CVE-2022-48840

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48840
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48840.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48840
Related
Published
2024-07-16T13:15:11Z
Modified
2024-09-11T02:00:04Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

iavf: Fix hang during reboot/shutdown

Recent commit 974578017fc1 ("iavf: Add waiting so the port is initialized in remove") adds a wait-loop at the beginning of iavfremove() to ensure that port initialization is finished prior unregistering net device. This causes a regression in reboot/shutdown scenario because in this case callback iavfshutdown() is called and this callback detaches the device, makes it down if it is running and sets its state to _IAVFREMOVE. Later shutdown callback of associated PF driver (e.g. iceshutdown) is called. That callback calls among other things sriovdisable() that calls indirectly iavfremove() (see stack trace below). As the adapter state is already _IAVF_REMOVE then the mentioned loop is end-less and shutdown process hangs.

The patch fixes this by checking adapter's state at the beginning of iavf_remove() and skips the rest of the function if the adapter is already in remove state (shutdown is in progress).

Reproducer: 1. Create VF on PF driven by ice or i40e driver 2. Ensure that the VF is bound to iavf driver 3. Reboot

[52625.981294] sysrq: SysRq : Show Blocked State [52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2 [52625.996732] Call Trace: [52625.999187] _schedule+0x2d1/0x830 [52626.007400] schedule+0x35/0xa0 [52626.010545] schedulehrtimeoutrangeclock+0x83/0x100 [52626.020046] usleeprange+0x5b/0x80 [52626.023540] iavfremove+0x63/0x5b0 [iavf] [52626.027645] pcideviceremove+0x3b/0xc0 [52626.031572] devicereleasedriverinternal+0x103/0x1f0 [52626.036805] pcistopbusdevice+0x72/0xa0 [52626.040904] pcistopandremovebusdevice+0xe/0x20 [52626.045870] pciiovremovevirtfn+0xba/0x120 [52626.050232] sriovdisable+0x2f/0xe0 [52626.053813] icefreevfs+0x7c/0x340 [ice] [52626.057946] iceremove+0x220/0x240 [ice] [52626.061967] iceshutdown+0x16/0x50 [ice] [52626.065987] pcideviceshutdown+0x34/0x60 [52626.070086] deviceshutdown+0x165/0x1c5 [52626.074011] kernelrestart+0xe/0x30 [52626.077593] _dosysreboot+0x1d2/0x210 [52626.093815] dosyscall64+0x5b/0x1a0 [52626.097483] entrySYSCALL64afterhwframe+0x65/0xca

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}