Bug 2395794 (CVE-2025-39814) - CVE-2025-39814 kernel: ice: fix NULL pointer dereference in ice_unplug_aux_dev() on reset
Summary: CVE-2025-39814 kernel: ice: fix NULL pointer dereference in ice_unplug_aux_de...
Keywords:
Status: NEW
Alias: CVE-2025-39814
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-16 14:02 UTC by OSIDB Bzimport
Modified: 2025-09-16 16:01 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-16 14:02:55 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ice: fix NULL pointer dereference in ice_unplug_aux_dev() on reset

Issuing a reset when the driver is loaded without RDMA support, will
results in a crash as it attempts to remove RDMA's non-existent auxbus
device:
echo 1 > /sys/class/net/<if>/device/reset

BUG: kernel NULL pointer dereference, address: 0000000000000008
...
RIP: 0010:ice_unplug_aux_dev+0x29/0x70 [ice]
...
Call Trace:
<TASK>
ice_prepare_for_reset+0x77/0x260 [ice]
pci_dev_save_and_disable+0x2c/0x70
pci_reset_function+0x88/0x130
reset_store+0x5a/0xa0
kernfs_fop_write_iter+0x15e/0x210
vfs_write+0x273/0x520
ksys_write+0x6b/0xe0
do_syscall_64+0x79/0x3b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

ice_unplug_aux_dev() checks pf->cdev_info->adev for NULL pointer, but
pf->cdev_info will also be NULL, leading to the deref in the trace above.

Introduce a flag to be set when the creation of the auxbus device is
successful, to avoid multiple NULL pointer checks in ice_unplug_aux_dev().
Comment 1 Keith Grant 2025-09-16 15:59:43 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091614-CVE-2025-39814-1765@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.