{"id":"CVE-2026-23438","summary":"net: mvpp2: guard flow control update with global_tx_fc in buffer switching","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: guard flow control update with global_tx_fc in buffer switching\n\nmvpp2_bm_switch_buffers() unconditionally calls\nmvpp2_bm_pool_update_priv_fc() when switching between per-cpu and\nshared buffer pool modes. This function programs CM3 flow control\nregisters via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference\npriv-\u003ecm3_base without any NULL check.\n\nWhen the CM3 SRAM resource is not present in the device tree (the\nthird reg entry added by commit 60523583b07c (\"dts: marvell: add CM3\nSRAM memory to cp11x ethernet device tree\")), priv-\u003ecm3_base remains\nNULL and priv-\u003eglobal_tx_fc is false. Any operation that triggers\nmvpp2_bm_switch_buffers(), for example an MTU change that crosses\nthe jumbo frame threshold, will crash:\n\n  Unable to handle kernel NULL pointer dereference at\n  virtual address 0000000000000000\n  Mem abort info:\n    ESR = 0x0000000096000006\n    EC = 0x25: DABT (current EL), IL = 32 bits\n  pc : readl+0x0/0x18\n  lr : mvpp2_cm3_read.isra.0+0x14/0x20\n  Call trace:\n   readl+0x0/0x18\n   mvpp2_bm_pool_update_fc+0x40/0x12c\n   mvpp2_bm_pool_update_priv_fc+0x94/0xd8\n   mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0\n   mvpp2_change_mtu+0x140/0x380\n   __dev_set_mtu+0x1c/0x38\n   dev_set_mtu_ext+0x78/0x118\n   dev_set_mtu+0x48/0xa8\n   dev_ifsioc+0x21c/0x43c\n   dev_ioctl+0x2d8/0x42c\n   sock_ioctl+0x314/0x378\n\nEvery other flow control call site in the driver already guards\nhardware access with either priv-\u003eglobal_tx_fc or port-\u003etx_fc.\nmvpp2_bm_switch_buffers() is the only place that omits this check.\n\nAdd the missing priv-\u003eglobal_tx_fc guard to both the disable and\nre-enable calls in mvpp2_bm_switch_buffers(), consistent with the\nrest of the driver.","modified":"2026-07-16T03:31:12.148907446Z","published":"2026-04-03T15:15:22.701Z","related":["SUSE-SU-2026:22099-1","SUSE-SU-2026:22108-1","SUSE-SU-2026:22112-1","SUSE-SU-2026:22117-1","SUSE-SU-2026:22127-1","SUSE-SU-2026:22137-1","SUSE-SU-2026:22433-1","SUSE-SU-2026:22458-1","SUSE-SU-2026:2482-1","SUSE-SU-2026:2591-1","openSUSE-SU-2026:20965-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23438.json"},"references":[{"type":"WEB","url":"https://cert-portal.siemens.com/productcert/html/ssa-019113.html"},{"type":"WEB","url":"https://cert-portal.siemens.com/productcert/html/ssa-082556.html"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0cfcd31f98fc608dc9406bff3fee3a9dd364d014"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8a63baadf08453f66eb582fdb6dd234f72024723"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8baced53a35fc9710f80d6ca016a2c418dc3231f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/da089f74a993f846685067b14158cb41b879ff29"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ff0c54f088f7ab91dbbf47cf8244460f99122750"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23438.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23438"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3a616b92a9d17448d96a33bf58e69f01457fd43a"},{"fixed":"0cfcd31f98fc608dc9406bff3fee3a9dd364d014"},{"fixed":"da089f74a993f846685067b14158cb41b879ff29"},{"fixed":"ff0c54f088f7ab91dbbf47cf8244460f99122750"},{"fixed":"7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f"},{"fixed":"7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9"},{"fixed":"8baced53a35fc9710f80d6ca016a2c418dc3231f"},{"fixed":"8a63baadf08453f66eb582fdb6dd234f72024723"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23438.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.12.0"},{"fixed":"5.15.203"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.167"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.130"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.78"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.20"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23438.json"}}],"schema_version":"1.7.5"}