** Description changed:
+ [ Impact ]
+
+ net/sched: cls_api: fix error handling causing NULL dereference
+
+ tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can
+ return 1 if the allocation succeeded after wrapping. This was treated as
+ an error, with value 1 returned to caller tcf_exts_init_ex() which sets
+ exts->actions to NULL and returns 1 to caller fl_change().
+
+ fl_change() treats err == 1 as success, calling tcf_exts_validate_ex()
+ which calls tcf_action_init() with exts->actions as argument, where it
+ is dereferenced.
+
+ [ Fix ]
+
+ Cherry pick the fix commit from mainline:
+ - 071ed42cff4f net/sched: cls_api: fix error handling causing NULL dereference
+
+ [ Test Plan ]
+
+ Compile tested.
+
+ [ Where Problems Could Occur ]
+
+ A regression here is unlikely due to the very limited scope
+ of the patch.
+
+ ---
+
Currently linux-bluefield is vulnerable to
https://ubuntu.com/security/CVE-2025-21857.
I encountered instances of this on several hundred BF3 cards that
crashed over time with a null pointer dereference causing outages.
-
- The latest Bluefield image builds are affected
https://github.com/Mellanox/bfb-build/blob/9e80eb358e7bb9e62328039745cc43d69eefc64a/ubuntu/22.04/Dockerfile#L33-L46
(bf-bundle-2.10.0-147_25.01_ubuntu-22.04)
+ The latest Bluefield image builds are affected
+ https://github.com/Mellanox/bfb-
+
build/blob/9e80eb358e7bb9e62328039745cc43d69eefc64a/ubuntu/22.04/Dockerfile#L33-L46
+ (bf-bundle-2.10.0-147_25.01_ubuntu-22.04)
The unpatched function in linux-bluefield:
https://git.launchpad.net/~canonical-kernel/ubuntu/+source/linux-bluefield/+git/jammy/tree/net/sched/cls_api.c?h=master-next#n99
static int
tcf_exts_miss_cookie_base_alloc(struct tcf_exts *exts, struct tcf_proto *tp,
- u32 handle)
+ u32 handle)
{
- // ...
- if (err)
- goto err_xa_alloc;
-
+ // ...
+ if (err)
+ goto err_xa_alloc;
The upstream one-liner:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3c74b5787caf59bb1e9c5fe0a360643a71eb1e8a
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 8e47e5355be613..4f648af8cfaafe 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -97,7 +97,7 @@ tcf_exts_miss_cookie_base_alloc(struct tcf_exts *exts,
struct tcf_proto *tp,
-
- err = xa_alloc_cyclic(&tcf_exts_miss_cookies_xa, &n->miss_cookie_base,
- n, xa_limit_32b, &next, GFP_KERNEL);
+
+ err = xa_alloc_cyclic(&tcf_exts_miss_cookies_xa, &n->miss_cookie_base,
+ n, xa_limit_32b, &next, GFP_KERNEL);
- if (err)
+ if (err < 0)
- goto err_xa_alloc;
+ goto err_xa_alloc;
** Also affects: linux-bluefield (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: linux-bluefield (Ubuntu Jammy)
Importance: Undecided
Status: New
** Changed in: linux-bluefield (Ubuntu Jammy)
Status: New => In Progress
** Changed in: linux-bluefield (Ubuntu Noble)
Status: New => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2109993
Title:
linux-bluefield is vulnerable to CVE-2025-21857
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/2109993/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
