In the Linux kernel, the following vulnerability has been resolved:

ice: Fix deinitializing VF in error path

If ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees all VFs without removing them from snapshot PF-VF mailbox list, leading to list corruption.

Reproducer:

  devlink dev eswitch set $PF1_PCI mode switchdev
  ip l s $PF1 up
  ip l s $PF1 promisc on
  sleep 1
  echo 1 > /sys/class/net/$PF1/device/sriov_numvfs
  sleep 1
  echo 1 > /sys/class/net/$PF1/device/sriov_numvfs

Trace (minimized):

  list_add corruption. next->prev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330).
  kernel BUG at lib/list_debug.c:29!
  RIP: 0010:__list_add_valid_or_report+0xa6/0x100
   ice_mbx_init_vf_info+0xa7/0x180 [ice]
   ice_initialize_vf_entry+0x1fa/0x250 [ice]
   ice_sriov_configure+0x8d7/0x1520 [ice]
   ? __percpu_ref_switch_mode+0x1b1/0x5d0
   ? __pfx_ice_sriov_configure+0x10/0x10 [ice]

Sometimes a KASAN report can be seen instead with a similar stack trace:

  BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100

VFs are added to this list in ice_mbx_init_vf_info(), but only removed in ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is also being called in other places where VFs are being removed (including ice_free_vfs() itself).
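
The failure mode described above, as an added user-space model (not code from the kernel or from the fix): an entry is linked into a list at init time, released in an error path without being unlinked, and the next list add then fails the same next->prev check that appears in the trace. All names (mbx_list, slot, free_vf, second_enable_ok) are hypothetical, and zeroing a static slot stands in for freeing and reusing memory so the model stays well-defined.

```c
/* Constructed user-space model; names are hypothetical, not the ice driver's code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };
struct vf { int id; struct list_head mbx_entry; };

static struct list_head mbx_list; /* stands in for the PF-VF mailbox snapshot list */
static struct vf slot;            /* one VF slot; zeroing it models free-and-reuse */

/* Link node right after head, first checking the invariant that the
 * kernel's list debugging reports on: next->prev must point back at prev. */
static bool list_add_checked(struct list_head *node, struct list_head *head)
{
    struct list_head *next = head->next;
    if (next->prev != head)
        return false;             /* "list_add corruption" */
    node->next = next; node->prev = head;
    next->prev = node; head->next = node;
    return true;
}

/* Release a VF. unlink_first selects the fixed behaviour: the entry is
 * taken off the list in the common free path before the memory goes away. */
static void free_vf(struct vf *vf, bool unlink_first)
{
    if (unlink_first) {
        vf->mbx_entry.prev->next = vf->mbx_entry.next;
        vf->mbx_entry.next->prev = vf->mbx_entry.prev;
    }
    memset(vf, 0, sizeof(*vf));
}

/* Enable one VF, hit a simulated late failure, clean up, then enable again.
 * Returns whether the second list add passes the integrity check. */
static bool second_enable_ok(bool unlink_first)
{
    mbx_list.next = mbx_list.prev = &mbx_list;
    if (!list_add_checked(&slot.mbx_entry, &mbx_list))
        return false;
    free_vf(&slot, unlink_first); /* error path after the entry was created */
    return list_add_checked(&slot.mbx_entry, &mbx_list);
}

int main(void)
{
    printf("no unlink: %d, unlink in free path: %d\n",
           second_enable_ok(false), second_enable_ok(true));
    return 0;
}
```

Without the unlink, the list head still points at the released entry, whose prev pointer is now zero, so the second add is rejected; with the unlink in the free path, the list is empty again and the add succeeds.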