CVE-2026-23041

In the Linux kernel, the following vulnerability has been resolved:

bnxten: Fix NULL pointer crash in bnxtptp_enable during error cleanup

When bnxtinitone() fails during initialization (e.g., bnxtinitintmode returns -ENODEV), the error path calls bnxtfreehwrmresources() which destroys the DMA pool and sets bp->hwrmdmapool to NULL. Subsequently, bnxtptpclear() is called, which invokes ptpclockunregister().

Since commit a60fc3294a37 ("ptp: rework ptpclockunregister() to disable events"), ptpclockunregister() now calls ptpdisableallevents(), which in turn invokes the driver's .enable() callback (bnxtptp_enable()) to disable PTP events before completing the unregistration.

bnxtptpenable() attempts to send HWRM commands via bnxtptpcfgpin() and bnxtptpcfgevent(), both of which call hwrmreqinit(). This function tries to allocate from bp->hwrmdmapool, causing a NULL pointer dereference:

bnxten 0000:01:00.0 (unnamed netdevice) (uninitialized): bnxtinitint_mode err: ffffffed KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] Call Trace: _hwrmreqinit (drivers/net/ethernet/broadcom/bnxt/bnxthwrm.c:72) bnxtptpenable (drivers/net/ethernet/broadcom/bnxt/bnxtptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxtptp.c:517) ptpdisableallevents (drivers/ptp/ptpchardev.c:66) ptpclockunregister (drivers/ptp/ptpclock.c:518) bnxtptpclear (drivers/net/ethernet/broadcom/bnxt/bnxtptp.c:1134) bnxtinitone (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889)

Lines are against commit f8f9c1f4d0c7 ("Linux 6.19-rc3")

Fix this by clearing and unregistering ptp (bnxtptpclear()) before freeing HWRM resources.