{"id":"CVE-2025-39871","summary":"dmaengine: idxd: Remove improper idxd_free","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Remove improper idxd_free\n\nThe call to idxd_free() introduces a duplicate put_device() leading to a\nreference count underflow:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110\n...\nCall Trace:\n \u003cTASK\u003e\n  idxd_remove+0xe4/0x120 [idxd]\n  pci_device_remove+0x3f/0xb0\n  device_release_driver_internal+0x197/0x200\n  driver_detach+0x48/0x90\n  bus_remove_driver+0x74/0xf0\n  pci_unregister_driver+0x2e/0xb0\n  idxd_exit_module+0x34/0x7a0 [idxd]\n  __do_sys_delete_module.constprop.0+0x183/0x280\n  do_syscall_64+0x54/0xd70\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe idxd_unregister_devices() which is invoked at the very beginning of\nidxd_remove(), already takes care of the necessary put_device() through the\nfollowing call path:\nidxd_unregister_devices() -\u003e device_unregister() -\u003e put_device()\n\nIn addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may\ntrigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is\ncalled immediately after, it can result in a use-after-free.\n\nRemove the improper idxd_free() to avoid both the refcount underflow and\npotential memory corruption during module unload.","modified":"2026-04-16T00:01:34.661089866Z","published":"2025-09-23T06:00:44.882Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3751-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4141-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39871.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0e95ee7f532b21206fe3f1c4054002b0d21e3b9c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/24414bbcb37e1af95190af36c21ae51d497e1a9e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/da4fbc1488a4cec6748da685181ee4449a878dac"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dd7a7e43269711d757fc260b0bbdf7138f75de11"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f41c538881eec4dcf5961a242097d447f848cda6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39871.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39871"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"68ac5a01f635b3791196fd1c39bc48497252c36f"},{"fixed":"24414bbcb37e1af95190af36c21ae51d497e1a9e"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d2d05fd0fc95c4defed6f7b87550e20e8baa1d97"},{"fixed":"0e95ee7f532b21206fe3f1c4054002b0d21e3b9c"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"21f9f5cd9a0c75084d4369ba0b8c4f695c41dea7"},{"fixed":"dd7a7e43269711d757fc260b0bbdf7138f75de11"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d5449ff1b04dfe9ed8e455769aa01e4c2ccf6805"},{"fixed":"da4fbc1488a4cec6748da685181ee4449a878dac"},{"fixed":"f41c538881eec4dcf5961a242097d447f848cda6"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"2b7a961cea0e5b65afda911f76d14fec5c98d024"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39871.json"}}],"schema_version":"1.7.5"}