CVE-2025-40076
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-40076
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40076.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-40076
- Downstream
- Published
- 2025-10-28T11:48:42Z
- Modified
- 2025-10-28T20:11:17.011206Z
- Summary
- PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
PCI: rcar-host: Pass proper IRQ domain to generichandledomain_irq()
Starting with commit dd26c1a23fd5 ("PCI: rcar-host: Switch to msicreateparentirqdomain()"), the MSI parent IRQ domain is NULL because the object of type struct irqdomaininfo passed to:
msicreateparentirqdomain() -> irqdomaininstantiate()() -> _irqdomain_instantiate()
has no reference to the parent IRQ domain. Using msi->domain->parent as an argument for generichandledomain_irq() leads to below error:
"Unable to handle kernel NULL pointer dereference at virtual address"This error was identified while switching the upcoming RZ/G3S PCIe host controller driver to msicreateparentirqdomain() (which was using a similar pattern to handle MSIs (see link section)), but it was not tested on hardware using the pcie-rcar-host controller driver due to lack of hardware.
[mani: reworded subject and description]
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceddd26c1a23fd5a607c50738ea0dcb6cdbb8185cfeFixede8e21aaf5d34015901cd271053a67a62b4204526
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceddd26c1a23fd5a607c50738ea0dcb6cdbb8185cfeFixedd3fee10e40a938331e2aae34348691136db31304
Affected versions
v6.*
Database specific
vanir_signatures
[
{
"digest": {
"length": 544.0,
"function_hash": "188467892218424177824739476056114621432"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e8e21aaf5d34015901cd271053a67a62b4204526",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2025-40076-904a834a",
"target": {
"file": "drivers/pci/controller/pcie-rcar-host.c",
"function": "rcar_pcie_msi_irq"
}
},
{
"digest": {
"length": 544.0,
"function_hash": "188467892218424177824739476056114621432"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d3fee10e40a938331e2aae34348691136db31304",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"id": "CVE-2025-40076-9c290e06",
"target": {
"file": "drivers/pci/controller/pcie-rcar-host.c",
"function": "rcar_pcie_msi_irq"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"109952072871180254186366658306600089396",
"45403998695649290951304182617946675409",
"298273499147457811377877368530952381614",
"295615248709502065307556961418320544974"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d3fee10e40a938331e2aae34348691136db31304",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"id": "CVE-2025-40076-bf399a4f",
"target": {
"file": "drivers/pci/controller/pcie-rcar-host.c"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"109952072871180254186366658306600089396",
"45403998695649290951304182617946675409",
"298273499147457811377877368530952381614",
"295615248709502065307556961418320544974"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e8e21aaf5d34015901cd271053a67a62b4204526",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"id": "CVE-2025-40076-ff88eb9c",
"target": {
"file": "drivers/pci/controller/pcie-rcar-host.c"
}
}
]