Home

Description

In the Linux kernel, the following vulnerability has been resolved: i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration later than the first, the error path wants to free the IRQs requested so far. However, it uses the wrong dev_id argument for free_irq(), so it does not free the IRQs correctly and instead triggers the warning: Trying to free already-free IRQ 173 WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0 Modules linked in: i40e(+) [...] CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy) Hardware name: [...] RIP: 0010:__free_irq+0x192/0x2c0 [...] Call Trace: <TASK> free_irq+0x32/0x70 i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e] i40e_vsi_request_irq+0x79/0x80 [i40e] i40e_vsi_open+0x21f/0x2f0 [i40e] i40e_open+0x63/0x130 [i40e] __dev_open+0xfc/0x210 __dev_change_flags+0x1fc/0x240 netif_change_flags+0x27/0x70 do_setlink.isra.0+0x341/0xc70 rtnl_newlink+0x468/0x860 rtnetlink_rcv_msg+0x375/0x450 netlink_rcv_skb+0x5c/0x110 netlink_unicast+0x288/0x3c0 netlink_sendmsg+0x20d/0x430 ____sys_sendmsg+0x3a2/0x3d0 ___sys_sendmsg+0x99/0xe0 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x82/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] </TASK> ---[ end trace 0000000000000000 ]--- Use the same dev_id for free_irq() as for request_irq(). I tested this with inserting code to fail intentionally.

PUBLISHED Reserved 2025-04-16 | Published 2025-10-01 | Updated 2025-10-01 | Assigner Linux

Product status

Default status
unaffected

493fb30011b3ab5173cef96f1d1ce126da051792 before b905b2acb3a0bbb08ad9be9984d8cdabdf827315
affected

493fb30011b3ab5173cef96f1d1ce126da051792 before 23431998a37764c464737b855c71a81d50992e98
affected

493fb30011b3ab5173cef96f1d1ce126da051792 before a30afd6617c30aaa338d1dbcb1e34e7a1890085c
affected

493fb30011b3ab5173cef96f1d1ce126da051792 before c62580674ce5feb1be4f90b5873ff3ce50e0a1db
affected

493fb30011b3ab5173cef96f1d1ce126da051792 before 915470e1b44e71d1dd07ee067276f003c3521ee3
affected

Default status
affected

3.13
affected

Any version before 3.13
unaffected

6.1.153
unaffected

6.6.107
unaffected

6.12.48
unaffected

6.16.8
unaffected

6.17
unaffected

References

git.kernel.org/...c/b905b2acb3a0bbb08ad9be9984d8cdabdf827315

git.kernel.org/...c/23431998a37764c464737b855c71a81d50992e98

git.kernel.org/...c/a30afd6617c30aaa338d1dbcb1e34e7a1890085c

git.kernel.org/...c/c62580674ce5feb1be4f90b5873ff3ce50e0a1db

git.kernel.org/...c/915470e1b44e71d1dd07ee067276f003c3521ee3

cve.org (CVE-2025-39911)

nvd.nist.gov (CVE-2025-39911)

Download JSON