CVE-2025-21717

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21717
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21717.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21717
Downstream
Related
Published
2025-02-27T02:07:27Z
Modified
2025-10-09T21:33:39.103143Z
Summary
net/mlx5e: add missing cpu_to_node to kvzalloc_node in mlx5e_open_xdpredirect_sq
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: add missing cputonode to kvzallocnode in mlx5eopenxdpredirectsq

kvzallocnode is not doing a runtime check on the node argument (allocpagesnodenoprof does have a VMBUGON, but it expands to nothing on !CONFIGDEBUGVM builds), so doing any ethtool/netlink operation that calls mlx5eopen on a CPU that's larger that MAXNUMNODES triggers OOB access and panic (see the trace below).

Add missing cputonode call to convert cpu id to node id.

[ 165.427394] mlx5core 0000:5c:00.0 beth1: Link up [ 166.479327] BUG: unable to handle page fault for address: 0000000800000010 [ 166.494592] #PF: supervisor read access in kernel mode [ 166.505995] #PF: errorcode(0x0000) - not-present page ... [ 166.816958] Call Trace: [ 166.822380] <TASK> [ 166.827034] ? diebody+0x64/0xb0 [ 166.834774] ? pagefaultoops+0x2cd/0x3f0 [ 166.843862] ? excpagefault+0x63/0x130 [ 166.852564] ? asmexcpagefault+0x22/0x30 [ 166.861843] ? _kvmallocnodenoprof+0x43/0xd0 [ 166.871897] ? getpartialnode+0x1c/0x320 [ 166.880983] ? deactivateslab+0x269/0x2b0 [ 166.890069] slaballoc+0x521/0xa90 [ 166.898389] ? _kvmallocnodenoprof+0x43/0xd0 [ 166.908442] _kmallocnodenoprof+0x216/0x3f0 [ 166.918302] ? _kvmallocnodenoprof+0x43/0xd0 [ 166.928354] _kvmallocnodenoprof+0x43/0xd0 [ 166.938021] mlx5eopenchannels+0x5e2/0xc00 [ 166.947496] mlx5eopenlocked+0x3e/0xf0 [ 166.956201] mlx5eopen+0x23/0x50 [ 166.963551] _devopen+0x114/0x1c0 [ 166.971292] _devchangeflags+0xa2/0x1b0 [ 166.980378] devchangeflags+0x21/0x60 [ 166.988887] dosetlink+0x38d/0xf20 [ 166.996628] ? eppollcallback+0x1b9/0x240 [ 167.005910] ? _nlavalidateparse.llvm.10713395753544950386+0x80/0xd70 [ 167.020782] ? _wakeupsynckey+0x52/0x80 [ 167.030066] ? _mutexlock+0xff/0x550 [ 167.038382] ? securitycapable+0x50/0x90 [ 167.047279] rtnlsetlink+0x1c9/0x210 [ 167.055403] ? eppollcallback+0x1b9/0x240 [ 167.064684] ? securitycapable+0x50/0x90 [ 167.073579] rtnetlinkrcvmsg+0x2f9/0x310 [ 167.082667] ? rtnetlinkbind+0x30/0x30 [ 167.091173] netlinkrcvskb+0xb1/0xe0 [ 167.099492] netlinkunicast+0x20f/0x2e0 [ 167.108191] netlinksendmsg+0x389/0x420 [ 167.116896] _syssendto+0x158/0x1c0 [ 167.125024] _x64syssendto+0x22/0x30 [ 167.133534] dosyscall64+0x63/0x130 [ 167.141657] ? _irqexitrcu.llvm.17843942359718260576+0x52/0xd0 [ 167.155181] entrySYSCALL64afterhwframe+0x4b/0x53

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bb135e40129ddd254cfb474b58981313be79a631
Fixed
a275db45b4161d01716559dd7557db9ea0450952
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bb135e40129ddd254cfb474b58981313be79a631
Fixed
979284535aaf12a287a2f43d9d5dfcbdc1dc4cac

Affected versions

v6.*

v6.12
v6.12-rc6
v6.12-rc7
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.2