CVE-2025-21799

In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65cpswnussremovetx_chns()

When getting the IRQ we use k3udmagluetxget_irq() which returns negative error value on error. So not NULL check is not sufficient to deteremine if IRQ is valid. Check that IRQ is greater then zero to ensure it is valid.

There is no issue at probe time but at runtime user can invoke .setchannels which results in the following call chain. am65cpswsetchannels() am65cpswnussupdatetxrxchns() am65cpswnussremovetxchns() am65cpswnussinittxchns()

At this point if am65cpswnussinittxchns() fails due to k3udmagluetxgetirq() then tx_chn->irq will be set to a negative value.

Then, at subsequent .setchannels with higher channel count we will attempt to free an invalid IRQ in am65cpswnussremovetxchns() leading to a kernel warning.

The issue is present in the original commit that introduced this driver, although there, am65cpswnussupdatetxrxchns() existed as am65cpswnussupdatetx_chns().