NVD

CVE-2025-40219 Detail

Awaiting Analysis

This CVE record has been marked for NVD enrichment efforts.

Description

In the Linux kernel, the following vulnerability has been resolved: PCI/IOV: Fix race between SR-IOV enable/disable and hotplug Commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV") tried to fix a race between the VF removal inside sriov_del_vfs() and concurrent hot unplug by taking the PCI rescan/remove lock in sriov_del_vfs(). Similarly the PCI rescan/remove lock was also taken in sriov_add_vfs() to protect addition of VFs. This approach however causes deadlock on trying to remove PFs with SR-IOV enabled because PFs disable SR-IOV during removal and this removal happens under the PCI rescan/remove lock. So the original fix had to be reverted. Instead of taking the PCI rescan/remove lock in sriov_add_vfs() and sriov_del_vfs(), fix the race that occurs with SR-IOV enable and disable vs hotplug higher up in the callchain by taking the lock in sriov_numvfs_store() before calling into the driver's sriov_configure() callback.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
https://git.kernel.org/stable/c/1047ca2d816994f31e1475e63e0c0b7825599747	kernel.org
https://git.kernel.org/stable/c/3cddde484471c602bea04e6f384819d336a1ff84	kernel.org
https://git.kernel.org/stable/c/7c37920c96b85ef4255a7acc795e99e63dd38d59	kernel.org
https://git.kernel.org/stable/c/97c18f074ff1c12d016a0753072a3afdfa0b9611	kernel.org
https://git.kernel.org/stable/c/a5338e365c4559d7b4d7356116b0eb95b12e08d5	kernel.org
https://git.kernel.org/stable/c/bea1d373098b22d7142da48750ce5526096425bc	kernel.org
https://git.kernel.org/stable/c/d7673ac466eca37ec3e6b7cc9ccdb06de3304e9b	kernel.org
https://git.kernel.org/stable/c/f3015627b6e9ddf85cfeaf42405b3c194dde2c36	kernel.org

Weakness Enumeration

CWE-ID	CWE Name	Source

Change History

2 change records found show changes

CVE Modified by kernel.org 4/03/2026 12:16:22 PM

Action	Type	Old Value	New Value
Changed	Description	Record truncated, showing 2048 of 2960 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV Before disabling SR-IOV via config space accesses to the parent PF, sriov_disable() first removes the PCI devices representing the VFs. Since commit 9d16947b7583 ("PCI: Add global pci_lock_rescan_remove()") such removal operations are serialized against concurrent remove and rescan using the pci_rescan_remove_lock. No such locking was ever added in sriov_disable() however. In particular when commit 18f9e9d150fc ("PCI/IOV: Factor out sriov_add_vfs()") factored out the PCI device removal into sriov_del_vfs() there was still no locking around the pci_iov_remove_virtfn() calls. On s390 the lack of serialization in sriov_disable() may cause double remove and list corruption with the below (amended) trace being observed: PSW: 0704c00180000000 0000000c914e4b38 (klist_put+56) GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001 00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480 0000000000000001 0000000000000000 0000000000000000 0000000180692828 00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8 #0 [3800313fb20] device_del at c9158ad5c #1 [3800313fb88] pci_remove_bus_device at c915105ba #2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198 #3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0 #4 [3800313fc60] zpci_bus_remove_device at c90fb6104 #5 [3800313fca0] __zpci_event_availability at c90fb3dca #6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2 #7 [3800313fd60] crw_collect_info at c91905822 #8 [3800313fe10] kthread at c90feb390 #9 [3800313fe68] __ret_from_fork at c90f6aa64 #10 [3800313fe98] ret_from_fork at c9194f3f2. This is because in addition to sriov_disable() removing the VFs, the platform also generates hot-unplug events for the VFs. This being the reverse operation to the hotplug events generated by sriov_enable() and handled via pdev->no_vf_scan. And while the event processing takes pci_	In the Linux kernel, the following vulnerability has been resolved: PCI/IOV: Fix race between SR-IOV enable/disable and hotplug Commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV") tried to fix a race between the VF removal inside sriov_del_vfs() and concurrent hot unplug by taking the PCI rescan/remove lock in sriov_del_vfs(). Similarly the PCI rescan/remove lock was also taken in sriov_add_vfs() to protect addition of VFs. This approach however causes deadlock on trying to remove PFs with SR-IOV enabled because PFs disable SR-IOV during removal and this removal happens under the PCI rescan/remove lock. So the original fix had to be reverted. Instead of taking the PCI rescan/remove lock in sriov_add_vfs() and sriov_del_vfs(), fix the race that occurs with SR-IOV enable and disable vs hotplug higher up in the callchain by taking the lock in sriov_numvfs_store() before calling into the driver's sriov_configure() callback.
Added	Reference		https://git.kernel.org/stable/c/1047ca2d816994f31e1475e63e0c0b7825599747
Added	Reference		https://git.kernel.org/stable/c/3cddde484471c602bea04e6f384819d336a1ff84
Added	Reference		https://git.kernel.org/stable/c/7c37920c96b85ef4255a7acc795e99e63dd38d59
Added	Reference		https://git.kernel.org/stable/c/97c18f074ff1c12d016a0753072a3afdfa0b9611
Added	Reference		https://git.kernel.org/stable/c/a5338e365c4559d7b4d7356116b0eb95b12e08d5
Added	Reference		https://git.kernel.org/stable/c/bea1d373098b22d7142da48750ce5526096425bc
Added	Reference		https://git.kernel.org/stable/c/d7673ac466eca37ec3e6b7cc9ccdb06de3304e9b
Added	Reference		https://git.kernel.org/stable/c/f3015627b6e9ddf85cfeaf42405b3c194dde2c36
Removed	Reference	https://git.kernel.org/stable/c/05703271c3cdcc0f2a8cf6ebdc45892b8ca83520
Removed	Reference	https://git.kernel.org/stable/c/1e8a80290f964bdbad225221c8a1594c7e01c8fd
Removed	Reference	https://git.kernel.org/stable/c/36039348bca77828bf06eae41b8f76e38cd15847
Removed	Reference	https://git.kernel.org/stable/c/53154cd40ccf285f1d1c24367824082061d155bd
Removed	Reference	https://git.kernel.org/stable/c/5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf
Removed	Reference	https://git.kernel.org/stable/c/a24219172456f035d886857e265ca24c85b167c8
Removed	Reference	https://git.kernel.org/stable/c/a645ca21de09e3137cbb224fa6c23cca873a1d01
Removed	Reference	https://git.kernel.org/stable/c/ee40e5db052d7c6f406fdb95ad639c894c74674c

New CVE Received from kernel.org 12/04/2025 10:15:57 AM

Action	Type	New Value
Added	Description	Record truncated, showing 2048 of 2960 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV Before disabling SR-IOV via config space accesses to the parent PF, sriov_disable() first removes the PCI devices representing the VFs. Since commit 9d16947b7583 ("PCI: Add global pci_lock_rescan_remove()") such removal operations are serialized against concurrent remove and rescan using the pci_rescan_remove_lock. No such locking was ever added in sriov_disable() however. In particular when commit 18f9e9d150fc ("PCI/IOV: Factor out sriov_add_vfs()") factored out the PCI device removal into sriov_del_vfs() there was still no locking around the pci_iov_remove_virtfn() calls. On s390 the lack of serialization in sriov_disable() may cause double remove and list corruption with the below (amended) trace being observed: PSW: 0704c00180000000 0000000c914e4b38 (klist_put+56) GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001 00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480 0000000000000001 0000000000000000 0000000000000000 0000000180692828 00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8 #0 [3800313fb20] device_del at c9158ad5c #1 [3800313fb88] pci_remove_bus_device at c915105ba #2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198 #3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0 #4 [3800313fc60] zpci_bus_remove_device at c90fb6104 #5 [3800313fca0] __zpci_event_availability at c90fb3dca #6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2 #7 [3800313fd60] crw_collect_info at c91905822 #8 [3800313fe10] kthread at c90feb390 #9 [3800313fe68] __ret_from_fork at c90f6aa64 #10 [3800313fe98] ret_from_fork at c9194f3f2. This is because in addition to sriov_disable() removing the VFs, the platform also generates hot-unplug events for the VFs. This being the reverse operation to the hotplug events generated by sriov_enable() and handled via pdev->no_vf_scan. And while the event processing takes pci_
Added	Reference	https://git.kernel.org/stable/c/05703271c3cdcc0f2a8cf6ebdc45892b8ca83520
Added	Reference	https://git.kernel.org/stable/c/1e8a80290f964bdbad225221c8a1594c7e01c8fd
Added	Reference	https://git.kernel.org/stable/c/36039348bca77828bf06eae41b8f76e38cd15847
Added	Reference	https://git.kernel.org/stable/c/53154cd40ccf285f1d1c24367824082061d155bd
Added	Reference	https://git.kernel.org/stable/c/5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf
Added	Reference	https://git.kernel.org/stable/c/a24219172456f035d886857e265ca24c85b167c8
Added	Reference	https://git.kernel.org/stable/c/a645ca21de09e3137cbb224fa6c23cca873a1d01
Added	Reference	https://git.kernel.org/stable/c/ee40e5db052d7c6f406fdb95ad639c894c74674c

Quick Info

CVE Dictionary Entry:
CVE-2025-40219
NVD Published Date:
12/04/2025
NVD Last Modified:
04/03/2026
Source:
kernel.org

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2025-40219 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Change History

CVE Modified by kernel.org 4/03/2026 12:16:22 PM

New CVE Received from kernel.org 12/04/2025 10:15:57 AM

Quick Info