{"id":"CVE-2025-21682","summary":"eth: bnxt: always recalculate features after XDP clearing, fix null-deref","details":"In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: always recalculate features after XDP clearing, fix null-deref\n\nRecalculate features when XDP is detached.\n\nBefore:\n  # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp\n  # ip li set dev eth0 xdp off\n  # ethtool -k eth0 | grep gro\n  rx-gro-hw: off [requested on]\n\nAfter:\n  # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp\n  # ip li set dev eth0 xdp off\n  # ethtool -k eth0 | grep gro\n  rx-gro-hw: on\n\nThe fact that HW-GRO doesn't get re-enabled automatically is just\na minor annoyance. The real issue is that the features will randomly\ncome back during another reconfiguration which just happens to invoke\nnetdev_update_features(). The driver doesn't handle reconfiguring\ntwo things at a time very robustly.\n\nStarting with commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in\n__bnxt_reserve_rings()\") we only reconfigure the RSS hash table\nif the \"effective\" number of Rx rings has changed. If HW-GRO is\nenabled \"effective\" number of rings is 2x what user sees.\nSo if we are in the bad state, with HW-GRO re-enablement \"pending\"\nafter XDP off, and we lower the rings by / 2 - the HW-GRO rings\ndoing 2x and the ethtool -L doing / 2 may cancel each other out,\nand the:\n\n  if (old_rx_rings != bp-\u003ehw_resc.resv_rx_rings &&\n\ncondition in __bnxt_reserve_rings() will be false.\nThe RSS map won't get updated, and we'll crash with:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000168\n  RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0\n    bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180\n    __bnxt_setup_vnic_p5+0x58/0x110\n    bnxt_init_nic+0xb72/0xf50\n    __bnxt_open_nic+0x40d/0xab0\n    bnxt_open_nic+0x2b/0x60\n    ethtool_set_channels+0x18c/0x1d0\n\nAs we try to access a freed ring.\n\nThe issue is present since XDP support was added, really, but\nprior to commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in\n__bnxt_reserve_rings()\") it wasn't causing major issues.","modified":"2026-04-02T12:45:11.290218Z","published":"2025-01-31T11:25:42.160Z","related":["SUSE-SU-2025:0428-1","SUSE-SU-2025:0499-1","SUSE-SU-2025:0557-1","SUSE-SU-2025:0564-1","SUSE-SU-2025:0565-1","SUSE-SU-2025:20165-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20248-1","SUSE-SU-2025:20249-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21682.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/076a694a42ae3f0466bc6e4126050eeb7b7d299a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/08831a894d18abfaabb5bbde7c2069a7fb41dd93"},{"type":"WEB","url":"https://git.kernel.org/stable/c/90336fc3d6f5e716ac39a9ddbbde453e23a5aa65"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f0aa6a37a3dbb40b272df5fc6db93c114688adcd"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21682.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21682"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1054aee82321483dceabbb9b9e5d6512e8fe684b"},{"fixed":"076a694a42ae3f0466bc6e4126050eeb7b7d299a"},{"fixed":"90336fc3d6f5e716ac39a9ddbbde453e23a5aa65"},{"fixed":"08831a894d18abfaabb5bbde7c2069a7fb41dd93"},{"fixed":"f0aa6a37a3dbb40b272df5fc6db93c114688adcd"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21682.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}