IM
IronMonkey Threat Research

CVE-2025-71095 MEDIUM

Published: 2026-01-13 | Last Modified: 2026-07-14 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDP_TX action There is a crash issue when running zero copy XDP_TX action, the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP [ 216.301694] Call trace: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 [ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 [ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 [ 216.326576] __napi_poll+0x40/0x218 [ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt For XDP_TX action, the xdp_buff is converted to xdp_frame by xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame depends on the memory type of the xdp_buff. For page pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy XSK pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the memory type and always uses the page pool type, this leads to invalid mappings and causes the crash. Therefore, check the xdp_buff memory type in stmmac_xdp_xmit_back() to fix this issue.

Additional Descriptions (1)

En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: net: stmmac: solucionar el problema de bloqueo para la acción XDP_TX de copia cero Existe un problema de bloqueo al ejecutar la acción XDP_TX de copia cero; el registro de bloqueo se muestra a continuación. [ 216.122464] No se puede manejar la solicitud de paginación del kernel en la dirección virtual fffeffff80000000 [ 216.187524] Error interno: Oops: 0000000096000144 [#1] SMP [ 216.301694] Traza de llamadas: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 [ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 [ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 [ 216.326576] __napi_poll+0x40/0x218 [ 216.408054] Pánico del kernel - no sincronizando: Oops: Excepción fatal en interrupción Para la acción XDP_TX, el xdp_buff se convierte a xdp_frame mediante xdp_convert_buff_to_frame(). El tipo de memoria del xdp_frame resultante depende del tipo de memoria del xdp_buff. Para xdp_buff basado en pool de páginas, produce xdp_frame con tipo de memoria MEM_TYPE_PAGE_POOL. Para xdp_buff basado en pool XSK de copia cero, produce xdp_frame con tipo de memoria MEM_TYPE_PAGE_ORDER0. Sin embargo, stmmac_xdp_xmit_back() no verifica el tipo de memoria y siempre usa el tipo de pool de páginas, lo que lleva a mapeos inválidos y causa el bloqueo. Por lo tanto, verifique el tipo de memoria del xdp_buff en stmmac_xdp_xmit_back() para solucionar este problema.

CVSS Metrics

Base Score: 5.5 (MEDIUM)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack VectorLOCAL
Attack ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 3.6

Weaknesses

Source Type Description
[email protected] Primary
en NVD-CWE-noinfo

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702bdd67f140> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd67da00> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bfc1df180> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b8052f440> Operating System
linux linux_kernel 5.13 <built-in method update of dict object at 0x702bdd67c180> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702b8052e900> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bdd67e000> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bfc335140> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bdd67fe40> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702b8052e280> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702b80e2e040> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bdd67d1c0> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702b80e2c7c0> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:5.13:-:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*

References

Notification
Message here