{"id":"CVE-2025-22065","summary":"idpf: fix adapter NULL pointer dereference on reboot","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix adapter NULL pointer dereference on reboot\n\nWith SRIOV enabled, idpf ends up calling into idpf_remove() twice.\nFirst via idpf_shutdown() and then again when idpf_remove() calls into\nsriov_disable(), because the VF devices use the idpf driver, hence the\nsame remove routine. When that happens, it is possible for the adapter\nto be NULL from the first call to idpf_remove(), leading to a NULL\npointer dereference.\n\necho 1 \u003e /sys/class/net/\u003cnetif\u003e/device/sriov_numvfs\nreboot\n\nBUG: kernel NULL pointer dereference, address: 0000000000000020\n...\nRIP: 0010:idpf_remove+0x22/0x1f0 [idpf]\n...\n? idpf_remove+0x22/0x1f0 [idpf]\n? idpf_remove+0x1e4/0x1f0 [idpf]\npci_device_remove+0x3f/0xb0\ndevice_release_driver_internal+0x19f/0x200\npci_stop_bus_device+0x6d/0x90\npci_stop_and_remove_bus_device+0x12/0x20\npci_iov_remove_virtfn+0xbe/0x120\nsriov_disable+0x34/0xe0\nidpf_sriov_configure+0x58/0x140 [idpf]\nidpf_remove+0x1b9/0x1f0 [idpf]\nidpf_shutdown+0x12/0x30 [idpf]\npci_device_shutdown+0x35/0x60\ndevice_shutdown+0x156/0x200\n...\n\nReplace the direct idpf_remove() call in idpf_shutdown() with\nidpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform\nthe bulk of the cleanup, such as stopping the init task, freeing IRQs,\ndestroying the vports and freeing the mailbox. This avoids the calls to\nsriov_disable() in addition to a small netdev cleanup, and destroying\nworkqueues, which don't seem to be required on shutdown.","modified":"2026-04-02T12:45:20.229555Z","published":"2025-04-16T14:12:19.492Z","related":["SUSE-SU-2025:01614-1","SUSE-SU-2025:01707-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:01972-1","SUSE-SU-2025:20343-1","SUSE-SU-2025:20344-1","SUSE-SU-2025:20354-1","SUSE-SU-2025:20355-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22065.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/4c9106f4906a85f6b13542d862e423bcdc118cc3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/79618e952ef4dfa1a17ee0631d5549603fab58d8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/88a6d562e92a295648f8636acf2a6aa714241771"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9fc9b3dc0d0c189ed205acf1e5fbd73e0becc4d6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22065.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22065"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e850efed5e152e6bdd367d5b82019f21298c0653"},{"fixed":"79618e952ef4dfa1a17ee0631d5549603fab58d8"},{"fixed":"88a6d562e92a295648f8636acf2a6aa714241771"},{"fixed":"9fc9b3dc0d0c189ed205acf1e5fbd73e0becc4d6"},{"fixed":"4c9106f4906a85f6b13542d862e423bcdc118cc3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22065.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}