b2e4eec2313d519ba125bd6a069513cf and fixed in 6.12.39 with commit f154e41e1d9d15ab21300ba7bbf0ebb5cb3b9c2a
Issue introduced in 5.3 with commit f18c2b77b2e4eec2313d519ba125bd6a069513cf and fixed in 6.15.7 with commit 50dad9909715094e7d9ca25e9e0412b875987519
Issue introduced in 5.3 with commit f18c2b77b2e4eec2313d519ba125bd6a069513cf and fixed in 6.16-rc6 with commit 3cdf199d4755d477972ee87110b2aebc88b3cfad
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38439
will be updated if fixes are backported; please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/e260f4d49370c85a4701d43c6d16b8c39f8b605f
https://git.kernel.org/stable/c/16ae306602163fcb7ae83f2701b542e43c100cee
https://git.kernel.org/stable/c/8d672a1a6bfc81fef9151925c9c0481f4acf4bec
https://git.kernel.org/stable/c/f9eaf6d036075dc820520e1194692c0619b7297b
https://git.kernel.org/stable/c/5909679a82cd74cf0343d9e3ddf4b6931aa7e613
https://git.kernel.org/stable/c/f154e41e1d9d15ab21300ba7bbf0ebb5cb3b9c2a
https://git.kernel.org/stable/c/50dad9909715094e7d9ca25e9e0412b875987519
https://git.kernel.org/stable/c/3cdf199d4755d477972ee87110b2aebc88b3cfad
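
The version list and the warning signature above can be combined into a triage check. The Python below is an added example, not part of the advisory or the kernel sources; the names `status` and `bnxt_unmap_warnings` and the sample log are constructed for illustration. The version comparison assumes an upstream kernel.org release string, since distribution kernels may carry the fix under a different version number.

```python
import re

# Fixed point releases per stable series, copied from the advisory's list.
FIXED = {(5, 4): 296, (5, 10): 240, (5, 15): 189, (6, 1): 146,
         (6, 6): 99, (6, 12): 39, (6, 15): 7}
INTRODUCED = (5, 3)       # first affected series
MAINLINE = (6, 16)        # fixed in 6.16-rc6
MAINLINE_RC = 6

def status(release):
    """Classify an upstream release string, e.g. '6.6.98' or '6.16-rc5'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised release: {release!r}")
    series, patch = (int(m[1]), int(m[2])), int(m[3] or 0)
    rc = int(m[4]) if m[4] else None
    if series < INTRODUCED or series > MAINLINE:
        return "not affected" if series < INTRODUCED else "fixed"
    if series == MAINLINE:
        return "affected" if rc is not None and rc < MAINLINE_RC else "fixed"
    if series in FIXED and rc is None and patch >= FIXED[series]:
        return "fixed"
    return "affected"   # includes series with no fix listed in the advisory

def bnxt_unmap_warnings(log_text):
    """Return __iommu_dma_unmap WARNING lines whose trace reaches bnxt_tx_int_xdp."""
    hits, current = [], None
    for line in log_text.splitlines():
        if "WARNING:" in line:
            current = line.strip() if "__iommu_dma_unmap" in line else None
        elif current and "bnxt_tx_int_xdp" in line:
            hits.append(current)
            current = None
    return hits

# Constructed sample: the advisory's signature plus an unrelated warning.
SAMPLE_LOG = """\
[  101.1] WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170
[  101.1]  iommu_dma_unmap_page+0x4f/0x100
[  101.1]  bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en]
[  202.2] WARNING: CPU: 2 PID: 7 at kernel/example.c:1 example_fn+0x1/0x2
[  202.2]  bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en]
"""

if __name__ == "__main__":
    for rel in ("5.2.21", "5.15.188", "6.6.99", "6.16-rc5", "6.16.0"):
        print(rel, status(rel))
    print(bnxt_unmap_warnings(SAMPLE_LOG))
```

On a live host the inputs would be the output of `uname -r` and the kernel log; the warning only appears when an IOMMU is enabled, so its absence does not show that a kernel is fixed.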