In the Linux kernel, the following vulnerability has been resolved:
iavf: fix hang on reboot with ice
When a system with E810 with existing VFs gets rebooted the following hang may be observed.
Pid 1 is hung in iavfremove(), part of a network driver: PID: 1 TASK: ffff965400e5a340 CPU: 24 COMMAND: "systemd-shutdow" #0 [ffffaad04005fa50] _schedule at ffffffff8b3239cb #1 [ffffaad04005fae8] schedule at ffffffff8b323e2d #2 [ffffaad04005fb00] schedulehrtimeoutrangeclock at ffffffff8b32cebc #3 [ffffaad04005fb80] usleeprangestate at ffffffff8b32c930 #4 [ffffaad04005fbb0] iavfremove at ffffffffc12b9b4c [iavf] #5 [ffffaad04005fbf0] pcideviceremove at ffffffff8add7513 #6 [ffffaad04005fc10] devicereleasedriverinternal at ffffffff8af08baa #7 [ffffaad04005fc40] pcistopbusdevice at ffffffff8adcc5fc #8 [ffffaad04005fc60] pcistopandremovebusdevice at ffffffff8adcc81e #9 [ffffaad04005fc70] pciiovremovevirtfn at ffffffff8adf9429 #10 [ffffaad04005fca8] sriovdisable at ffffffff8adf98e4 #11 [ffffaad04005fcc8] icefreevfs at ffffffffc04bb2c8 [ice] #12 [ffffaad04005fd10] iceremove at ffffffffc04778fe [ice] #13 [ffffaad04005fd38] iceshutdown at ffffffffc0477946 [ice] #14 [ffffaad04005fd50] pcideviceshutdown at ffffffff8add58f1 #15 [ffffaad04005fd70] deviceshutdown at ffffffff8af05386 #16 [ffffaad04005fd98] kernelrestart at ffffffff8a92a870 #17 [ffffaad04005fda8] _dosysreboot at ffffffff8a92abd6 #18 [ffffaad04005fee0] dosyscall64 at ffffffff8b317159 #19 [ffffaad04005ff08] _contexttrackingenter at ffffffff8b31b6fc #20 [ffffaad04005ff18] syscallexittousermode at ffffffff8b31b50d #21 [ffffaad04005ff28] dosyscall64 at ffffffff8b317169 #22 [ffffaad04005ff50] entrySYSCALL64afterhwframe at ffffffff8b40009b RIP: 00007f1baa5c13d7 RSP: 00007fffbcc55a98 RFLAGS: 00000202 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1baa5c13d7 RDX: 0000000001234567 RSI: 0000000028121969 RDI: 00000000fee1dead RBP: 00007fffbcc55ca0 R8: 0000000000000000 R9: 00007fffbcc54e90 R10: 00007fffbcc55050 R11: 0000000000000202 R12: 0000000000000005 R13: 0000000000000000 R14: 00007fffbcc55af0 R15: 0000000000000000 ORIGRAX: 00000000000000a9 CS: 0033 SS: 002b
During reboot all drivers PM shutdown callbacks are invoked. In iavfshutdown() the adapter state is changed to _IAVFREMOVE. In iceshutdown() the call chain above is executed, which at some point calls iavfremove(). However iavfremove() expects the VF to be in one of the states _IAVFRUNNING, _IAVFDOWN or _IAVFINITFAILED. If that's not the case it sleeps forever. So if iavfshutdown() gets invoked before iavfremove() the system will hang indefinitely because the adapter is already in state _IAVF_REMOVE.
Fix this by returning from iavfremove() if the state is _IAVFREMOVE, as we already went through iavfshutdown().
{ "vanir_signatures": [ { "signature_version": "v1", "deprecated": false, "id": "CVE-2023-53064-1b41c9eb", "digest": { "length": 2865.0, "function_hash": "271930362470908531350425559640027343510" }, "target": { "function": "iavf_remove", "file": "drivers/net/ethernet/intel/iavf/iavf_main.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f752ace58867de3c063512b21e0f1694fc27f043" }, { "signature_version": "v1", "deprecated": false, "id": "CVE-2023-53064-298a7347", "digest": { "threshold": 0.9, "line_hashes": [ "200003490695781147513708114220678234065", "142451805671380650930626626469866326614", "24335390975661489680167024978098226045", "175907784420016253627397876501113174111" ] }, "target": { "file": "drivers/net/ethernet/intel/iavf/iavf_main.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f752ace58867de3c063512b21e0f1694fc27f043" }, { "signature_version": "v1", "deprecated": false, "id": "CVE-2023-53064-31fd3813", "digest": { "length": 2844.0, "function_hash": "29013499237389949145995501353107008590" }, "target": { "function": "iavf_remove", "file": "drivers/net/ethernet/intel/iavf/iavf_main.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4e264be98b88a6d6f476c11087fe865696e8bef5" }, { "signature_version": "v1", "deprecated": false, "id": "CVE-2023-53064-5de37cb8", "digest": { "length": 2838.0, "function_hash": "130285462068393114627201600767090617737" }, "target": { "function": "iavf_remove", "file": "drivers/net/ethernet/intel/iavf/iavf_main.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7a29799fc141ba9e6cf921fc8e958e3398ad1a4f" }, { "signature_version": "v1", "deprecated": false, "id": "CVE-2023-53064-9a953ba0", "digest": { "threshold": 0.9, "line_hashes": [ "200003490695781147513708114220678234065", "142451805671380650930626626469866326614", "24335390975661489680167024978098226045", "175907784420016253627397876501113174111" ] }, "target": { "file": "drivers/net/ethernet/intel/iavf/iavf_main.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7a29799fc141ba9e6cf921fc8e958e3398ad1a4f" }, { "signature_version": "v1", "deprecated": false, "id": "CVE-2023-53064-be91d4b3", "digest": { "threshold": 0.9, "line_hashes": [ "200003490695781147513708114220678234065", "142451805671380650930626626469866326614", "24335390975661489680167024978098226045", "175907784420016253627397876501113174111" ] }, "target": { "file": "drivers/net/ethernet/intel/iavf/iavf_main.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4e264be98b88a6d6f476c11087fe865696e8bef5" }, { "signature_version": "v1", "deprecated": false, "id": "CVE-2023-53064-beba015e", "digest": { "threshold": 0.9, "line_hashes": [ "200003490695781147513708114220678234065", "142451805671380650930626626469866326614", "24335390975661489680167024978098226045", "175907784420016253627397876501113174111" ] }, "target": { "file": "drivers/net/ethernet/intel/iavf/iavf_main.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@502b898235f06130750c91512c86dd0e9efe28e6" }, { "signature_version": "v1", "deprecated": false, "id": "CVE-2023-53064-c459e9e2", "digest": { "length": 2863.0, "function_hash": "240667796873590479506365673737430015944" }, "target": { "function": "iavf_remove", "file": "drivers/net/ethernet/intel/iavf/iavf_main.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@502b898235f06130750c91512c86dd0e9efe28e6" } ] }