CVE-2022-48840

MEDIUM EPSS 14.4%
Published Jul 16, 20241y ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Jul 16, 2024 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: iavf: Fix hang during reboot/shutdown Recent commit 974578017fc1 ("iavf: Add waiting so the port is initialized in remove") adds a wait-loop at the beginning of iavf_remove() to ensure that port initialization is finished prior unregistering net device. This causes a regression in reboot/shutdown scenario because in this case callback iavf_shutdown() is called and this callback detaches the device, makes it down if it is running and sets its state to __IAVF_REMOVE. Later shutdown callback of associated PF driver (e.g. ice_shutdown) is called. That callback calls among other things sriov_disable() that calls indirectly iavf_remove() (see stack trace below). As the adapter state is already __IAVF_REMOVE then the mentioned loop is end-less and shutdown process hangs. The patch fixes this by checking adapter's state at the beginning of iavf_remove() and skips the rest of the function if the adapter is already in remove state (shutdown is in progress). Reproducer: 1. Create VF on PF driven by ice or i40e driver 2. Ensure that the VF is bound to iavf driver 3. Reboot [52625.981294] sysrq: SysRq : Show Blocked State [52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2 [52625.996732] Call Trace: [52625.999187] __schedule+0x2d1/0x830 [52626.007400] schedule+0x35/0xa0 [52626.010545] schedule_hrtimeout_range_clock+0x83/0x100 [52626.020046] usleep_range+0x5b/0x80 [52626.023540] iavf_remove+0x63/0x5b0 [iavf] [52626.027645] pci_device_remove+0x3b/0xc0 [52626.031572] device_release_driver_internal+0x103/0x1f0 [52626.036805] pci_stop_bus_device+0x72/0xa0 [52626.040904] pci_stop_and_remove_bus_device+0xe/0x20 [52626.045870] pci_iov_remove_virtfn+0xba/0x120 [52626.050232] sriov_disable+0x2f/0xe0 [52626.053813] ice_free_vfs+0x7c/0x340 [ice] [52626.057946] ice_remove+0x220/0x240 [ice] [52626.061967] ice_shutdown+0x16/0x50 [ice] [52626.065987] pci_device_shutdown+0x34/0x60 [52626.070086] device_shutdown+0x165/0x1c5 [52626.074011] kernel_restart+0xe/0x30 [52626.077593] __do_sys_reboot+0x1d2/0x210 [52626.093815] do_syscall_64+0x5b/0x1a0 [52626.097483] entry_SYSCALL_64_after_hwframe+0x65/0xca

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
14.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-835

Affected Products 2

VendorProductVersionRange
linuxlinux_kernel*≥5.15.27  –  <5.15.31
linuxlinux_kernel*≥5.16.13  –  <5.16.17

References 3

  • git.kernel.org https://git.kernel.org/stable/c/4477b9a4193b35eb3a8afd2adf2d42add2f88d57
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/80974bb730270199c6fcb189af04d5945b87e813
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/b04683ff8f0823b869c219c78ba0d974bddea0b5
    Mailing ListPatch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/4477b9a4193b35eb3a8afd2adf2d42add2f88d57
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/80974bb730270199c6fcb189af04d5945b87e813
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/b04683ff8f0823b869c219c78ba0d974bddea0b5
    Mailing ListPatch