CVE-2025-22065

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 16/04/2025
Last modified: 01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

idpf: fix adapter NULL pointer dereference on reboot

With SRIOV enabled, idpf ends up calling into idpf_remove() twice.
First via idpf_shutdown() and then again when idpf_remove() calls into
sriov_disable(), because the VF devices use the idpf driver, hence the
same remove routine. When that happens, it is possible for the adapter
to be NULL from the first call to idpf_remove(), leading to a NULL
pointer dereference.

  echo 1 > /sys/class/net//device/sriov_numvfs
  reboot

  BUG: kernel NULL pointer dereference, address: 0000000000000020
  ...
  RIP: 0010:idpf_remove+0x22/0x1f0 [idpf]
  ...
  ? idpf_remove+0x22/0x1f0 [idpf]
  ? idpf_remove+0x1e4/0x1f0 [idpf]
  pci_device_remove+0x3f/0xb0
  device_release_driver_internal+0x19f/0x200
  pci_stop_bus_device+0x6d/0x90
  pci_stop_and_remove_bus_device+0x12/0x20
  pci_iov_remove_virtfn+0xbe/0x120
  sriov_disable+0x34/0xe0
  idpf_sriov_configure+0x58/0x140 [idpf]
  idpf_remove+0x1b9/0x1f0 [idpf]
  idpf_shutdown+0x12/0x30 [idpf]
  pci_device_shutdown+0x35/0x60
  device_shutdown+0x156/0x200
  ...

Replace the direct idpf_remove() call in idpf_shutdown() with
idpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform
the bulk of the cleanup, such as stopping the init task, freeing IRQs,
destroying the vports and freeing the mailbox. This avoids the calls to
sriov_disable() in addition to a small netdev cleanup, and destroying
workqueues, which don't seem to be required on shutdown.

Vulnerable products and versions

CPE                                            From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7 (including)   6.12.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.13 (including)  6.13.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.14 (including)  6.14.2 (excluding)
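
A way to check a kernel release string against the three ranges above, and to see whether the running host meets the precondition from the description (an idpf interface with VFs enabled). This is an added example, not part of the advisory or the kernel fix; the function names are hypothetical and mainline x.y.z version numbering is assumed.

```sh
#!/bin/sh
# Added example: compare a kernel release string with the ranges listed above.
# Function names are hypothetical; mainline x.y.z numbering is assumed.

# ver_to_int 6.12.23-generic -> 6012023 (assumes each component is below 1000)
ver_to_int() {
    v=${1%%[!0-9.]*}            # keep only the leading numeric part
    old_ifs=$IFS; IFS=.
    set -- $v                   # split on dots into $1 $2 $3
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# in_range VERSION FROM_INCLUDING TO_EXCLUDING
in_range() {
    n=$(ver_to_int "$1")
    [ "$n" -ge "$(ver_to_int "$2")" ] && [ "$n" -lt "$(ver_to_int "$3")" ]
}

# Returns 0 when the release falls inside one of the three listed ranges.
cve_2025_22065_affected() {
    in_range "$1" 6.7 6.12.23 || in_range "$1" 6.13 6.13.11 ||
        in_range "$1" 6.14 6.14.2
}

# Report for the running host: version range plus the stated precondition
# (an idpf-bound interface with VFs enabled).
report_host() {
    rel=$(uname -r)
    if cve_2025_22065_affected "$rel"; then
        echo "$rel: inside a listed range (vendor kernels may carry a backport)"
    else
        echo "$rel: outside the listed ranges"
    fi
    for f in /sys/class/net/*/device/sriov_numvfs; do
        [ -r "$f" ] || continue
        drv=$(basename "$(readlink -f "${f%/*}/driver")")
        [ "$drv" = idpf ] && echo "$f: $(cat "$f") VFs configured on idpf"
    done
    return 0
}

# Run the host report only when asked, e.g.: sh check.sh --host
if [ "${1:-}" = "--host" ]; then report_host; fi
```

A version inside a listed range is only an indicator: distribution kernels often backport fixes without changing the upstream version number, so confirm against the vendor's changelog.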