In the Linux kernel, the following vulnerability has been resolved:
PCI: Fix NULL dereference in SR-IOV VF creation error path
Clean up when virtfn setup fails to prevent NULL pointer dereference during device removal. The kernel oops below occurred due to incorrect error handling flow when pcisetupdevice() fails.
Add pciiovscandevice(), which handles virtfn allocation and setup and cleans up if pcisetupdevice() fails, so pciiovaddvirtfn() doesn't need to call pcistopandremovebus_device(). This prevents accessing partially initialized virtfn devices during removal.
BUG: kernel NULL pointer dereference, address: 00000000000000d0 RIP: 0010:devicedel+0x3d/0x3d0 Call Trace: pciremovebusdevice+0x7c/0x100 pciiovaddvirtfn+0xfa/0x200 sriovenable+0x208/0x420 mlx5coresriovconfigure+0x6a/0x160 [mlx5core] sriovnumvfsstore+0xae/0x1a0
[bhelgaas: commit log, return ERR_PTR(-ENOMEM) directly]