CVE-2025-22065

Source: https://nvd.nist.gov/vuln/detail/CVE-2025-22065
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22065.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2025-22065
Published: 2025-04-16T14:12:19Z
Modified: 2025-10-10T08:55:39.868307Z
Severity: 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
idpf: fix adapter NULL pointer dereference on reboot
Details

In the Linux kernel, the following vulnerability has been resolved:

idpf: fix adapter NULL pointer dereference on reboot

With SRIOV enabled, idpf ends up calling into idpf_remove() twice. First via idpf_shutdown() and then again when idpf_remove() calls into sriov_disable(), because the VF devices use the idpf driver, hence the same remove routine. When that happens, it is possible for the adapter to be NULL from the first call to idpf_remove(), leading to a NULL pointer dereference.

    echo 1 > /sys/class/net/<netif>/device/sriov_numvfs
    reboot

    BUG: kernel NULL pointer dereference, address: 0000000000000020
    ...
    RIP: 0010:idpf_remove+0x22/0x1f0 [idpf]
    ...
    ? idpf_remove+0x22/0x1f0 [idpf]
    ? idpf_remove+0x1e4/0x1f0 [idpf]
    pci_device_remove+0x3f/0xb0
    device_release_driver_internal+0x19f/0x200
    pci_stop_bus_device+0x6d/0x90
    pci_stop_and_remove_bus_device+0x12/0x20
    pci_iov_remove_virtfn+0xbe/0x120
    sriov_disable+0x34/0xe0
    idpf_sriov_configure+0x58/0x140 [idpf]
    idpf_remove+0x1b9/0x1f0 [idpf]
    idpf_shutdown+0x12/0x30 [idpf]
    pci_device_shutdown+0x35/0x60
    device_shutdown+0x156/0x200
    ...

Replace the direct idpf_remove() call in idpf_shutdown() with idpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform the bulk of the cleanup, such as stopping the init task, freeing IRQs, destroying the vports and freeing the mailbox. This avoids the calls to sriov_disable() in addition to a small netdev cleanup, and destroying workqueues, which don't seem to be required on shutdown.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: e850efed5e152e6bdd367d5b82019f21298c0653
Fixed: 79618e952ef4dfa1a17ee0631d5549603fab58d8

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: e850efed5e152e6bdd367d5b82019f21298c0653
Fixed: 88a6d562e92a295648f8636acf2a6aa714241771

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: e850efed5e152e6bdd367d5b82019f21298c0653
Fixed: 9fc9b3dc0d0c189ed205acf1e5fbd73e0becc4d6

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: e850efed5e152e6bdd367d5b82019f21298c0653
Fixed: 4c9106f4906a85f6b13542d862e423bcdc118cc3

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.10
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.13.8
v6.13.9
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package name: Kernel

Affected ranges

Type: ECOSYSTEM
Introduced: 6.7.0
Fixed: 6.12.23

Type: ECOSYSTEM
Introduced: 6.13.0
Fixed: 6.13.11

Type: ECOSYSTEM
Introduced: 6.14.0
Fixed: 6.14.2