DEBIAN-CVE-2025-40034

In the Linux kernel, the following vulnerability has been resolved: PCI/AER: Avoid NULL pointer dereference in aerratelimit() When platform firmware supplies error information to the OS, e.g., via the ACPI APEI GHES mechanism, it may identify an error source device that doesn't advertise an AER Capability and therefore dev->aerinfo, which contains AER stats and ratelimiting data, is NULL. pcidevaerstatsincr() already checks dev->aerinfo for NULL, but aerratelimit() did not, leading to NULL pointer dereferences like this one from the URL below: {1}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 0 {1}[Hardware Error]: event severity: corrected {1}[Hardware Error]: deviceid: 0000:00:00.0 {1}[Hardware Error]: vendorid: 0x8086, deviceid: 0x2020 {1}[Hardware Error]: aercorstatus: 0x00001000, aercormask: 0x00002000 BUG: kernel NULL pointer dereference, address: 0000000000000264 RIP: 0010:_ratelimit+0xc/0x1b0 pciprintaer+0x141/0x360 aerrecoverworkfunc+0xb5/0x130 [8086:2020] is an Intel "Sky Lake-E DMI3 Registers" device that claims to be a Root Port but does not advertise an AER Capability. Add a NULL check in aer_ratelimit() to avoid the NULL pointer dereference. Note that this also prevents ratelimiting these events from GHES. [bhelgaas: add crash details to commit log]