CVE-2025-68220
Description
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error
Make knav_dma_open_channel consistently return NULL on error instead of ERR_PTR. Currently the header include/linux/soc/ti/knav_dma.h returns NULL when the driver is disabled, but the driver implementation does not even return NULL or ERR_PTR on failure, causing inconsistency in the users. This results in a crash in netcp_free_navigator_resources as followed (trimmed):
Unhandled fault: alignment exception (0x221) at 0xfffffff2 [fffffff2] *pgd=80000800207003, *pmd=82ffda003, *pte=00000000 Internal error: : 221 [#1] SMP ARM Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc7 #1 NONE Hardware name: Keystone PC is at knav_dma_close_channel+0x30/0x19c LR is at netcp_free_navigator_resources+0x2c/0x28c
[... TRIM...]
Call trace: knav_dma_close_channel from netcp_free_navigator_resources+0x2c/0x28c netcp_free_navigator_resources from netcp_ndo_open+0x430/0x46c netcp_ndo_open from __dev_open+0x114/0x29c __dev_open from __dev_change_flags+0x190/0x208 __dev_change_flags from netif_change_flags+0x1c/0x58 netif_change_flags from dev_change_flags+0x38/0xa0 dev_change_flags from ip_auto_config+0x2c4/0x11f0 ip_auto_config from do_one_initcall+0x58/0x200 do_one_initcall from kernel_init_freeable+0x1cc/0x238 kernel_init_freeable from kernel_init+0x1c/0x12c kernel_init from ret_from_fork+0x14/0x38 [... TRIM...]
Standardize the error handling by making the function return NULL on all error conditions. The API is used in just the netcp_core.c so the impact is limited.
Note, this change, in effect reverts commit 5b6cb43b4d62 ("net: ethernet: ti: netcp_core: return error while dma channel open issue"), but provides a less error prone implementation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's TI NetCP driver, knav_dma_open_channel returns inconsistent error values, leading to a NULL pointer dereference and crash during network interface open.
Root
Cause
The vulnerability lies in the TI Keystone Navigator DMA (knav_dma) driver) API. The function knav_dma_open_channel does not consistently return NULL on failure. The header file include/linux/soc/ti/knav_dma.h declares that it returns NULL when the driver is disabled, but the actual implementation returns an uninitialized or ERR_PTR value on error. This inconsistency causes callers, specifically netcp_free_navigator_resources, to treat a non-NULL error pointer as a valid channel, leading to a crash when knav_dma_close_channel is called on that invalid pointer [1].
Exploitation
The bug is triggered during the network interface open sequence (netcp_ndo_open). When knav_dma_open_channel fails, it returns an invalid pointer instead of NULL. The caller netcp_free_navigator_resources then passes this pointer to knav_dma_close_channel, which dereferences it, causing an alignment exception and kernel panic. The attack surface is local; an attacker with the ability to trigger a network interface open (e.g., via ip link set up) on a system with the TI NetCP driver can cause a denial of service. No authentication is required beyond local access to the network interface [1].
Impact
A successful exploit results in a denial of service (system crash) due to a kernel NULL pointer dereference or alignment fault. The crash trace shows an "Unhandled fault: alignment exception" at address 0xfffffff2, indicating the invalid pointer was used as a channel handle. This can lead to system unavailability, especially during boot if the interface is brought up automatically [1].
Mitigation
The fix standardizes knav_dma_open_channel to return NULL on all error conditions, ensuring callers can safely check for failure. The patch has been applied to the Linux kernel stable tree. Users should update to a update to a kernel version containing the commit af6b10a13fc0 or later. No workaround is available other than avoiding the use of the affected driver or network interface [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/2572c358ee434ce4b994472cceeb4043cbff5bc5nvd
- git.kernel.org/stable/c/3afeb909c3e2e0eb19b1e20506196e5f2d9c2259nvd
- git.kernel.org/stable/c/8427218ecbd7f8559c37972e66cb0fa06e82353bnvd
- git.kernel.org/stable/c/90a88306eb874fe4bbdd860e6c9787f5bbc588b5nvd
- git.kernel.org/stable/c/952637c5b9be64539cd0e13ef88db71a1df46373nvd
- git.kernel.org/stable/c/af6b10a13fc0aee37df4a8292414cc055c263fa3nvd
- git.kernel.org/stable/c/f9608637ecc165d7d6341df105aee44691461fb9nvd
- git.kernel.org/stable/c/fbb53727ca789a8d27052aab4b77ca9e2a0fae2bnvd
News mentions
0No linked articles in our index yet.