CVE-2025-39769 in Linux
Summary
by MITRE • 09/11/2025
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix lockdep warning during rmmod
The commit under the Fixes tag added a netdev_assert_locked() in bnxt_free_ntp_fltrs(). The lock should be held during normal run-time but the assert will be triggered (see below) during bnxt_remove_one() which should not need the lock. The netdev is already unregistered by then. Fix it by calling netdev_assert_locked_or_invisible() which will not assert if the netdev is unregistered.
WARNING: CPU: 5 PID: 2241 at ./include/net/netdev_lock.h:17 bnxt_free_ntp_fltrs+0xf8/0x100 [bnxt_en]
Modules linked in: rpcrdma rdma_cm iw_cm ib_cm configfs ib_core bnxt_en(-) bridge stp llc x86_pkg_temp_thermal xfs tg3 [last unloaded: bnxt_re]
CPU: 5 UID: 0 PID: 2241 Comm: rmmod Tainted: G S W 6.16.0 #2 PREEMPT(voluntary)
Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017
RIP: 0010:bnxt_free_ntp_fltrs+0xf8/0x100 [bnxt_en]
Code: 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 8b 47 60 be ff ff ff ff 48 8d b8 28 0c 00 00 e8 d0 cf 41 c3 85 c0 0f 85 2e ff ff ff <0f> 0b e9 27 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffa92082387da0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff9e5b593d8000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: ffffffff83dc9a70 RDI: ffffffff83e1a1cf
RBP: ffff9e5b593d8c80 R08: 0000000000000000 R09: ffffffff8373a2b3
R10: 000000008100009f R11: 0000000000000001 R12: 0000000000000001
R13: ffffffffc01c4478 R14: dead000000000122 R15: dead000000000100
FS: 00007f3a8a52c740(0000) GS:ffff9e631ad1c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055bb289419c8 CR3: 000000011274e001 CR4: 00000000003706f0
Call Trace:
<TASK>
bnxt_remove_one+0x57/0x180 [bnxt_en]
pci_device_remove+0x39/0xc0
device_release_driver_internal+0xa5/0x130
driver_detach+0x42/0x90
bus_remove_driver+0x61/0xc0
pci_unregister_driver+0x38/0x90
bnxt_exit+0xc/0x7d0 [bnxt_en]
Analysis
by VulDB Data Team • 11/27/2025
The vulnerability described in CVE-2025-39769 affects the Linux kernel's bnxt_en driver, specifically within the network device management subsystem. This issue manifests as a lockdep warning during module removal operations, highlighting a flaw in how the driver handles locking assertions when cleaning up network device resources. The problem arises from an incorrect use of the netdev_assert_locked() function within the bnxt_free_ntp_fltrs() routine, which triggers a kernel warning when the module is unloaded through rmmod. The root cause stems from the driver attempting to validate lock ownership on a network device that has already been unregistered during the removal process, leading to a false positive assertion failure.
The technical flaw occurs when the bnxt_remove_one() function executes during module unload, which calls bnxt_free_ntp_fltrs() without holding the necessary network device lock. The original implementation used netdev_assert_locked() which strictly enforces lock ownership, but during module removal, the network device is no longer registered and therefore does not require lock validation. This situation violates the expected behavior of kernel locking mechanisms and can lead to kernel warnings that indicate potential race conditions or improper synchronization. The warning specifically points to the bnxt_free_ntp_fltrs function in the bnxt_en module, where the lock assertion fails due to the device state being inconsistent with the locking requirements. According to CWE-664, this represents an improper control of a resource through time, as the driver fails to properly manage resource access during different operational phases of the network device lifecycle.
The operational impact of this vulnerability primarily affects systems running the Linux kernel with the bnxt_en driver, particularly those utilizing Broadcom network adapters. During normal operation, the driver functions correctly, but the warning appears specifically when attempting to unload the module, which could indicate improper handling of device cleanup routines. While the immediate impact may be limited to kernel log warnings rather than system instability, such issues can mask more serious underlying problems and may indicate improper resource management that could potentially be exploited in specific scenarios. The vulnerability aligns with ATT&CK technique T1547.001, which involves establishing persistence through kernel modules, as improper module cleanup could potentially be leveraged in more sophisticated attack vectors. The warning indicates a failure in the driver's internal consistency checks and could be exploited to cause denial of service or information disclosure if attackers can trigger the specific conditions leading to the assertion failure.
The fix implemented addresses the core issue by replacing netdev_assert_locked() with netdev_assert_locked_or_invisible() in the bnxt_free_ntp_fltrs() function. This change allows the assertion to pass when the network device is no longer registered, effectively handling the case where the device state has transitioned from active to unregistered during module removal. The solution adheres to proper kernel programming practices by ensuring that locking assertions are contextually appropriate for the current state of the network device. This modification prevents false positive warnings while maintaining proper locking behavior during normal runtime operations when the device is still active and requires proper synchronization. The fix aligns with industry best practices for kernel module development and follows the established patterns for handling device lifecycle management in the Linux kernel networking subsystem, ensuring that the driver properly transitions between different operational states without triggering unnecessary warnings or assertions.
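The difference between the two assertions can be seen in a small user-space model, added here as an illustration; it is not the kernel's or the bnxt_en driver's code. Every model_ name is hypothetical, the device lifecycle is reduced to the two states the description distinguishes (registered and unregistered), and a counter stands in for the lockdep WARN.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified lifecycle: only the two states the CVE text distinguishes. */
enum model_reg_state { MODEL_REGISTERED, MODEL_UNREGISTERED };

struct model_netdev {
    enum model_reg_state reg_state;
    bool lock_held;  /* stands in for "caller holds the netdev lock" */
    int warnings;    /* counts what would be a WARN splat in the kernel */
};

/* Strict form: complains whenever the lock is not held, in any state. */
static void model_assert_locked(struct model_netdev *dev)
{
    if (!dev->lock_held)
        dev->warnings++;
}

/* Relaxed form: only checks while the device is still registered. */
static void model_assert_locked_or_invisible(struct model_netdev *dev)
{
    if (dev->reg_state == MODEL_REGISTERED)
        model_assert_locked(dev);
}

/* Cleanup routine shaped like bnxt_free_ntp_fltrs(); 'strict' selects
 * the assertion used before the fix (true) or after it (false). */
static void model_free_ntp_fltrs(struct model_netdev *dev, bool strict)
{
    if (strict)
        model_assert_locked(dev);
    else
        model_assert_locked_or_invisible(dev);
    /* filter teardown would happen here */
}

/* Runs one scenario and returns the number of warnings it produced. */
static int model_run(enum model_reg_state st, bool lock_held, bool strict)
{
    struct model_netdev dev = { st, lock_held, 0 };
    model_free_ntp_fltrs(&dev, strict);
    return dev.warnings;
}

int main(void)
{
    printf("remove path, strict assert:  %d\n", model_run(MODEL_UNREGISTERED, false, true));
    printf("remove path, relaxed assert: %d\n", model_run(MODEL_UNREGISTERED, false, false));
    printf("run time, lock missing:      %d\n", model_run(MODEL_REGISTERED, false, false));
    return 0;
}
```

The third scenario is the one to note: the relaxed assertion still flags a caller that skips the lock while the device is registered, so the fix silences only the removal-path warning.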