The full kernel trace that I got.

May 02 07:19:27 <redacted>-bf3-a kernel: Unable to handle kernel NULL pointer 
dereference at virtual address 0000000000000000
May 02 07:19:27 <redacted>-bf3-a kernel: Mem abort info:
May 02 07:19:27 <redacted>-bf3-a kernel:  ESR = 0x0000000096000044
May 02 07:19:27 <redacted>-bf3-a kernel:  EC = 0x25: DABT (current EL), IL = 32 
bits
May 02 07:19:27 <redacted>-bf3-a kernel:  SET = 0, FnV = 0
May 02 07:19:27 <redacted>-bf3-a kernel:  EA = 0, S1PTW = 0
May 02 07:19:27 <redacted>-bf3-a kernel:  FSC = 0x04: level 0 translation fault
May 02 07:19:27 <redacted>-bf3-a kernel: Data abort info:
May 02 07:19:27 <redacted>-bf3-a kernel:  ISV = 0, ISS = 0x00000044
May 02 07:19:27 <redacted>-bf3-a kernel:  CM = 0, WnR = 1
May 02 07:19:27 <redacted>-bf3-a kernel: user pgtable: 4k pages, 48-bit VAs, 
pgdp=000000019915d000
May 02 07:19:27 <redacted>-bf3-a kernel: [0000000000000000] 
pgd=0000000000000000, p4d=0000000000000000
May 02 07:19:29 <redacted>-bf3-a kernel: Internal error: Oops: 0000000096000044 
[#1] SMP
May 02 07:19:29 <redacted>-bf3-a kernel: Modules linked in: act_tunnel_key 
act_ct nf_flow_table act_csum act_pedit xt_multiport geneve ip6_udp_tunnel 
udp_tunnel nf_conntrack_netlink dummy sbsa_gwdt xfrm_interface xfrm6_tunnel 
tunnel6 tunnel4 xfrm_user xfrm_algo nvm>
May 02 07:19:29 <redacted>-bf3-a kernel: tls crypto_simd cryptd psample 
mlxdevm(O) nvme(O) aes_ce_cipher gpio_mlxbf3 crct10dif_ce ghash_ce sha2_ce 
sha256_arm64 sha1_ce vitesse nvme_core(O) mlx_compat(O) sdhci_of_dwcmshc 
sdhci_pltfm sdhci i2c_mlxbf mlxbf_gige mlxbf>
May 02 07:19:29 <redacted>-bf3-a kernel: CPU: 14 PID: 3079621 Comm: handler12 
Tainted: G      O   5.15.0-1050-bluefield #52-Ubuntu
May 02 07:19:29 <redacted>-bf3-a kernel: Hardware name: 
https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC 
Main Card, BIOS 4.8.0.13249 Aug 7 2024
May 02 07:19:29 <redacted>-bf3-a kernel: pstate: 80400009 (Nzcv daif +PAN -UAO 
-TCO -DIT -SSBS BTYPE=--)
May 02 07:19:29 <redacted>-bf3-a kernel: pc : tcf_action_init+0x200/0x340
May 02 07:19:29 <redacted>-bf3-a kernel: lr : tcf_action_init+0x1f4/0x340
May 02 07:19:29 <redacted>-bf3-a kernel: sp : ffff80000ed23190
May 02 07:19:29 <redacted>-bf3-a kernel: x29: ffff80000ed23190 x28: 
00000000000000e0 x27: 0000000000000000
May 02 07:19:29 <redacted>-bf3-a kernel: x26: ffff0001191dbc00 x25: 
ffffd48bee06dcc0 x24: ffff80000ed2349c
May 02 07:19:29 <redacted>-bf3-a kernel: x23: ffff0000ea8ed400 x22: 
ffff80000ed23950 x21: 0000000000000000
May 02 07:19:29 <redacted>-bf3-a kernel: x20: 00000000000a0000 x19: 
ffff80000ed23220 x18: 0000000000000000
May 02 07:19:29 <redacted>-bf3-a kernel: x17: 0000000000000000 x16: 
ffffd48beb31d3d0 x15: 0000ffff78006f80
May 02 07:19:29 <redacted>-bf3-a kernel: x14: 0000000000000391 x13: 
0000000000000000 x12: 000000000000038c
May 02 07:19:29 <redacted>-bf3-a kernel: x11: 0000000000000005 x10: 
000000000000036a x9 : ffffd48bec156a90
May 02 07:19:29 <redacted>-bf3-a kernel: x8 : ffff00019fd17b00 x7 : 
0000000000000000 x6 : 000000000000003f
May 02 07:19:29 <redacted>-bf3-a kernel: x5 : 0000000000000040 x4 : 
ffff80000ed22fb0 x3 : ffff0000ea8ed400
May 02 07:19:29 <redacted>-bf3-a kernel: x2 : 0000000000000000 x1 : 
0000000000000000 x0 : 00000000000000e0
May 02 07:19:29 <redacted>-bf3-a kernel: Call trace:
May 02 07:19:29 <redacted>-bf3-a kernel: tcf_action_init+0x200/0x340
May 02 07:19:29 <redacted>-bf3-a kernel: tcf_exts_validate+0x16c/0x184
May 02 07:19:29 <redacted>-bf3-a kernel: fl_set_parms+0x6c/0x5f0 [cls_flower]
May 02 07:19:29 <redacted>-bf3-a kernel: fl_change+0x3a0/0xc2c [cls_flower]
May 02 07:19:29 <redacted>-bf3-a kernel: tc_new_tfilter+0x2f4/0x8bc
May 02 07:19:29 <redacted>-bf3-a kernel: rtnetlink_rcv_msg+0x2e8/0x3c4
May 02 07:19:29 <redacted>-bf3-a kernel: netlink_rcv_skb+0x64/0x130
May 02 07:19:29 <redacted>-bf3-a kernel: rtnetlink_rcv+0x20/0x30
May 02 07:19:29 <redacted>-bf3-a kernel: netlink_unicast+0x2ec/0x360
May 02 07:19:29 <redacted>-bf3-a kernel: netlink_sendmsg+0x278/0x490
May 02 07:19:29 <redacted>-bf3-a kernel: __sock_sendmsg+0x5c/0x6c
May 02 07:19:29 <redacted>-bf3-a kernel: ____sys_sendmsg+0x290/0x2d4
May 02 07:19:29 <redacted>-bf3-a kernel: ___sys_sendmsg+0x84/0xd0
May 02 07:19:29 <redacted>-bf3-a kernel: __sys_sendmsg+0x70/0xd0
May 02 07:19:29 <redacted>-bf3-a kernel: __arm64_sys_sendmsg+0x2c/0x40
May 02 07:19:29 <redacted>-bf3-a kernel: invoke_syscall+0x78/0x100
May 02 07:19:29 <redacted>-bf3-a kernel: el0_svc_common.constprop.0+0x54/0x184
May 02 07:19:29 <redacted>-bf3-a kernel: do_el0_svc+0x30/0xac
May 02 07:19:29 <redacted>-bf3-a kernel: el0_svc+0x48/0x160
May 02 07:19:29 <redacted>-bf3-a kernel: el0t_64_sync_handler+0xa4/0x12c
May 02 07:19:29 <redacted>-bf3-a kernel: el0t_64_sync+0x1a4/0x1a8
May 02 07:19:29 <redacted>-bf3-a kernel: Code: 97fff794 91001318 f94033e1 
8b00039c (f8357837)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-bluefield in Ubuntu.
https://bugs.launchpad.net/bugs/2109993

Title:
  linux-bluefield is vulnerable to CVE-2025-21857

Status in linux-bluefield package in Ubuntu:
  Confirmed

Bug description:
  Currently linux-bluefield is vulnerable to
  https://ubuntu.com/security/CVE-2025-21857.

  I encountered instances of this on several hundred BF3 cards that
  crashed over time with a null pointer dereference causing outages.

  
  The latest Bluefield image builds are affected 
https://github.com/Mellanox/bfb-build/blob/9e80eb358e7bb9e62328039745cc43d69eefc64a/ubuntu/22.04/Dockerfile#L33-L46
 (bf-bundle-2.10.0-147_25.01_ubuntu-22.04)

  The unpatched function in linux-bluefield:

  
https://git.launchpad.net/~canonical-kernel/ubuntu/+source/linux-bluefield/+git/jammy/tree/net/sched/cls_api.c?h=master-next#n99
  static int
  tcf_exts_miss_cookie_base_alloc(struct tcf_exts *exts, struct tcf_proto *tp,
                                  u32 handle)
  {
          // ...
          if (err)
                  goto err_xa_alloc;
          // ...
  }

  
  The upstream one-liner:
  
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3c74b5787caf59bb1e9c5fe0a360643a71eb1e8a

  diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
  index 8e47e5355be613..4f648af8cfaafe 100644
  --- a/net/sched/cls_api.c
  +++ b/net/sched/cls_api.c
  @@ -97,7 +97,7 @@ tcf_exts_miss_cookie_base_alloc(struct tcf_exts *exts, 
struct tcf_proto *tp,
   
        err = xa_alloc_cyclic(&tcf_exts_miss_cookies_xa, &n->miss_cookie_base,
                              n, xa_limit_32b, &next, GFP_KERNEL);
  -     if (err)
  +     if (err < 0)
                goto err_xa_alloc;
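
Review bot: with the test relaxed to `if (err < 0)`, a positive return from xa_alloc_cyclic() (it returns 1 when the allocation succeeded after the cyclic counter wrapped) now continues past this check, so the success path after this hunk should return 0 explicitly rather than propagate err. A short comment above the test stating that only negative values are errors here would keep the check from being simplified back to `if (err)`. For the linux-bluefield backport, confirm that the tree's copy of tcf_exts_miss_cookie_base_alloc() still has the same xa_alloc_cyclic() call and err_xa_alloc label as the context lines shown here.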

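Added example, not part of the bug report or the kernel source: a userspace C model of the return-value check discussed in the bug description above, assuming only the documented xa_alloc_cyclic() convention (0 on success, 1 on success after wrapping, negative errno on failure). The names model_alloc_cyclic, cookie_base_alloc and result_after_fill and the four-entry ID space are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#define MODEL_IDS 4 /* constructed: tiny ID space so the wrap comes quickly */

/* Userspace model, not kernel code. It mirrors only the return convention of
 * xa_alloc_cyclic(): 0 = allocated, 1 = allocated after wrapping, <0 = errno. */
struct cyclic_ids { unsigned char used[MODEL_IDS]; uint32_t next; };

static int model_alloc_cyclic(struct cyclic_ids *a, uint32_t *id)
{
    for (uint32_t i = 0; i < MODEL_IDS; i++) {
        uint32_t cand = (a->next + i) % MODEL_IDS;
        if (a->used[cand])
            continue;
        int wrapped = cand < a->next; /* search passed the top of the range */
        a->used[cand] = 1;
        a->next = cand + 1;
        *id = cand;
        return wrapped;
    }
    return -EBUSY; /* no free ID left */
}

/* patched=0: "if (err)" (unpatched); patched=1: "if (err < 0)" (upstream fix). */
static int cookie_base_alloc(struct cyclic_ids *a, uint32_t *id, int patched)
{
    int err = model_alloc_cyclic(a, id);
    if (patched ? err < 0 : err != 0)
        return err; /* stands in for "goto err_xa_alloc" */
    return 0;
}

/* Fill the ID space, optionally release ID 0, then return the next result. */
static int result_after_fill(int patched, int release_id0)
{
    struct cyclic_ids a = {0};
    uint32_t id = 0;
    for (int i = 0; i < MODEL_IDS; i++)
        cookie_base_alloc(&a, &id, patched);
    if (release_id0)
        a.used[0] = 0;
    return cookie_base_alloc(&a, &id, patched);
}

int main(void)
{
    printf("wrap: unpatched=%d patched=%d\n", result_after_fill(0, 1), result_after_fill(1, 1));
    return 0;
}
```

With the unpatched check, the successful allocation after the wrap is handed back to the caller as a non-zero, non-negative result; genuine exhaustion is reported as a negative errno by both variants.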