
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability in the Linux kernel's HNS3 (Hisilicon Network Subsystem v3) driver has been identified as CVE-2025-21802. The issue occurs when unloading the hclge driver, which attempts to disable SRIOV (Single Root I/O Virtualization) for each ae_dev node from hnae3_ae_dev_list. If a user unloads the hns3 driver simultaneously, it can cause a system crash (oops) due to the removal of all ae_dev nodes (Debian Tracker, NVD).
The vulnerability stems from a race condition in the driver unload process. The existing hnae3_common_lock is not sufficient to prevent the race, because the pci_disable_sriov() process flow triggers the removal flow of the VFs (Virtual Functions), which also requires hnae3_common_lock. To address this, a new mutex (hnae3_unload_lock) was introduced to protect the unload process (Kernel Commit).
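The locking problem described above can be reproduced in a small user-space model. This is an added example, not code from the kernel or the fix commit: common_lock, unload_lock, nodes and every function name are stand-ins chosen here, and an error-checking pthread mutex is assumed so that a self-relock is reported as EDEADLK instead of hanging.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
/* User-space model: stand-ins for the driver's two mutexes and ae_dev list. */
static pthread_mutex_t common_lock, unload_lock;
static int nodes = 4;
static void locks_init(void) {
    pthread_mutexattr_t a;
    pthread_mutexattr_init(&a);
    /* ERRORCHECK reports a self-relock as EDEADLK instead of hanging. */
    pthread_mutexattr_settype(&a, PTHREAD_MUTEX_ERRORCHECK);
    pthread_mutex_init(&common_lock, &a);
    pthread_mutex_init(&unload_lock, &a);
    pthread_mutexattr_destroy(&a);
}
/* VF removal, reached from inside SR-IOV disable, takes common_lock. */
static int vf_remove(void) {
    int rc = pthread_mutex_lock(&common_lock);
    if (rc == 0) pthread_mutex_unlock(&common_lock);
    return rc;
}
/* The other module's unload: empties the list, but only under unload_lock. */
static void *remove_all_nodes(void *arg) {
    pthread_mutex_lock(&unload_lock);
    nodes = 0;
    pthread_mutex_unlock(&unload_lock);
    return arg;
}
/* Walk the list under "guard"; race=1 starts the competing unload mid-walk. */
static int disable_sriov_all(pthread_mutex_t *guard, int race, int *seen) {
    pthread_t t; int rc = 0;
    pthread_mutex_lock(guard);
    if (race) pthread_create(&t, NULL, remove_all_nodes, NULL);
    for (int i = 0; i < nodes && rc == 0; i++)
        if ((rc = vf_remove()) == 0) (*seen)++;
    pthread_mutex_unlock(guard);
    if (race) pthread_join(t, NULL);
    return rc;
}
int main(void) {
    int a = 0, b = 0, rc;
    locks_init();
    rc = disable_sriov_all(&common_lock, 0, &a);   /* guard == inner lock */
    printf("common_lock guard: rc=%d (EDEADLK=%d)\n", rc, EDEADLK);
    rc = disable_sriov_all(&unload_lock, 1, &b);   /* separate outer lock */
    printf("unload_lock guard: rc=%d walked=%d left=%d\n", rc, b, nodes);
    return 0;
}
```

Guarding the walk with the same lock that VF removal takes fails on the first node, while the separate outer lock lets the walk finish over all four nodes before the competing unload empties the list.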
When exploited, this vulnerability can cause a kernel oops (system crash) during the parallel unloading of drivers, potentially leading to system instability and denial of service conditions (NVD).
The issue has been fixed in Linux kernel version 6.14-rc1 through the introduction of a new mutex (hnae3_unload_lock) to protect the unload process. The fix has been backported to various stable kernel versions. For Debian systems, the fix is available in version 6.1.129-1 for bookworm and 6.12.17-1 for sid/trixie releases (Debian Tracker).
Source: This report was generated using AI