CVE-2025-40219: Critical Locking Flaw Resolved in Linux Kernel PCI/IOV SR-IOV

A critical race condition vulnerability, identified as CVE-2025-40219, has been discovered and resolved in the Linux kernel’s PCI/IOV (Input/Output Virtualization) Single Root I/O Virtualization (SR-IOV) implementation. This flaw could lead to double remove and list corruption, particularly affecting systems running on the s390 architecture.

Overview

CVE-2025-40219 stems from a lack of proper locking mechanisms during the enabling and disabling of SR-IOV virtual functions (VFs). Specifically, when disabling SR-IOV through config space accesses to the parent Physical Function (PF), the `sriov_disable()` function removes PCI devices representing the VFs. The absence of the `pci_rescan_remove_lock` during this process allows for concurrent removal and rescan operations, potentially leading to system instability and data corruption.

Technical Details

The vulnerability lies in the `sriov_disable()` and `sriov_add_vfs()` functions, which do not serialize against concurrent remove and rescan operations using the `pci_rescan_remove_lock`. This omission can trigger a race condition when the platform generates hot-unplug events for the VFs in addition to the removal performed by `sriov_disable()`. The event handler does take the `pci_rescan_remove_lock` and checks whether the `struct pci_dev` still exists, but because `sriov_disable()` removes the device without holding that same lock, the check is racy: it can succeed just before the device is torn down, and both paths then remove it.

On s390 systems, this can manifest as a double remove and list corruption, as demonstrated in the provided trace. The lack of locking allows for concurrent modification of the PCI device list, leading to inconsistencies and potential crashes.
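To make the check-then-act race concrete, here is a small user-space C model added for this article; it is not kernel code, and the device, lock and "remover" structures are constructed stand-ins for the VF's `struct pci_dev`, `pci_rescan_remove_lock`, and the two removal paths. It replays one interleaving with and without the `sriov_del_vfs()` side taking the lock, and counts how many times the same VF gets removed.

```c
#include <stdbool.h>
#include <stdio.h>
struct vf_dev { bool on_list; int removals; };  /* constructed model of a VF's pci_dev */
struct rlock { int owner; };                    /* pci_rescan_remove_lock: 0 = free */
struct remover { int id; int step; bool use_lock; bool done; };  /* one remover, as a step machine */
/* Advance a remover (sriov_del_vfs() or the hot-unplug handler) one step; false = waiting for the lock. */
static bool remover_step(struct remover *r, struct vf_dev *d, struct rlock *l)
{
    switch (r->step) {
    case 0:                                 /* take the lock, if this path is serialized */
        if (r->use_lock) {
            if (l->owner) return false;
            l->owner = r->id;
        }
        r->step = 1; return true;
    case 1:                                 /* check: is the pci_dev still on the bus list? */
        r->step = d->on_list ? 2 : 3; return true;
    case 2:                                 /* act: unlink and "free" it */
        d->on_list = false; d->removals++;
        r->step = 3; return true;
    default:                                /* release the lock and finish */
        if (r->use_lock) l->owner = 0;
        r->done = true; return true;
    }
}
/* Interleaving: del_vfs checks, hot-unplug checks, del_vfs acts, hot-unplug acts.
 * Remover 0 is sriov_del_vfs(), which takes the lock only when `fixed`; remover 1 is
 * the hot-unplug handler, which always takes it. Returns how often the VF was removed:
 * 1 is correct, 2 is the double remove. */
static int demo_double_remove(bool fixed)
{
    static const int schedule[] = { 0, 0, 1, 1, 0, 1 };
    struct vf_dev dev = { true, 0 };
    struct rlock lock = { 0 };
    struct remover r[2] = { { 1, 0, fixed, false }, { 2, 0, true, false } };
    for (size_t i = 0; i < sizeof schedule / sizeof schedule[0]; i++)
        remover_step(&r[schedule[i]], &dev, &lock);
    while (!(r[0].done && r[1].done))       /* a waiter proceeds once the lock is released */
        for (int k = 0; k < 2; k++)
            if (!r[k].done) remover_step(&r[k], &dev, &lock);
    return dev.removals;
}
int main(void)
{
    printf("unfixed: %d removal(s), fixed: %d removal(s)\n", demo_double_remove(false), demo_double_remove(true));
    return 0;
}
```

Note that the hot-unplug handler's own locked existence check does not save it: the check only means something when every path that can remove the device holds the same lock, which is what the fix adds to `sriov_del_vfs()` and `sriov_add_vfs()`.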

CVSS Analysis

No CVSS score has been assigned to CVE-2025-40219 at the time of writing (N/A). The potential for system instability and data corruption nonetheless warrants a high level of concern; a score will be determined once exploitability and impact have been assessed.

Possible Impact

The primary impact of CVE-2025-40219 is potential system instability and data corruption. Specifically:

  • Double Remove: Attempting to remove a PCI device twice can lead to kernel panics and system crashes.
  • List Corruption: Concurrent modifications to the PCI device list can result in inconsistencies, leading to unpredictable behavior and potential data loss.
  • System Instability: The race condition can trigger unexpected errors and crashes, disrupting normal system operation.
  • Privilege Escalation (Possible): While not explicitly mentioned, memory corruption vulnerabilities can sometimes be leveraged for privilege escalation, but this is not confirmed.

Mitigation or Patch Steps

The vulnerability is addressed by adding the necessary locking mechanisms to `sriov_del_vfs()` and `sriov_add_vfs()`. The fix ensures that PCI device removal and addition operations are serialized using the `pci_rescan_remove_lock`, preventing the race condition.

To mitigate CVE-2025-40219, users should update their Linux kernel to a version containing the fix. These versions include (but may not be limited to) kernels containing the following commits:

Consult your Linux distribution’s security advisories for specific patched kernel versions.
