CVE-2025-22031

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI/bwctrl: Fix NULL pointer dereference on bus number exhaustion<br /> <br /> When BIOS neglects to assign bus numbers to PCI bridges, the kernel<br /> attempts to correct that during PCI device enumeration. If it runs out<br /> of bus numbers, no pci_bus is allocated and the "subordinate" pointer in<br /> the bridge&amp;#39;s pci_dev remains NULL.<br /> <br /> The PCIe bandwidth controller erroneously does not check for a NULL<br /> subordinate pointer and dereferences it on probe.<br /> <br /> Bandwidth control of unusable devices below the bridge is of questionable<br /> utility, so simply error out instead. This mirrors what PCIe hotplug does<br /> since commit 62e4492c3063 ("PCI: Prevent NULL dereference during pciehp<br /> probe").<br /> <br /> The PCI core emits a message with KERN_INFO severity if it has run out of<br /> bus numbers. PCIe hotplug emits an additional message with KERN_ERR<br /> severity to inform the user that hotplug functionality is disabled at the<br /> bridge. A similar message for bandwidth control does not seem merited,<br /> given that its only purpose so far is to expose an up-to-date link speed<br /> in sysfs and throttle the link speed on certain laptops with limited<br /> Thermal Design Power. So error out silently.<br /> <br /> User-visible messages:<br /> <br /> pci 0000:16:02.0: bridge configuration invalid ([bus 00-00]), reconfiguring<br /> [...]<br /> pci_bus 0000:45: busn_res: [bus 45-74] end is updated to 74<br /> pci 0000:16:02.0: devices behind bridge are unusable because [bus 45-74] cannot be assigned for them<br /> [...]<br /> pcieport 0000:16:02.0: pciehp: Hotplug bridge without secondary bus, ignoring<br /> [...]<br /> BUG: kernel NULL pointer dereference<br /> RIP: pcie_update_link_speed<br /> pcie_bwnotif_enable<br /> pcie_bwnotif_probe<br /> pcie_port_probe_service<br /> really_probe