CVE-2025-71313
Description
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: Add missing NULL check for alloc_workqueue()
alloc_workqueue() can return NULL on memory allocation failure. Without proper error checking, this may lead to a NULL pointer dereference when queue_work() is later called with the NULL workqueue pointer in epf_ntb_epc_init().
Add a NULL check immediately after alloc_workqueue() and return -ENOMEM on failure to prevent the driver from loading with an invalid workqueue pointer.
Affected products
Patches
314eab6740bc PCI: endpoint: Add missing NULL check for alloc_workqueue()
2 files changed · +10 −1
drivers/pci/endpoint/functions/pci-epf-ntb.c+5 −0 modifieddiff --git a/drivers/pci/endpoint/functions/pci-epf-ntb.c b/drivers/pci/endpoint/functions/pci-epf-ntb.c index 9ea8b57d69d79..a3a588e522e71 100644 --- a/drivers/pci/endpoint/functions/pci-epf-ntb.c +++ b/drivers/pci/endpoint/functions/pci-epf-ntb.c @@ -2126,6 +2126,11 @@ static int __init epf_ntb_init(void) kpcintb_workqueue = alloc_workqueue("kpcintb", WQ_MEM_RECLAIM | WQ_HIGHPRI | WQ_PERCPU, 0); + if (!kpcintb_workqueue) { + pr_err("Failed to allocate kpcintb workqueue\n"); + return -ENOMEM; + } + ret = pci_epf_register_driver(&epf_ntb_driver); if (ret) { destroy_workqueue(kpcintb_workqueue);
drivers/pci/endpoint/functions/pci-epf-vntb.c+5 −1 modifieddiff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c index a098727f784bd..20a400e834392 100644 --- a/drivers/pci/endpoint/functions/pci-epf-vntb.c +++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c @@ -1653,6 +1653,11 @@ static int __init epf_ntb_init(void) kpcintb_workqueue = alloc_workqueue("kpcintb", WQ_MEM_RECLAIM | WQ_HIGHPRI | WQ_PERCPU, 0); + if (!kpcintb_workqueue) { + pr_err("Failed to allocate kpcintb workqueue\n"); + return -ENOMEM; + } + ret = pci_epf_register_driver(&epf_ntb_driver); if (ret) { destroy_workqueue(kpcintb_workqueue); -- cgit 1.3-korg
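Review bot: The pr_err() string added after alloc_workqueue() in epf_ntb_init() is identical in pci-epf-ntb.c and pci-epf-vntb.c ("Failed to allocate kpcintb workqueue"), and both files name the queue "kpcintb", so the log line alone does not say which endpoint function driver refused to load. Consider naming the driver in each message, or confirm that each file sets a pr_fmt prefix, which these hunks do not show. The early return needs no unwinding here: the allocation is the first step shown in the function, and the existing destroy_workqueue() call only covers the later pci_epf_register_driver() failure.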
03f336a869b3 PCI: endpoint: Add missing NULL check for alloc_workqueue()
2 files changed · +10 −1
drivers/pci/endpoint/functions/pci-epf-ntb.c+5 −0 modifieddiff --git a/drivers/pci/endpoint/functions/pci-epf-ntb.c b/drivers/pci/endpoint/functions/pci-epf-ntb.c index 9ea8b57d69d79..a3a588e522e71 100644 --- a/drivers/pci/endpoint/functions/pci-epf-ntb.c +++ b/drivers/pci/endpoint/functions/pci-epf-ntb.c @@ -2126,6 +2126,11 @@ static int __init epf_ntb_init(void) kpcintb_workqueue = alloc_workqueue("kpcintb", WQ_MEM_RECLAIM | WQ_HIGHPRI | WQ_PERCPU, 0); + if (!kpcintb_workqueue) { + pr_err("Failed to allocate kpcintb workqueue\n"); + return -ENOMEM; + } + ret = pci_epf_register_driver(&epf_ntb_driver); if (ret) { destroy_workqueue(kpcintb_workqueue);
drivers/pci/endpoint/functions/pci-epf-vntb.c+5 −1 modifieddiff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c index a098727f784bd..20a400e834392 100644 --- a/drivers/pci/endpoint/functions/pci-epf-vntb.c +++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c @@ -1653,6 +1653,11 @@ static int __init epf_ntb_init(void) kpcintb_workqueue = alloc_workqueue("kpcintb", WQ_MEM_RECLAIM | WQ_HIGHPRI | WQ_PERCPU, 0); + if (!kpcintb_workqueue) { + pr_err("Failed to allocate kpcintb workqueue\n"); + return -ENOMEM; + } + ret = pci_epf_register_driver(&epf_ntb_driver); if (ret) { destroy_workqueue(kpcintb_workqueue); -- cgit 1.3-korg
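Review bot: The per-file stat for pci-epf-vntb.c reads +5 −1 and the commit total reads +10 −1, but the only hunk shown for that file, @@ -1653,6 +1653,11 @@, carries five added lines and no removed line. Please confirm where the deleted line is and whether it belongs to this fix; if it is an unrelated cleanup, it is easier to backport the NULL check when that change is split out or at least mentioned in the commit message.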
Vulnerability mechanics
Root cause
"The Linux kernel's PCI endpoint driver fails to check for NULL return values from alloc_workqueue(), leading to a NULL pointer dereference."
Attack vector
An attacker can trigger this vulnerability by causing a memory allocation failure during the initialization of the PCI endpoint driver. This failure would result in `alloc_workqueue()` returning NULL. Subsequently, when `queue_work()` is called with this NULL pointer in `epf_ntb_epc_init()`, a NULL pointer dereference occurs, potentially leading to a crash or denial of service.
Affected code
The NULL pointer dereference is reached in `epf_ntb_epc_init()` in `drivers/pci/endpoint/functions/pci-epf-vntb.c` and `drivers/pci/endpoint/functions/pci-epf-ntb.c`, where `queue_work()` uses the workqueue pointer. The code path starts at the call to `alloc_workqueue()`, whose result was stored and later used without a NULL check; the patch hunks place that call in each file's `epf_ntb_init()`.
What the fix does
The patch adds a check immediately after the call to `alloc_workqueue()`. If `alloc_workqueue()` returns NULL, indicating a memory allocation failure, the driver now prints an error message and returns -ENOMEM. This prevents the `kpcintb_workqueue` from being used as a NULL pointer in subsequent calls like `queue_work()`, thus avoiding the NULL pointer dereference.
Preconditions
- config: The PCI endpoint driver must be loaded and initialized.
- input: An event or condition that causes `alloc_workqueue()` to fail, such as severe memory pressure.
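A user-space C model of the init path described above, added here as an illustration and not kernel or project code. `model_alloc_workqueue()`, `model_init()`, `model_queue_work()` and the two fault-injection flags are hypothetical stand-ins, and the later use returns -EFAULT where the kernel would dereference NULL.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space stand-ins for the kernel objects in the advisory. */
struct workqueue { int queued; };
static struct workqueue *kpcintb_workqueue;
static int fail_alloc;     /* fault injection: nonzero = allocation fails */
static int fail_register;  /* fault injection: nonzero = registration fails */

static struct workqueue *model_alloc_workqueue(void)
{
	/* NULL models alloc_workqueue() failing under memory pressure. */
	return fail_alloc ? NULL : calloc(1, sizeof(struct workqueue));
}

/* Module-init model; checked = 0 is the pre-fix flow, 1 the patched flow. */
static int model_init(int checked)
{
	kpcintb_workqueue = model_alloc_workqueue();
	if (checked && !kpcintb_workqueue)
		return -ENOMEM;    /* load is refused; nothing to unwind yet */
	if (fail_register) {       /* existing error path: release the queue */
		free(kpcintb_workqueue);
		kpcintb_workqueue = NULL;
		return -EIO;       /* placeholder error code for this model */
	}
	return 0;                  /* driver counts as loaded from here on */
}

/* Later user of the pointer; reports the bad state instead of crashing. */
static int model_queue_work(void)
{
	if (!kpcintb_workqueue)
		return -EFAULT;    /* the kernel would dereference NULL here */
	kpcintb_workqueue->queued++;
	return 0;
}

int main(void)
{
	int init, work;
	fail_alloc = 1;            /* constructed condition, not a real trace */
	init = model_init(0);
	work = model_queue_work();
	printf("pre-fix:  init=%d queue_work=%d\n", init, work);
	printf("post-fix: init=%d\n", model_init(1));
	return 0;
}
```

With the allocation forced to fail, the pre-fix flow reports a successful load and only the later work submission hits the invalid pointer, while the patched flow refuses to load with -ENOMEM.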
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.