CVE-2025-39911

Summary

In the Linux kernel, the following vulnerability has been resolved:

i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path

If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration later than the first, the error path wants to free the IRQs requested so far. However, it uses the wrong dev_id argument for free_irq(), so it does not free the IRQs correctly and instead triggers the warning:

Trying to free already-free IRQ 173 WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0 Modules linked in: i40e(+) […] CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy) Hardware name: […] RIP: 0010:__free_irq+0x192/0x2c0 […] Call Trace: <TASK> free_irq+0x32/0x70 i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e] i40e_vsi_request_irq+0x79/0x80 [i40e] i40e_vsi_open+0x21f/0x2f0 [i40e] i40e_open+0x63/0x130 [i40e] __dev_open+0xfc/0x210 __dev_change_flags+0x1fc/0x240 netif_change_flags+0x27/0x70 do_setlink.isra.0+0x341/0xc70 rtnl_newlink+0x468/0x860 rtnetlink_rcv_msg+0x375/0x450 netlink_rcv_skb+0x5c/0x110 netlink_unicast+0x288/0x3c0 netlink_sendmsg+0x20d/0x430 ____sys_sendmsg+0x3a2/0x3d0 ___sys_sendmsg+0x99/0xe0 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x82/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e […] </TASK> —[ end trace 0000000000000000 ]—

Use the same dev_id for free_irq() as for request_irq().

I tested this with inserting code to fail intentionally.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux493fb30011b3ab5173cef96f1d1ce126da051792 < 13ab9adef3cd386511c930a9660ae06595007f89affected
LinuxLinux493fb30011b3ab5173cef96f1d1ce126da051792 < 6e4016c0dca53afc71e3b99e24252b63417395dfaffected
LinuxLinux493fb30011b3ab5173cef96f1d1ce126da051792 < b9721a023df38cf44a88f2739b4cf51efd051f85affected
LinuxLinux493fb30011b3ab5173cef96f1d1ce126da051792 < b905b2acb3a0bbb08ad9be9984d8cdabdf827315affected
LinuxLinux493fb30011b3ab5173cef96f1d1ce126da051792 < 23431998a37764c464737b855c71a81d50992e98affected
LinuxLinux493fb30011b3ab5173cef96f1d1ce126da051792 < a30afd6617c30aaa338d1dbcb1e34e7a1890085caffected
LinuxLinux493fb30011b3ab5173cef96f1d1ce126da051792 < c62580674ce5feb1be4f90b5873ff3ce50e0a1dbaffected
LinuxLinux493fb30011b3ab5173cef96f1d1ce126da051792 < 915470e1b44e71d1dd07ee067276f003c3521ee3affected
LinuxLinux3.13affected
LinuxLinux0 < 3.13unaffected
LinuxLinux5.4.300 <= 5.4.*unaffected
LinuxLinux5.10.245 <= 5.10.*unaffected
LinuxLinux5.15.194 <= 5.15.*unaffected
LinuxLinux6.1.153 <= 6.1.*unaffected
LinuxLinux6.6.107 <= 6.6.*unaffected
LinuxLinux6.12.48 <= 6.12.*unaffected
LinuxLinux6.16.8 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References