| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025100110-CVE-2025-39911-5646@gregkh> Date: Wed, 1 Oct 2025 09:47:16 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-39911: i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration later than the first, the error path wants to free the IRQs requested so far. However, it uses the wrong dev_id argument for free_irq(), so it does not free the IRQs correctly and instead triggers the warning: Trying to free already-free IRQ 173 WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0 Modules linked in: i40e(+) [...] CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy) Hardware name: [...] RIP: 0010:__free_irq+0x192/0x2c0 [...] Call Trace: <TASK> free_irq+0x32/0x70 i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e] i40e_vsi_request_irq+0x79/0x80 [i40e] i40e_vsi_open+0x21f/0x2f0 [i40e] i40e_open+0x63/0x130 [i40e] __dev_open+0xfc/0x210 __dev_change_flags+0x1fc/0x240 netif_change_flags+0x27/0x70 do_setlink.isra.0+0x341/0xc70 rtnl_newlink+0x468/0x860 rtnetlink_rcv_msg+0x375/0x450 netlink_rcv_skb+0x5c/0x110 netlink_unicast+0x288/0x3c0 netlink_sendmsg+0x20d/0x430 ____sys_sendmsg+0x3a2/0x3d0 ___sys_sendmsg+0x99/0xe0 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x82/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] </TASK> ---[ end trace 0000000000000000 ]--- Use the same dev_id for free_irq() as for request_irq(). I tested this with inserting code to fail intentionally. The Linux kernel CVE team has assigned CVE-2025-39911 to this issue. Affected and fixed versions =========================== Issue introduced in 3.13 with commit 493fb30011b3ab5173cef96f1d1ce126da051792 and fixed in 6.1.153 with commit b905b2acb3a0bbb08ad9be9984d8cdabdf827315 Issue introduced in 3.13 with commit 493fb30011b3ab5173cef96f1d1ce126da051792 and fixed in 6.6.107 with commit 23431998a37764c464737b855c71a81d50992e98 Issue introduced in 3.13 with commit 493fb30011b3ab5173cef96f1d1ce126da051792 and fixed in 6.12.48 with commit a30afd6617c30aaa338d1dbcb1e34e7a1890085c Issue introduced in 3.13 with commit 493fb30011b3ab5173cef96f1d1ce126da051792 and fixed in 6.16.8 with commit c62580674ce5feb1be4f90b5873ff3ce50e0a1db Issue introduced in 3.13 with commit 493fb30011b3ab5173cef96f1d1ce126da051792 and fixed in 6.17 with commit 915470e1b44e71d1dd07ee067276f003c3521ee3 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-39911 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/ethernet/intel/i40e/i40e_main.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/b905b2acb3a0bbb08ad9be9984d8cdabdf827315 https://git.kernel.org/stable/c/23431998a37764c464737b855c71a81d50992e98 https://git.kernel.org/stable/c/a30afd6617c30aaa338d1dbcb1e34e7a1890085c https://git.kernel.org/stable/c/c62580674ce5feb1be4f90b5873ff3ce50e0a1db https://git.kernel.org/stable/c/915470e1b44e71d1dd07ee067276f003c3521ee3
Powered by blists - more mailing lists