CVE-2022-49063

Source
https://cve.org/CVERecord?id=CVE-2022-49063
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49063.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49063
Published
2025-02-26T01:54:32.460Z
Modified
2026-03-20T12:22:07.925834Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
ice: arfs: fix use-after-free when freeing @rx_cpu_rmap
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: arfs: fix use-after-free when freeing @rx_cpu_rmap

The CI testing bots triggered the following splat:

[ 718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80
[ 718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834
[ 718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S W IOE 5.17.0-rc8nextqueue-devqueue-02643-g23f3121aca93 #1
[ 718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020
[ 718.223418] Call Trace:
[ 718.227139]
[ 718.230783] dump_stack_lvl+0x33/0x42
[ 718.234431] print_address_description.constprop.9+0x21/0x170
[ 718.238177] ? free_irq_cpu_rmap+0x53/0x80
[ 718.241885] ? free_irq_cpu_rmap+0x53/0x80
[ 718.245539] kasan_report.cold.18+0x7f/0x11b
[ 718.249197] ? free_irq_cpu_rmap+0x53/0x80
[ 718.252852] free_irq_cpu_rmap+0x53/0x80
[ 718.256471] ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice]
[ 718.260174] ice_remove_arfs+0x5f/0x70 [ice]
[ 718.263810] ice_rebuild_arfs+0x3b/0x70 [ice]
[ 718.267419] ice_rebuild+0x39c/0xb60 [ice]
[ 718.270974] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 718.274472] ? ice_init_phy_user_cfg+0x360/0x360 [ice]
[ 718.278033] ? delay_tsc+0x4a/0xb0
[ 718.281513] ? preempt_count_sub+0x14/0xc0
[ 718.284984] ? delay_tsc+0x8f/0xb0
[ 718.288463] ice_do_reset+0x92/0xf0 [ice]
[ 718.292014] ice_pci_err_resume+0x91/0xf0 [ice]
[ 718.295561] pci_reset_function+0x53/0x80
<...>
[ 718.393035] Allocated by task 690:
[ 718.433497] Freed by task 20834:
[ 718.495688] Last potentially related work creation:
[ 718.568966] The buggy address belongs to the object at ffff8881bd127e00 which belongs to the cache kmalloc-96 of size 96
[ 718.574085] The buggy address is located 0 bytes inside of 96-byte region [ffff8881bd127e00, ffff8881bd127e60)
[ 718.579265] The buggy address belongs to the page:
[ 718.598905] Memory state around the buggy address:
[ 718.601809] ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 718.604796] ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 718.607794] >ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 718.610811] ^
[ 718.613819] ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 718.617107] ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc

This is because free_irq_cpu_rmap() is always called after (devm_)free_irq() and thus tries to work with IRQ descs that have already been freed. For example, on device reset the driver frees the rmap right before allocating a new one (the splat above). Make the rmap creation and freeing functions symmetrical with the {request,free}_irq() calls, i.e. do that on ifup/ifdown instead of device probe/remove/resume. These operations can be performed independently of the actual device aRFS configuration. Also, make sure ice_vsi_free_irq() clears IRQ affinity notifiers only when aRFS is disabled -- otherwise, CPU rmap sets and clears its own and they must not be touched manually.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49063.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
28bf26724fdb0e02267d19e280d6717ee810a10d
Fixed
ba2f6ec28733fb6b24ed086e676df3df4c138f3f
Fixed
618df75f2e30c7838a3e010ca32cd4893ec9fe33
Fixed
d08d2fb6d99d82da1c63aba5c0d1c6f237e150f3
Fixed
d7442f512b71fc63a99c8a801422dde4fbbf9f93
