CVE-2025-22092 in Linux
Summary
by MITRE • 04/16/2025
In the Linux kernel, the following vulnerability has been resolved:
PCI: Fix NULL dereference in SR-IOV VF creation error path
Clean up when virtfn setup fails to prevent NULL pointer dereference during device removal. The kernel oops below occurred due to incorrect error handling flow when pci_setup_device() fails.
Add pci_iov_scan_device(), which handles virtfn allocation and setup and cleans up if pci_setup_device() fails, so pci_iov_add_virtfn() doesn't need to call pci_stop_and_remove_bus_device(). This prevents accessing partially initialized virtfn devices during removal.
BUG: kernel NULL pointer dereference, address: 00000000000000d0
RIP: 0010:device_del+0x3d/0x3d0
Call Trace:
pci_remove_bus_device+0x7c/0x100
pci_iov_add_virtfn+0xfa/0x200
sriov_enable+0x208/0x420
mlx5_core_sriov_configure+0x6a/0x160 [mlx5_core]
sriov_numvfs_store+0xae/0x1a0
[bhelgaas: commit log, return ERR_PTR(-ENOMEM) directly]
Analysis
by VulDB Data Team • 02/15/2026
This vulnerability is in the Linux kernel's PCI subsystem, in the SR-IOV virtual function (VF) creation path. It is a NULL pointer dereference in the error handling path taken when VF setup fails: pci_setup_device() fails during VF initialization, the cleanup that follows is done incorrectly, and a partially constructed device structure is then accessed during the subsequent removal step.
The defect is in the error handling flow of the SR-IOV VF creation code. When pci_setup_device() fails for a newly allocated virtfn, the pre-fix code did not unwind the partially initialized device itself; it handed the device to the full removal routine, which operates on fields that are only populated once a device has been completely set up and added. Those fields still hold NULL or invalid references, and the removal code dereferences them. The oops trace shows this failure path: the fault is in device_del(), and the faulting address 0x00000000000000d0 is a small offset from NULL, which is what a field read through a NULL struct pointer produces and which indicates an improperly initialized device object.
The operational impact is on systems that use SR-IOV, such as high-performance computing clusters, data center virtualization platforms and network infrastructure hosts. The effect is a kernel oops, meaning a system crash or denial of service, triggered when VF setup fails during an SR-IOV configuration change; the trace shows the path entered through sriov_numvfs_store, the sysfs handler for setting the number of VFs. Attackers able to drive such configuration changes could use this condition to crash the system, and hosts that reconfigure SR-IOV frequently or hot-add and remove devices are most exposed. Any Linux kernel with SR-IOV support in which VF creation can fail during device setup is affected, which matters most in production environments where reliability and uptime are critical.
The fix introduces pci_iov_scan_device(), which handles virtfn allocation and setup and, if pci_setup_device() fails, releases exactly what it allocated before returning an error. pci_iov_add_virtfn() therefore no longer calls pci_stop_and_remove_bus_device() on failure, which is what previously sent partially initialized device structures through the full removal path. Matching the cleanup to how far initialization got is the standard pattern for error handling in resource setup code, and it prevents the NULL pointer dereference that the removal path would otherwise hit.
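To make the error-path contrast concrete, here is an added userspace C model of the two flows (constructed for this page, not kernel code): ERR_PTR/IS_ERR/PTR_ERR reimplement the kernel idiom the commit mentions, setup_device is a hypothetical fault-injected stand-in for pci_setup_device(), and stop_and_remove counts a removal of a never-registered device where the real device_del() would oops.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* ERR_PTR/IS_ERR/PTR_ERR: an errno encoded in a pointer, as the fix's scan helper returns. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static inline long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct virtfn { int id; int registered; };   /* registered: device_add() completed */
static int live_allocs;            /* outstanding allocations; 0 means no leak */
static int unregistered_removals;  /* full-removal calls on half-built devices */
static struct virtfn *alloc_dev(int id)
{
	struct virtfn *vf = calloc(1, sizeof(*vf));
	if (vf) { vf->id = id; live_allocs++; }
	return vf;
}
/* Hypothetical setup step with fault injection: fails when id == fail_id. */
static int setup_device(struct virtfn *vf, int fail_id) { return vf->id == fail_id ? -ENODEV : 0; }
/* Full removal; the kernel's device_del() assumes a registered device. Counted here, not oopsed. */
static void stop_and_remove(struct virtfn *vf)
{
	if (!vf->registered) unregistered_removals++;
	live_allocs--; free(vf);
}
/* Pre-fix shape: on setup failure, run the full removal on a half-built device. */
static int add_virtfn_old(int id, int fail_id, struct virtfn **out)
{
	struct virtfn *vf = alloc_dev(id);
	if (!vf) return -ENOMEM;
	int rc = setup_device(vf, fail_id);
	if (rc) { stop_and_remove(vf); return rc; }   /* where the trace's oops fires */
	vf->registered = 1; *out = vf; return 0;
}
/* Post-fix shape: the scan step owns the allocation and unwinds only what it set up. */
static struct virtfn *scan_device(int id, int fail_id)
{
	struct virtfn *vf = alloc_dev(id);
	if (!vf) return ERR_PTR(-ENOMEM);
	int rc = setup_device(vf, fail_id);
	if (rc) { live_allocs--; free(vf); return ERR_PTR(rc); }  /* plain free suffices */
	return vf;
}
static int add_virtfn_new(int id, int fail_id, struct virtfn **out)
{
	struct virtfn *vf = scan_device(id, fail_id);
	if (IS_ERR(vf)) return (int)PTR_ERR(vf);   /* never touches a device that was not added */
	vf->registered = 1; *out = vf; return 0;
}
```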
The weakness is CWE-476 (NULL Pointer Dereference), a classic instance of improper error handling in kernel code; the fix follows defensive programming practice by making cleanup correct on every exit path. In ATT&CK terms it maps to Endpoint Denial of Service (T1499), where an attacker repeatedly triggers SR-IOV configuration changes to destabilize the system. The mitigation is correct resource lifecycle management in the error path, consistent with kernel error-handling conventions, and it is a fundamental improvement to the kernel's robustness against failures during device initialization.