In the Linux kernel, the following vulnerability has been resolved:
idpf: fix adapter NULL pointer dereference on reboot
With SRIOV enabled, idpf ends up calling into idpf_remove() twice: first via idpf_shutdown(), and then again when idpf_remove() calls into sriov_disable(), because the VF devices use the idpf driver and hence the same remove routine. When that happens, it is possible for the adapter to already be NULL from the first call to idpf_remove(), leading to a NULL pointer dereference.
echo 1 > /sys/class/net/<netif>/device/sriov_numvfs
reboot
BUG: kernel NULL pointer dereference, address: 0000000000000020
...
RIP: 0010:idpf_remove+0x22/0x1f0 [idpf]
...
? idpf_remove+0x22/0x1f0 [idpf]
? idpf_remove+0x1e4/0x1f0 [idpf]
pci_device_remove+0x3f/0xb0
device_release_driver_internal+0x19f/0x200
pci_stop_bus_device+0x6d/0x90
pci_stop_and_remove_bus_device+0x12/0x20
pci_iov_remove_virtfn+0xbe/0x120
sriov_disable+0x34/0xe0
idpf_sriov_configure+0x58/0x140 [idpf]
idpf_remove+0x1b9/0x1f0 [idpf]
idpf_shutdown+0x12/0x30 [idpf]
pci_device_shutdown+0x35/0x60
device_shutdown+0x156/0x200
...
Replace the direct idpf_remove() call in idpf_shutdown() with idpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform the bulk of the cleanup: stopping the init task, freeing IRQs, destroying the vports and freeing the mailbox. This avoids the call to sriov_disable(), and also skips a small netdev cleanup and the destruction of workqueues, none of which appear to be required on shutdown.
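To make the re-entry ordering concrete, the following is an added C model of the two shutdown paths. It is not the kernel's idpf code: every structure and function in it is a stand-in named after the routines in the advisory, it returns an error code where the real driver would dereference NULL, and it assumes that on reboot the VF device is shut down before its PF (child before parent) and that the original remove path cleared the driver data after freeing the adapter. Under those assumptions the original shutdown reaches the second idpf_remove() on the VF with NULL driver data, while the fixed shutdown never calls sriov_disable() and so never re-enters it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the PCI device and idpf adapter objects
 * (not the kernel's definitions). */
struct pci_dev {
    struct pci_dev *vf;   /* child VF of a PF; NULL for the VF itself */
    void *drvdata;        /* what pci_get_drvdata() would return */
};

struct idpf_adapter {
    unsigned long flags;  /* first field idpf_remove() touches, per the trace */
    int vc_core_inited;
    int dflt_mbx_inited;
};

/* Returned instead of faulting, so the outcome can be checked. */
enum { OK = 0, NULL_DEREF = -1 };

static int idpf_remove(struct pci_dev *pdev);

/* Models the PCI core tearing down the VFs: each VF's remove routine is
 * the idpf one, so removing the PF re-enters idpf_remove() for the VF. */
static int sriov_disable(struct pci_dev *pf)
{
    return pf->vf ? idpf_remove(pf->vf) : OK;
}

static void idpf_vc_core_deinit(struct idpf_adapter *a) { a->vc_core_inited = 0; }
static void idpf_deinit_dflt_mbx(struct idpf_adapter *a) { a->dflt_mbx_inited = 0; }

static int idpf_remove(struct pci_dev *pdev)
{
    struct idpf_adapter *adapter = pdev->drvdata;
    int err;

    if (!adapter)               /* the real driver dereferences adapter->flags here */
        return NULL_DEREF;
    adapter->flags |= 1UL;      /* stands in for set_bit(IDPF_REMOVE_IN_PROG, ...) */

    idpf_vc_core_deinit(adapter);
    err = sriov_disable(pdev);  /* no-op on a VF, which has no children */
    if (err)
        return err;
    idpf_deinit_dflt_mbx(adapter);

    free(adapter);
    pdev->drvdata = NULL;       /* a later idpf_remove() on this pdev sees NULL */
    return OK;
}

/* Original shutdown: delegates everything to idpf_remove(). */
static int idpf_shutdown_original(struct pci_dev *pdev)
{
    return idpf_remove(pdev);
}

/* Fixed shutdown: only the deinit steps, so no sriov_disable() and no
 * second entry into a VF's remove routine. */
static int idpf_shutdown_fixed(struct pci_dev *pdev)
{
    struct idpf_adapter *adapter = pdev->drvdata;

    idpf_vc_core_deinit(adapter);
    idpf_deinit_dflt_mbx(adapter);
    return OK;
}

/* Reboot with one PF and one VF. Assumption of this model: the VF, being
 * a child device, is shut down before its PF. Returns OK or NULL_DEREF. */
int simulate_reboot(int fixed)
{
    struct pci_dev vf = { NULL, calloc(1, sizeof(struct idpf_adapter)) };
    struct pci_dev pf = { &vf, calloc(1, sizeof(struct idpf_adapter)) };
    int (*shutdown)(struct pci_dev *) = fixed ? idpf_shutdown_fixed
                                             : idpf_shutdown_original;
    int err;

    if (!vf.drvdata || !pf.drvdata)
        return NULL_DEREF;

    err = shutdown(&vf);          /* original path: first idpf_remove() on the VF */
    if (err == OK)
        err = shutdown(&pf);      /* original path: remove -> sriov_disable -> VF remove again */

    free(vf.drvdata);             /* whatever was not freed along the way */
    free(pf.drvdata);
    return err;
}

int main(void)
{
    printf("original shutdown: %s\n",
           simulate_reboot(0) == NULL_DEREF ? "NULL dereference" : "ok");
    printf("fixed shutdown:    %s\n",
           simulate_reboot(1) == OK ? "ok" : "NULL dereference");
    return 0;
}
```

The model returns an error code at the point where the trace shows the fault (idpf_remove+0x22, the first access through the adapter pointer), which is what lets the two paths be compared in a normal process.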