CVE-2022-48842

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48842
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48842.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48842
Published
2024-07-16T12:25:12Z
Modified
2025-10-08T06:22:31.523085Z
Summary
ice: Fix race condition during interface enslave
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: Fix race condition during interface enslave

Commit 5dbbbd01cbba83 ("ice: Avoid RTNL lock when re-creating auxiliary device") changes a process of re-creation of aux device so ice_plug_aux_dev() is called from ice_service_task() context. This unfortunately opens a race window that can result in dead-lock when interface has left LAG and immediately enters LAG again.

Reproducer:

#!/bin/sh

ip link add lag0 type bond mode 1 miimon 100
ip link set lag0

for n in {1..10}; do
        echo Cycle: $n
        ip link set ens7f0 master lag0
        sleep 1
        ip link set ens7f0 nomaster
done

This results in:

[20976.208697] Workqueue: ice ice_service_task [ice]
[20976.213422] Call Trace:
[20976.215871] __schedule+0x2d1/0x830
[20976.219364] schedule+0x35/0xa0
[20976.222510] schedule_preempt_disabled+0xa/0x10
[20976.227043] __mutex_lock.isra.7+0x310/0x420
[20976.235071] enum_all_gids_of_dev_cb+0x1c/0x100 [ib_core]
[20976.251215] ib_enum_roce_netdev+0xa4/0xe0 [ib_core]
[20976.256192] ib_cache_setup_one+0x33/0xa0 [ib_core]
[20976.261079] ib_register_device+0x40d/0x580 [ib_core]
[20976.266139] irdma_ib_register_device+0x129/0x250 [irdma]
[20976.281409] irdma_probe+0x2c1/0x360 [irdma]
[20976.285691] auxiliary_bus_probe+0x45/0x70
[20976.289790] really_probe+0x1f2/0x480
[20976.298509] driver_probe_device+0x49/0xc0
[20976.302609] bus_for_each_drv+0x79/0xc0
[20976.306448] __device_attach+0xdc/0x160
[20976.310286] bus_probe_device+0x9d/0xb0
[20976.314128] device_add+0x43c/0x890
[20976.321287] __auxiliary_device_add+0x43/0x60
[20976.325644] ice_plug_aux_dev+0xb2/0x100 [ice]
[20976.330109] ice_service_task+0xd0c/0xed0 [ice]
[20976.342591] process_one_work+0x1a7/0x360
[20976.350536] worker_thread+0x30/0x390
[20976.358128] kthread+0x10a/0x120
[20976.365547] ret_from_fork+0x1f/0x40
...
[20976.438030] task:ip state:D stack: 0 pid:213658 ppid:213627 flags:0x00004084
[20976.446469] Call Trace:
[20976.448921] __schedule+0x2d1/0x830
[20976.452414] schedule+0x35/0xa0
[20976.455559] schedule_preempt_disabled+0xa/0x10
[20976.460090] __mutex_lock.isra.7+0x310/0x420
[20976.464364] device_del+0x36/0x3c0
[20976.467772] ice_unplug_aux_dev+0x1a/0x40 [ice]
[20976.472313] ice_lag_event_handler+0x2a2/0x520 [ice]
[20976.477288] notifier_call_chain+0x47/0x70
[20976.481386] __netdev_upper_dev_link+0x18b/0x280
[20976.489845] bond_enslave+0xe05/0x1790 [bonding]
[20976.494475] do_setlink+0x336/0xf50
[20976.502517] __rtnl_newlink+0x529/0x8b0
[20976.543441] rtnl_newlink+0x43/0x60
[20976.546934] rtnetlink_rcv_msg+0x2b1/0x360
[20976.559238] netlink_rcv_skb+0x4c/0x120
[20976.563079] netlink_unicast+0x196/0x230
[20976.567005] netlink_sendmsg+0x204/0x3d0
[20976.570930] sock_sendmsg+0x4c/0x50
[20976.574423] ____sys_sendmsg+0x1eb/0x250
[20976.586807] ___sys_sendmsg+0x7c/0xc0
[20976.606353] __sys_sendmsg+0x57/0xa0
[20976.609930] do_syscall_64+0x5b/0x1a0
[20976.613598] entry_SYSCALL_64_after_hwframe+0x65/0xca

  1. Command 'ip link ... set nomaster' causes that ice_plug_aux_dev() is called from ice_service_task() context, aux device is created and associated device->lock is taken.
  2. Command 'ip link ... set master...' calls ice's notifier under RTNL lock and that notifier calls ice_unplug_aux_dev(). That function tries to take aux device->lock but this is already taken by ice_plug_aux_dev() in step 1
  3. Later ice_plug_aux_dev() tries to take RTNL lock but this is already taken in step 2
  4. Dead-lock

The patch fixes this issue by following changes:

  - Bit ICE_FLAG_PLUG_AUX_DEV is kept to be set during ice_plug_aux_dev() call in ice_service_task()
  - The bit is checked in ice_clear_rdma_cap() and only if it is not set then ice_unplug_aux_dev() is called. If it is set (in other words plugging of aux device was requested and ice_plug_aux_dev() is potentially running) then the function only clears the ---truncated---
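For triage, the two blocked stacks in the traces above form a recognizable pair: one stack waiting in a mutex under ice_plug_aux_dev() from ice_service_task(), the other waiting in a mutex under ice_unplug_aux_dev() from ice_lag_event_handler(). The following is an added example, not code from the kernel patch or from this record; the helper names (`split_stacks`, `matches_cve_2022_48842`) are hypothetical, the sample log is constructed by abridging the traces above, and frame names use the kernel's underscore spelling.

```python
import re

# Constructed sample: a few frames per task, abridged from the traces above.
SAMPLE_LOG = """\
[20976.208697] Workqueue: ice ice_service_task [ice]
[20976.213422] Call Trace:
[20976.227043]  __mutex_lock.isra.7+0x310/0x420
[20976.325644]  ice_plug_aux_dev+0xb2/0x100 [ice]
[20976.330109]  ice_service_task+0xd0c/0xed0 [ice]
[20976.438030] task:ip state:D stack: 0 pid:213658 ppid:213627 flags:0x00004084
[20976.446469] Call Trace:
[20976.460090]  __mutex_lock.isra.7+0x310/0x420
[20976.464364]  device_del+0x36/0x3c0
[20976.467772]  ice_unplug_aux_dev+0x1a/0x40 [ice]
[20976.472313]  ice_lag_event_handler+0x2a2/0x520 [ice]
[20976.502517]  __rtnl_newlink+0x529/0x8b0
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
FRAME = re.compile(r"^\??\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Each side of the deadlock: frames that must all appear in one blocked stack.
PLUG_SIDE = {"__mutex_lock", "ice_plug_aux_dev", "ice_service_task"}
UNPLUG_SIDE = {"__mutex_lock", "ice_unplug_aux_dev", "ice_lag_event_handler"}

def split_stacks(log):
    """Return one set of function names per 'Call Trace:' block."""
    stacks, current = [], None
    for raw in log.splitlines():
        line = STAMP.sub("", raw).strip()
        if line.startswith("Call Trace:"):
            current = set()
            stacks.append(current)
        elif current is not None:
            m = FRAME.match(line)
            if m:
                # Drop compiler suffixes such as ".isra.7" before matching.
                current.add(m.group(1).split(".")[0])
            else:
                current = None  # a non-frame line ends the trace
    return stacks

def matches_cve_2022_48842(log):
    """True when both halves of the lock inversion are blocked in the same log."""
    stacks = split_stacks(log)
    plug = any(PLUG_SIDE <= s for s in stacks)
    unplug = any(UNPLUG_SIDE <= s for s in stacks)
    return plug and unplug
```

A match only says the log has the same shape as the traces in this record; confirm the running kernel against the affected ranges before attributing a hang to this issue.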

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
41a8c548d47bcdbbd5e0fa40fbb7c95cc54bcb34
Fixed
a9bbacc53d1f5ed8febbfdf31401d20e005f49ef
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6d26421f742345acb6158780dd1e61f945615f06
Fixed
e1014fc5572375658fa421531cedb6e084f477dc
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5dbbbd01cbba831233c6ea9a3e6bfa133606d3c0
Fixed
5cb1ebdbc4342b1c2ce89516e19808d64417bdbc

Affected versions

v5.*

v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.15
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.24
Fixed
5.15.30
Type
ECOSYSTEM
Events
Introduced
5.16.10
Fixed
5.16.16