In the Linux kernel, the following vulnerability has been resolved:
eth: bnxt: do not update checksum in bnxt_xdp_build_skb()
bnxt_rx_pkt() updates the ip_summed value at the end if checksum offload is enabled. When the XDP-MB program is attached and it returns XDP_PASS, bnxt_xdp_build_skb() is called to update skb_shared_info. The main purpose of bnxt_xdp_build_skb() is to update skb_shared_info, but it updates the ip_summed value too if checksum offload is enabled. This is actually duplicate work.
When bnxt_rx_pkt() updates the ip_summed value, it checks whether ip_summed is CHECKSUM_NONE. This means that ip_summed should be CHECKSUM_NONE at this moment. But ip_summed may already have been updated to CHECKSUM_UNNECESSARY in the XDP-MB-PASS path, so skb_checksum_none_assert() WARNs about it.
This is duplicate work, and updating ip_summed in bnxt_xdp_build_skb() is not needed.
Splat looks like:
 WARNING: CPU: 3 PID: 5782 at ./include/linux/skbuff.h:5155 bnxt_rx_pkt+0x479b/0x7610 [bnxt_en]
 Modules linked in: bnxt_re bnxt_en rdma_ucm rdma_cm iw_cm ib_cm ib_uverbs veth xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf]
 CPU: 3 UID: 0 PID: 5782 Comm: socat Tainted: G W 6.14.0-rc4+ #27
 Tainted: [W]=WARN
 Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021
 RIP: 0010:bnxt_rx_pkt+0x479b/0x7610 [bnxt_en]
 Code: 54 24 0c 4c 89 f1 4c 89 ff c1 ea 1f ff d3 0f 1f 00 49 89 c6 48 85 c0 0f 84 4c e5 ff ff 48 89 c7 e8 ca 3d a0 c8 e9 8f f4 ff ff <0f> 0b f
 RSP: 0018:ffff88881ba09928 EFLAGS: 00010202
 RAX: 0000000000000000 RBX: 00000000c7590303 RCX: 0000000000000000
 RDX: 1ffff1104e7d1610 RSI: 0000000000000001 RDI: ffff8881c91300b8
 RBP: ffff88881ba09b28 R08: ffff888273e8b0d0 R09: ffff888273e8b070
 R10: ffff888273e8b010 R11: ffff888278b0f000 R12: ffff888273e8b080
 R13: ffff8881c9130e00 R14: ffff8881505d3800 R15: ffff888273e8b000
 FS: 00007f5a2e7be080(0000) GS:ffff88881ba00000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007fff2e708ff8 CR3: 000000013e3b0000 CR4: 00000000007506f0
 PKRU: 55555554
 Call Trace:
 <IRQ>
 ? __warn+0xcd/0x2f0
 ? bnxt_rx_pkt+0x479b/0x7610
 ? report_bug+0x326/0x3c0
 ? handle_bug+0x53/0xa0
 ? exc_invalid_op+0x14/0x50
 ? asm_exc_invalid_op+0x16/0x20
 ? bnxt_rx_pkt+0x479b/0x7610
 ? bnxt_rx_pkt+0x3e41/0x7610
 ? __pfx_bnxt_rx_pkt+0x10/0x10
 ? napi_complete_done+0x2cf/0x7d0
 __bnxt_poll_work+0x4e8/0x1220
 ? __pfx_bnxt_poll_work+0x10/0x10
 ? __pfx_mark_lock.part.0+0x10/0x10
 bnxt_poll_p5+0x36a/0xfa0
 ? __pfx_bnxt_poll_p5+0x10/0x10
 __napi_poll.constprop.0+0xa0/0x440
 net_rx_action+0x899/0xd00
 ...
The following ping.py patch adds an xdp-mb-pass case, so ping.py is going to be able to reproduce this issue.
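The ordering problem described above, as a simplified userspace model added here for illustration (not the driver's code). The model_* functions, struct model_skb and warn_count are hypothetical stand-ins for bnxt_xdp_build_skb(), the tail of bnxt_rx_pkt(), struct sk_buff and the WARN splat.

```c
#include <stdbool.h>
#include <stdio.h>

/* Same numeric values as the kernel's CHECKSUM_* constants. */
enum { CHECKSUM_NONE = 0, CHECKSUM_UNNECESSARY = 1 };

struct model_skb { int ip_summed; int nr_frags; };  /* hypothetical, not sk_buff */
static int warn_count;                              /* stands in for the WARN splat */

/* Model of skb_checksum_none_assert(): complain if ip_summed was already set. */
static void model_checksum_none_assert(const struct model_skb *skb)
{
    if (skb->ip_summed != CHECKSUM_NONE)
        warn_count++;
}

/* Model of bnxt_xdp_build_skb(); pre_fix=true keeps the duplicate update. */
static void model_xdp_build_skb(struct model_skb *skb, bool csum_offload, bool pre_fix)
{
    skb->nr_frags = 2;                          /* the skb_shared_info update */
    if (pre_fix && csum_offload)
        skb->ip_summed = CHECKSUM_UNNECESSARY;  /* duplicate work removed by the fix */
}

/* Model of the end of bnxt_rx_pkt() for one packet; returns warnings raised. */
static int model_rx_pkt(bool xdp_mb_pass, bool csum_offload, bool pre_fix, int *ip_summed)
{
    struct model_skb skb = { CHECKSUM_NONE, 0 };

    warn_count = 0;
    if (xdp_mb_pass)                            /* XDP-MB program returned XDP_PASS */
        model_xdp_build_skb(&skb, csum_offload, pre_fix);
    model_checksum_none_assert(&skb);           /* expects CHECKSUM_NONE here */
    if (csum_offload)
        skb.ip_summed = CHECKSUM_UNNECESSARY;   /* the one update that is needed */
    *ip_summed = skb.ip_summed;
    return warn_count;
}

int main(void)
{
    int before, after;
    int w_before = model_rx_pkt(true, true, true, &before);
    int w_after = model_rx_pkt(true, true, false, &after);

    printf("pre-fix:  warnings=%d ip_summed=%d\n", w_before, before);
    printf("post-fix: warnings=%d ip_summed=%d\n", w_after, after);
    return 0;
}
```

The final ip_summed value is the same in both variants; only the early write that trips the assertion goes away.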