| From bippy-1.1.0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@kernel.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2023-53064: iavf: fix hang on reboot with ice |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| iavf: fix hang on reboot with ice |
| |
| When a system with E810 with existing VFs gets rebooted the following |
| hang may be observed. |
| |
| Pid 1 is hung in iavf_remove(), part of a network driver: |
| PID: 1 TASK: ffff965400e5a340 CPU: 24 COMMAND: "systemd-shutdow" |
| #0 [ffffaad04005fa50] __schedule at ffffffff8b3239cb |
| #1 [ffffaad04005fae8] schedule at ffffffff8b323e2d |
| #2 [ffffaad04005fb00] schedule_hrtimeout_range_clock at ffffffff8b32cebc |
| #3 [ffffaad04005fb80] usleep_range_state at ffffffff8b32c930 |
| #4 [ffffaad04005fbb0] iavf_remove at ffffffffc12b9b4c [iavf] |
| #5 [ffffaad04005fbf0] pci_device_remove at ffffffff8add7513 |
| #6 [ffffaad04005fc10] device_release_driver_internal at ffffffff8af08baa |
| #7 [ffffaad04005fc40] pci_stop_bus_device at ffffffff8adcc5fc |
| #8 [ffffaad04005fc60] pci_stop_and_remove_bus_device at ffffffff8adcc81e |
| #9 [ffffaad04005fc70] pci_iov_remove_virtfn at ffffffff8adf9429 |
| #10 [ffffaad04005fca8] sriov_disable at ffffffff8adf98e4 |
| #11 [ffffaad04005fcc8] ice_free_vfs at ffffffffc04bb2c8 [ice] |
| #12 [ffffaad04005fd10] ice_remove at ffffffffc04778fe [ice] |
| #13 [ffffaad04005fd38] ice_shutdown at ffffffffc0477946 [ice] |
| #14 [ffffaad04005fd50] pci_device_shutdown at ffffffff8add58f1 |
| #15 [ffffaad04005fd70] device_shutdown at ffffffff8af05386 |
| #16 [ffffaad04005fd98] kernel_restart at ffffffff8a92a870 |
| #17 [ffffaad04005fda8] __do_sys_reboot at ffffffff8a92abd6 |
| #18 [ffffaad04005fee0] do_syscall_64 at ffffffff8b317159 |
| #19 [ffffaad04005ff08] __context_tracking_enter at ffffffff8b31b6fc |
| #20 [ffffaad04005ff18] syscall_exit_to_user_mode at ffffffff8b31b50d |
| #21 [ffffaad04005ff28] do_syscall_64 at ffffffff8b317169 |
| #22 [ffffaad04005ff50] entry_SYSCALL_64_after_hwframe at ffffffff8b40009b |
| RIP: 00007f1baa5c13d7 RSP: 00007fffbcc55a98 RFLAGS: 00000202 |
| RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1baa5c13d7 |
| RDX: 0000000001234567 RSI: 0000000028121969 RDI: 00000000fee1dead |
| RBP: 00007fffbcc55ca0 R8: 0000000000000000 R9: 00007fffbcc54e90 |
| R10: 00007fffbcc55050 R11: 0000000000000202 R12: 0000000000000005 |
| R13: 0000000000000000 R14: 00007fffbcc55af0 R15: 0000000000000000 |
| ORIG_RAX: 00000000000000a9 CS: 0033 SS: 002b |
| |
| During reboot all drivers PM shutdown callbacks are invoked. |
| In iavf_shutdown() the adapter state is changed to __IAVF_REMOVE. |
| In ice_shutdown() the call chain above is executed, which at some point |
| calls iavf_remove(). However iavf_remove() expects the VF to be in one |
| of the states __IAVF_RUNNING, __IAVF_DOWN or __IAVF_INIT_FAILED. If |
| that's not the case it sleeps forever. |
| So if iavf_shutdown() gets invoked before iavf_remove() the system will |
| hang indefinitely because the adapter is already in state __IAVF_REMOVE. |
| |
| Fix this by returning from iavf_remove() if the state is __IAVF_REMOVE, |
| as we already went through iavf_shutdown(). |
| |
| The Linux kernel CVE team has assigned CVE-2023-53064 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 5.15.27 with commit 85aa76066fef64de8a48d0da6b4071ceac455a94 and fixed in 5.15.105 with commit 7a29799fc141ba9e6cf921fc8e958e3398ad1a4f |
| Issue introduced in 5.17 with commit 974578017fc1fdd06cea8afb9dfa32602e8529ed and fixed in 6.1.22 with commit 502b898235f06130750c91512c86dd0e9efe28e6 |
| Issue introduced in 5.17 with commit 974578017fc1fdd06cea8afb9dfa32602e8529ed and fixed in 6.2.9 with commit f752ace58867de3c063512b21e0f1694fc27f043 |
| Issue introduced in 5.17 with commit 974578017fc1fdd06cea8afb9dfa32602e8529ed and fixed in 6.3 with commit 4e264be98b88a6d6f476c11087fe865696e8bef5 |
| Issue introduced in 5.16.13 with commit 7b9515172ab4d4c6ac0eae4b71013ee6ce932205 |
| Issue introduced in 5.15.81 with commit ecff08f3c469bfb25609df789f4149b10feec91c |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2023-53064 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/net/ethernet/intel/iavf/iavf_main.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/7a29799fc141ba9e6cf921fc8e958e3398ad1a4f |
| https://git.kernel.org/stable/c/502b898235f06130750c91512c86dd0e9efe28e6 |
| https://git.kernel.org/stable/c/f752ace58867de3c063512b21e0f1694fc27f043 |
| https://git.kernel.org/stable/c/4e264be98b88a6d6f476c11087fe865696e8bef5 |
