CVE-2022-48840

iavf: Fix hang during reboot/shutdown

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: iavf: Fix hang during reboot/shutdown Recent commit 974578017fc1 ("iavf: Add waiting so the port is
initialized in remove") adds a wait-loop at the beginning of
iavf_remove() to ensure that port initialization is finished
prior unregistering net device. This causes a regression
in reboot/shutdown scenario because in this case callback
iavf_shutdown() is called and this callback detaches the device,
makes it down if it is running and sets its state to __IAVF_REMOVE.
Later shutdown callback of associated PF driver (e.g. ice_shutdown)
is called. That callback calls among other things sriov_disable()
that calls indirectly iavf_remove() (see stack trace below).
As the adapter state is already __IAVF_REMOVE then the mentioned
loop is end-less and shutdown process hangs. The patch fixes this by checking adapter's state at the beginning
of iavf_remove() and skips the rest of the function if the adapter
is already in remove state (shutdown is in progress). Reproducer:
1. Create VF on PF driven by ice or i40e driver
2. Ensure that the VF is bound to iavf driver
3. Reboot [52625.981294] sysrq: SysRq : Show Blocked State
[52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2
[52625.996732] Call Trace:
[52625.999187] __schedule+0x2d1/0x830
[52626.007400] schedule+0x35/0xa0
[52626.010545] schedule_hrtimeout_range_clock+0x83/0x100
[52626.020046] usleep_range+0x5b/0x80
[52626.023540] iavf_remove+0x63/0x5b0 [iavf]
[52626.027645] pci_device_remove+0x3b/0xc0
[52626.031572] device_release_driver_internal+0x103/0x1f0
[52626.036805] pci_stop_bus_device+0x72/0xa0
[52626.040904] pci_stop_and_remove_bus_device+0xe/0x20
[52626.045870] pci_iov_remove_virtfn+0xba/0x120
[52626.050232] sriov_disable+0x2f/0xe0
[52626.053813] ice_free_vfs+0x7c/0x340 [ice]
[52626.057946] ice_remove+0x220/0x240 [ice]
[52626.061967] ice_shutdown+0x16/0x50 [ice]
[52626.065987] pci_device_shutdown+0x34/0x60
[52626.070086] device_shutdown+0x165/0x1c5
[52626.074011] kernel_restart+0xe/0x30
[52626.077593] __do_sys_reboot+0x1d2/0x210
[52626.093815] do_syscall_64+0x5b/0x1a0
[52626.097483] entry_SYSCALL_64_after_hwframe+0x65/0xca

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: iavf: corrige el bloqueo durante el reinicio/apagado. El commit reciente 974578017fc1 ("iavf: agrega espera para que el puerto se inicialice en eliminar") agrega un bucle de espera al comienzo de iavf_remove() para garantizar que la inicialización del puerto finalice antes de cancelar el registro del dispositivo de red. Esto provoca una regresión en el escenario de reinicio/apagado porque en este caso se llama a la devolución de llamada iavf_shutdown() y esta devolución de llamada desconecta el dispositivo, lo desactiva si se está ejecutando y establece su estado en __IAVF_REMOVE. Posteriormente se llama a la devolución de llamada de apagado del controlador PF asociado (por ejemplo, ice_shutdown). Esa devolución de llamada llama, entre otras cosas, a sriov_disable() que llama indirectamente a iavf_remove() (consulte el seguimiento de la pila a continuación). Como el estado del adaptador ya es __IAVF_REMOVE, el bucle mencionado no tiene fin y el proceso de apagado se bloquea. El parche soluciona este problema verificando el estado del adaptador al comienzo de iavf_remove() y omite el resto de la función si el adaptador ya está en estado de eliminación (el apagado está en curso). Reproductor: 1. Cree VF en PF controlado por el controlador ice o i40e 2. Asegúrese de que el VF esté vinculado al controlador iavf 3. Reinicie [52625.981294] sysrq: SysRq: Mostrar estado bloqueado [52625.988377] tarea: estado de reinicio: pila D: 0 pid:17359 ppid: 1 f2 [52625.996732] Seguimiento de llamadas: [52625.999187] __schedule+0x2d1/0x830 [52626.007400] Schedule+0x35/0xa0 [52626.010545] Schedule_hrtimeout_range_clock+0x83/0x100 2626.020046] usleep_range+0x5b/0x80 [52626.023540] iavf_remove+ 0x63/0x5b0 [iavf] [52626.027645] pci_device_remove+0x3b/0xc0 [52626.031572] device_release_driver_internal+0x103/0x1f0 [52626.036805] pci_stop_bus_device+0x72/0xa0 [52626. 040904] pci_stop_and_remove_bus_device+0xe/0x20 [52626.045870] pci_iov_remove_virtfn+0xba/0x120 [52626.050232] sriov_disable +0x2f/0xe0 [52626.053813] ice_free_vfs+0x7c/0x340 [hielo] [52626.057946] ice_remove+0x220/0x240 [hielo] [52626.061967] ice_shutdown+0x16/0x50 [52626.06598 7] pci_device_shutdown+0x34/0x60 [52626.070086] dispositivo_shutdown+ 0x165/0x1c5 [52626.074011] kernel_restart+0xe/0x30 [52626.077593] __do_sys_reboot+0x1d2/0x210 [52626.093815] do_syscall_64+0x5b/0x1a0 [52626.097483] entrada_SYSCALL_64_after_hwframe+0x65/0xca

In the Linux kernel, the following vulnerability has been resolved: iavf: Fix hang during reboot/shutdown Recent commit 974578017fc1 ("iavf: Add waiting so the port is initialized in remove") adds a wait-loop at the beginning of iavf_remove() to ensure that port initialization is finished prior unregistering net device. This causes a regression in reboot/shutdown scenario because in this case callback iavf_shutdown() is called and this callback detaches the device, makes it down if it is running and sets its state to __IAVF_REMOVE. Later shutdown callback of associated PF driver (e.g. ice_shutdown) is called. That callback calls among other things sriov_disable() that calls indirectly iavf_remove() (see stack trace below). As the adapter state is already __IAVF_REMOVE then the mentioned loop is end-less and shutdown process hangs. The patch fixes this by checking adapter's state at the beginning of iavf_remove() and skips the rest of the function if the adapter is already in remove state (shutdown is in progress). Reproducer: 1. Create VF on PF driven by ice or i40e driver 2. Ensure that the VF is bound to iavf driver 3. Reboot [52625.981294] sysrq: SysRq : Show Blocked State [52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2 [52625.996732] Call Trace: [52625.999187] __schedule+0x2d1/0x830 [52626.007400] schedule+0x35/0xa0 [52626.010545] schedule_hrtimeout_range_clock+0x83/0x100 [52626.020046] usleep_range+0x5b/0x80 [52626.023540] iavf_remove+0x63/0x5b0 [iavf] [52626.027645] pci_device_remove+0x3b/0xc0 [52626.031572] device_release_driver_internal+0x103/0x1f0 [52626.036805] pci_stop_bus_device+0x72/0xa0 [52626.040904] pci_stop_and_remove_bus_device+0xe/0x20 [52626.045870] pci_iov_remove_virtfn+0xba/0x120 [52626.050232] sriov_disable+0x2f/0xe0 [52626.053813] ice_free_vfs+0x7c/0x340 [ice] [52626.057946] ice_remove+0x220/0x240 [ice] [52626.061967] ice_shutdown+0x16/0x50 [ice] [52626.065987] pci_device_shutdown+0x34/0x60 [52626.070086] device_shutdown+0x165/0x1c5 [52626.074011] kernel_restart+0xe/0x30 [52626.077593] __do_sys_reboot+0x1d2/0x210 [52626.093815] do_syscall_64+0x5b/0x1a0 [52626.097483] entry_SYSCALL_64_after_hwframe+0x65/0xca

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-07-16 CVE Reserved
2024-07-16 CVE Published
2024-12-19 CVE Updated
2025-04-11 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (5)

URL	Tag	Source
https://git.kernel.org/stable/c/85aa76066fef64de8a48d0da6b4071ceac455a94	Vuln. Introduced
https://git.kernel.org/stable/c/7b9515172ab4d4c6ac0eae4b71013ee6ce932205	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/80974bb730270199c6fcb189af04d5945b87e813	2022-03-23
https://git.kernel.org/stable/c/4477b9a4193b35eb3a8afd2adf2d42add2f88d57	2022-03-23
https://git.kernel.org/stable/c/b04683ff8f0823b869c219c78ba0d974bddea0b5	2022-03-17

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.27 < 5.15.31 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.27 < 5.15.31"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.16.13 < 5.16.17 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.16.13 < 5.16.17"		en		Affected