In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup

When bnxt_init_one() fails during initialization (e.g., bnxt_init_int_mode returns -ENODEV), the error path calls bnxt_free_hwrm_resources() which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called, which invokes ptp_clock_unregister().

Since commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events"), ptp_clock_unregister() now calls ptp_disable_all_events(), which in turn invokes the driver's .enable() callback (bnxt_ptp_enable()) to disable PTP events before completing the unregistration.

bnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin() and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This function tries to allocate from bp->hwrm_dma_pool, causing a NULL pointer dereference:

    bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed
    KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
    Call Trace:
     __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72)
     bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517)
     ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66)
     ptp_clock_unregister (drivers/ptp/ptp_clock.c:518)
     bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134)
     bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889)

Lines are against commit f8f9c1f4d0c7 ("Linux 6.19-rc3")

Fix this by clearing and unregistering ptp (bnxt_ptp_clear()) before freeing HWRM resources.
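
The ordering problem described above, reduced to a userspace model. This is an added example, not code from the kernel or the bnxt_en driver. Every name in it (struct dev, req_init, ptp_enable, ptp_clear, free_hwrm_resources, error_path) is a hypothetical stand-in, and the model counts the NULL-pool access instead of faulting so both orderings can be compared.

```c
/* Userspace model of the teardown-ordering bug; names are hypothetical. */
#include <stdio.h>

struct dev {
    void *dma_pool;        /* stands in for bp->hwrm_dma_pool */
    int   ptp_registered;
    int   null_pool_uses;  /* requests attempted after the pool was freed */
};

/* Models hwrm_req_init(): each firmware request allocates from the pool.
 * The kernel dereferences the pool; the model counts the fault instead. */
static int req_init(struct dev *d)
{
    if (d->dma_pool)
        return 0;
    d->null_pool_uses++;
    return -1;
}

/* Models the driver's .enable() callback, which sends a firmware request. */
static int ptp_enable(struct dev *d, int on) { (void)on; return req_init(d); }

/* Models ptp_clock_unregister(): disables events via .enable() first. */
static void ptp_clear(struct dev *d)
{
    if (d->ptp_registered) {
        ptp_enable(d, 0);
        d->ptp_registered = 0;
    }
}
static void free_hwrm_resources(struct dev *d) { d->dma_pool = NULL; }

/* Runs the probe error path in the chosen order and returns how many
 * requests were issued with no pool (0 means the ordering is safe). */
int error_path(int ptp_clear_first)
{
    static char pool[64];
    struct dev d = { pool, 1, 0 };
    if (ptp_clear_first) { ptp_clear(&d); free_hwrm_resources(&d); }
    else                 { free_hwrm_resources(&d); ptp_clear(&d); }
    return d.null_pool_uses;
}

int main(void)
{
    printf("free-then-clear: %d, clear-then-free: %d\n", error_path(0), error_path(1));
    return 0;
}
```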