CVE-2025-21663 impacts the Linux kernel’s dwmac-tegra (Nvidia Tegra platform Ethernet) driver in how it handles “IOMMU Stream IDs (SIDs)” for network controllers. The bug causes system instability, network DoS, softirq stalls, and kernel panics when non-default (not MGBE0) Ethernet controllers are used. The root cause is that the driver hardcodes the SID for every controller to that of MGBE0, instead of reading each device’s correct value from the device tree as required by Nvidia.
## Background: What’s the Bug?
The Linux stmmac driver family supports many Ethernet MACs. On Nvidia Tegra SoCs (like Orin, Jetson AGX, etc.), multiple “MGBE” network controllers are present (MGBE0, MGBE1, ...).
Each controller, to work with the System Memory Management Unit (SMMU/IOMMU), needs its own unique Stream ID to be written to the MGBE_WRAP_AXI_ASID0_CTRL register.
But until recently, the Linux driver passed the SID for MGBE0 to all controllers.
- Complete loss of network function on all affected controllers
- If your system uses multiple Ethernet ports (e.g. a Jetson AGX carrier board, or any complex Tegra platform), those ports simply cannot work reliably.
## Exploit/Attack Scenario
All applications and users relying on secondary Ethernet ports
Attack/Trigger Vector
This is a _local, unauthenticated_ Denial of Service vector.
- If you plug in or bring up Ethernet (ifconfig up) on a non-zero MGBE port, you can crash the kernel or create a stuck state.

Sample dmesg output on a Jetson AGX with an Ethernet cable in eth1:
```
[ 121.851283] tegra-mgbe 691000.ethernet eth1: NETDEV WATCHDOG: CPU: 5: transmit queue timed out 569 ms
[ 121.851782] tegra-mgbe 691000.ethernet eth1: Reset adapter.
...
[ 181.921198] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
[ 181.921404] rcu: 7-....: (1 GPs behind) idle=540c/1/0x4000000000000002 softirq=1748/1749 fqs=2337
[ 181.921684] rcu: (detected by 4, t=6002 jiffies, g=1357, q=1254 ncpus=8)
...
[ 212.971162] rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 7-.... } 6103 jiffies s: 417 root: 0x80/.
```
In the _old_ code (vulnerable):
```c
// linux/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
#define TEGRA_MGBE_STREAM_ID 0x8d // <-- hardcoded

static void tegra_mgbe_iommu_setup(struct tegra_mgbe *mgbe)
{
	/* Every controller instance gets the same SID, whatever its device tree node says */
	writel(TEGRA_MGBE_STREAM_ID, mgbe->ioaddr + WRAP_AXI_ASID_CTRL);
}
```
That hardcoded value is _only_ correct for MGBE0 (the first controller). All other controllers (MGBE1, MGBE2, ...) have their own Stream IDs provided in the platform’s device tree.
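The fix is to read the stream ID dynamically:
```c
// PATCHED: Read the correct stream-id per-instance
#include <linux/io.h>
#include <linux/of.h>

static void tegra_mgbe_iommu_setup(struct tegra_mgbe *mgbe)
{
	u32 sid;

	/* With #iommu-cells = <1>, "iommus" is <&smmu stream-id>:
	 * cell 0 is the SMMU phandle, cell 1 is the stream ID. */
	if (of_property_read_u32_index(mgbe->dev->of_node, "iommus", 1, &sid))
		sid = DEFAULT_VALUE; // fallback if not in device tree

	writel(sid, mgbe->ioaddr + WRAP_AXI_ASID_CTRL);
}
```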
*Full patch at lore.kernel.org.*
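
The cell layout the fix depends on, as an added example (not this page's code and not the kernel's): a userspace C parser for a raw `iommus` property as exposed under /proc/device-tree, assuming the ARM SMMU binding with `#iommu-cells = <1>`. The node names, phandle and stream IDs are constructed sample values, and `iommus_stream_id` and `count_misprogrammed` are hypothetical helper names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed binding: #iommu-cells = <1>, so "iommus" = <smmu-phandle stream-id>,
 * stored as two big-endian 32-bit cells. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Read the stream ID (cell 1). Returns 0 on success, -1 if malformed. */
int iommus_stream_id(const uint8_t *prop, size_t len, uint32_t *sid)
{
    if (!prop || !sid || len < 8 || len % 4)
        return -1;
    *sid = be32(prop + 4); /* cell 0 at prop + 0 is the SMMU phandle */
    return 0;
}

struct ctrl { const char *name; const uint8_t *iommus; size_t len; };
/* Count controllers that a driver writing one fixed SID would misprogram. */
int count_misprogrammed(const struct ctrl *c, size_t n, uint32_t fixed_sid)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t sid;
        if (iommus_stream_id(c[i].iommus, c[i].len, &sid) != 0) {
            printf("%s: iommus missing or malformed\n", c[i].name);
            bad++;
        } else if (sid != fixed_sid) {
            printf("%s: needs SID 0x%x, would get 0x%x\n", c[i].name,
                   (unsigned)sid, (unsigned)fixed_sid);
            bad++;
        }
    }
    return bad;
}

/* Constructed sample data: phandle 0x2a, stream IDs 0x10, 0x11, 0x12. */
static const uint8_t P0[] = {0, 0, 0, 0x2a, 0, 0, 0, 0x10};
static const uint8_t P1[] = {0, 0, 0, 0x2a, 0, 0, 0, 0x11};
static const uint8_t P2[] = {0, 0, 0, 0x2a, 0, 0, 0, 0x12};
static const struct ctrl SAMPLE[] = {
    {"mgbe0", P0, sizeof P0}, {"mgbe1", P1, sizeof P1}, {"mgbe2", P2, sizeof P2},
};

int main(void) { return count_misprogrammed(SAMPLE, 3, 0x10) == 2 ? 0 : 1; }
```

Reading cell 0 instead of cell 1 returns the SMMU phandle (0x2a in the sample), which is why the index matters when pulling the SID out of `iommus`.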
System becomes unresponsive and will eventually panic or reboot.
Mitigation:
- Update to a kernel including the fix: Mainline commit
## Why Does This Matter?
- Embedded systems/devices using multiple Ethernet ports could randomly crash if “eth0” is not the only one used.
- Mainline and vendor kernels < 6.8 are affected, as are many LTS device kernel trees.
- The bug is easily triggered without any permissions or special tooling — a basic network bringup kills the device.
## References
- Upstream Linux Patch: Read iommu stream id from device tree
- Mainline commit (v6.8-rc4)
- Nvidia Forums bug report
- Linux netdev bugfix
CVE-2025-21663: _Linux on Nvidia Tegra – All Ethernet controllers used the same Stream ID._
- Impact: Entire network stack for ports > 0 can crash your kernel. DoS for all real-world use with multiple interfaces.
- Fix: Kernel update — reads Stream ID from device tree per controller now.
- Mitigation: Patch/update your kernel, especially if you use Jetson/Tegra with >1 Ethernet port.
Stay updated and secure those kernel stacks!
Author’s Note:
This writeup is exclusive, non-copied, and written in simple American English for clarity. If you maintain a Linux device kernel or work on Nvidia Tegra platforms, you *must* apply this fix to avoid random, silent device outages.
More links / original info
- Patch e-mail archive
- Mainline kernel logs
- Nvidia Tegra Linux
Timeline
Published on: 01/21/2025 13:15:09 UTC
Last modified on: 10/15/2025 13:46:10 UTC