CVE-2025-39911
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 01/10/2025
Last modified: 16/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path

If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration
later than the first, the error path wants to free the IRQs requested
so far. However, it uses the wrong dev_id argument for free_irq(), so
it does not free the IRQs correctly and instead triggers the warning:

```
Trying to free already-free IRQ 173
WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0
Modules linked in: i40e(+) [...]
CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)
Hardware name: [...]
RIP: 0010:__free_irq+0x192/0x2c0
[...]
Call Trace:

free_irq+0x32/0x70
i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e]
i40e_vsi_request_irq+0x79/0x80 [i40e]
i40e_vsi_open+0x21f/0x2f0 [i40e]
i40e_open+0x63/0x130 [i40e]
__dev_open+0xfc/0x210
__dev_change_flags+0x1fc/0x240
netif_change_flags+0x27/0x70
do_setlink.isra.0+0x341/0xc70
rtnl_newlink+0x468/0x860
rtnetlink_rcv_msg+0x375/0x450
netlink_rcv_skb+0x5c/0x110
netlink_unicast+0x288/0x3c0
netlink_sendmsg+0x20d/0x430
____sys_sendmsg+0x3a2/0x3d0
___sys_sendmsg+0x99/0xe0
__sys_sendmsg+0x8a/0xf0
do_syscall_64+0x82/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
[...]

---[ end trace 0000000000000000 ]---
```

Use the same dev_id for free_irq() as for request_irq().

I tested this with inserting code to fail intentionally.
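
The failure mode described above, as an added userspace model (not code from the kernel, the i40e driver, or the fix commits): it shows why an unwind loop that passes a different dev_id than the one registered leaves every earlier IRQ held and produces one warning per attempt. `mock_request_irq()`, `mock_free_irq()`, `failed_setup()` and the `q_vector` stand-in are hypothetical names, and the mismatched cookie used here (the address of the array slot rather than the pointer stored in it) is an assumed illustration of a wrong dev_id.

```c
/* Userspace model; all names are hypothetical stand-ins, not kernel or i40e code. */
#include <stdio.h>

#define NVEC 4
struct q_vector { int id; };        /* stand-in per-queue context */
static void *registered[NVEC];      /* dev_id cookie per mock IRQ, NULL = free */
static int warnings;                /* models "Trying to free already-free IRQ" */

static int mock_request_irq(int irq, void *dev_id, int fail_at)
{
    if (irq == fail_at)
        return -1;                  /* injected failure */
    registered[irq] = dev_id;
    return 0;
}

static void mock_free_irq(int irq, void *dev_id)
{
    if (registered[irq] != dev_id) {    /* no action matches this cookie */
        warnings++;
        return;                         /* the handler stays registered */
    }
    registered[irq] = NULL;
}

/* Request NVEC IRQs, fail at index fail_at, unwind; return IRQs still held. */
static int failed_setup(struct q_vector **qv, int fail_at, int matching_dev_id)
{
    int v, held = 0;
    warnings = 0;
    for (v = 0; v < NVEC; v++)
        registered[v] = NULL;
    for (v = 0; v < NVEC; v++)
        if (mock_request_irq(v, qv[v], fail_at))
            break;
    if (v < NVEC)           /* error path: release what was requested so far */
        while (v-- > 0)     /* assumed mismatch: &qv[v] instead of qv[v] */
            mock_free_irq(v, matching_dev_id ? (void *)qv[v] : (void *)&qv[v]);
    for (v = 0; v < NVEC; v++)
        held += registered[v] != NULL;
    return held;
}

int main(void)
{
    struct q_vector vecs[NVEC], *qv[NVEC] = { &vecs[0], &vecs[1], &vecs[2], &vecs[3] };
    printf("mismatched dev_id: %d IRQs still held\n", failed_setup(qv, 2, 0));
    printf("matching dev_id:   %d IRQs still held\n", failed_setup(qv, 2, 1));
    return 0;
}
```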
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.13 (including) | 5.4.300 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.245 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.194 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.153 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.107 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.48 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.16.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/13ab9adef3cd386511c930a9660ae06595007f89
- https://git.kernel.org/stable/c/23431998a37764c464737b855c71a81d50992e98
- https://git.kernel.org/stable/c/6e4016c0dca53afc71e3b99e24252b63417395df
- https://git.kernel.org/stable/c/915470e1b44e71d1dd07ee067276f003c3521ee3
- https://git.kernel.org/stable/c/a30afd6617c30aaa338d1dbcb1e34e7a1890085c
- https://git.kernel.org/stable/c/b905b2acb3a0bbb08ad9be9984d8cdabdf827315
- https://git.kernel.org/stable/c/b9721a023df38cf44a88f2739b4cf51efd051f85
- https://git.kernel.org/stable/c/c62580674ce5feb1be4f90b5873ff3ce50e0a1db
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html



