CVE-2022-48941 (GCVE-0-2022-48941)

Vulnerability from cvelistv5 – Published: 2024-08-22 03:31 – Updated: 2025-06-19 12:39
VLAI?
Title
ice: fix concurrent reset and removal of VFs
Summary
In the Linux kernel, the following vulnerability has been resolved: ice: fix concurrent reset and removal of VFs Commit c503e63200c6 ("ice: Stop processing VF messages during teardown") introduced a driver state flag, ICE_VF_DEINIT_IN_PROGRESS, which is intended to prevent some issues with concurrently handling messages from VFs while tearing down the VFs. This change was motivated by crashes caused while tearing down and bringing up VFs in rapid succession. It turns out that the fix actually introduces issues with the VF driver caused because the PF no longer responds to any messages sent by the VF during its .remove routine. This results in the VF potentially removing its DMA memory before the PF has shut down the device queues. Additionally, the fix doesn't actually resolve concurrency issues within the ice driver. It is possible for a VF to initiate a reset just prior to the ice driver removing VFs. This can result in the remove task concurrently operating while the VF is being reset. This results in similar memory corruption and panics purportedly fixed by that commit. Fix this concurrency at its root by protecting both the reset and removal flows using the existing VF cfg_lock. This ensures that we cannot remove the VF while any outstanding critical tasks such as a virtchnl message or a reset are occurring. This locking change also fixes the root cause originally fixed by commit c503e63200c6 ("ice: Stop processing VF messages during teardown"), so we can simply revert it. Note that I kept these two changes together because simply reverting the original commit alone would leave the driver vulnerable to worse race conditions.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: c503e63200c679e362afca7aca9d3dc63a0f45ed , < 3c805fce07c9dbc47d8a9129c7c5458025951957 (git)
Affected: c503e63200c679e362afca7aca9d3dc63a0f45ed , < 2a3e61de89bab6696aa28b70030eb119968c5586 (git)
Affected: c503e63200c679e362afca7aca9d3dc63a0f45ed , < fadead80fe4c033b5e514fcbadd20b55c4494112 (git)
Affected: 8a08142433624fd1088bc8c13639408cf4e1707c (git)
Create a notification for this product.
    Linux Linux Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.26 , ≤ 5.15.* (semver)
Unaffected: 5.16.12 , ≤ 5.16.* (semver)
Unaffected: 5.17 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-48941",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:32:17.899011Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:32:59.101Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice.h",
            "drivers/net/ethernet/intel/ice/ice_main.c",
            "drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3c805fce07c9dbc47d8a9129c7c5458025951957",
              "status": "affected",
              "version": "c503e63200c679e362afca7aca9d3dc63a0f45ed",
              "versionType": "git"
            },
            {
              "lessThan": "2a3e61de89bab6696aa28b70030eb119968c5586",
              "status": "affected",
              "version": "c503e63200c679e362afca7aca9d3dc63a0f45ed",
              "versionType": "git"
            },
            {
              "lessThan": "fadead80fe4c033b5e514fcbadd20b55c4494112",
              "status": "affected",
              "version": "c503e63200c679e362afca7aca9d3dc63a0f45ed",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8a08142433624fd1088bc8c13639408cf4e1707c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice.h",
            "drivers/net/ethernet/intel/ice/ice_main.c",
            "drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.26",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16.12",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.13.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix concurrent reset and removal of VFs\n\nCommit c503e63200c6 (\"ice: Stop processing VF messages during teardown\")\nintroduced a driver state flag, ICE_VF_DEINIT_IN_PROGRESS, which is\nintended to prevent some issues with concurrently handling messages from\nVFs while tearing down the VFs.\n\nThis change was motivated by crashes caused while tearing down and\nbringing up VFs in rapid succession.\n\nIt turns out that the fix actually introduces issues with the VF driver\ncaused because the PF no longer responds to any messages sent by the VF\nduring its .remove routine. This results in the VF potentially removing\nits DMA memory before the PF has shut down the device queues.\n\nAdditionally, the fix doesn\u0027t actually resolve concurrency issues within\nthe ice driver. It is possible for a VF to initiate a reset just prior\nto the ice driver removing VFs. This can result in the remove task\nconcurrently operating while the VF is being reset. This results in\nsimilar memory corruption and panics purportedly fixed by that commit.\n\nFix this concurrency at its root by protecting both the reset and\nremoval flows using the existing VF cfg_lock. This ensures that we\ncannot remove the VF while any outstanding critical tasks such as a\nvirtchnl message or a reset are occurring.\n\nThis locking change also fixes the root cause originally fixed by commit\nc503e63200c6 (\"ice: Stop processing VF messages during teardown\"), so we\ncan simply revert it.\n\nNote that I kept these two changes together because simply reverting the\noriginal commit alone would leave the driver vulnerable to worse race\nconditions."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-19T12:39:05.898Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3c805fce07c9dbc47d8a9129c7c5458025951957"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a3e61de89bab6696aa28b70030eb119968c5586"
        },
        {
          "url": "https://git.kernel.org/stable/c/fadead80fe4c033b5e514fcbadd20b55c4494112"
        }
      ],
      "title": "ice: fix concurrent reset and removal of VFs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48941",
    "datePublished": "2024-08-22T03:31:37.120Z",
    "dateReserved": "2024-08-22T01:27:53.623Z",
    "dateUpdated": "2025-06-19T12:39:05.898Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-48941\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T15:32:17.899011Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:12.587Z\"}}], \"cna\": {\"title\": \"ice: fix concurrent reset and removal of VFs\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"c503e63200c679e362afca7aca9d3dc63a0f45ed\", \"lessThan\": \"3c805fce07c9dbc47d8a9129c7c5458025951957\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"c503e63200c679e362afca7aca9d3dc63a0f45ed\", \"lessThan\": \"2a3e61de89bab6696aa28b70030eb119968c5586\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"c503e63200c679e362afca7aca9d3dc63a0f45ed\", \"lessThan\": \"fadead80fe4c033b5e514fcbadd20b55c4494112\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"8a08142433624fd1088bc8c13639408cf4e1707c\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/net/ethernet/intel/ice/ice.h\", \"drivers/net/ethernet/intel/ice/ice_main.c\", \"drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.14\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.14\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.15.26\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"5.16.12\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.16.*\"}, {\"status\": \"unaffected\", \"version\": \"5.17\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/net/ethernet/intel/ice/ice.h\", \"drivers/net/ethernet/intel/ice/ice_main.c\", \"drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/3c805fce07c9dbc47d8a9129c7c5458025951957\"}, {\"url\": \"https://git.kernel.org/stable/c/2a3e61de89bab6696aa28b70030eb119968c5586\"}, {\"url\": \"https://git.kernel.org/stable/c/fadead80fe4c033b5e514fcbadd20b55c4494112\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: fix concurrent reset and removal of VFs\\n\\nCommit c503e63200c6 (\\\"ice: Stop processing VF messages during teardown\\\")\\nintroduced a driver state flag, ICE_VF_DEINIT_IN_PROGRESS, which is\\nintended to prevent some issues with concurrently handling messages from\\nVFs while tearing down the VFs.\\n\\nThis change was motivated by crashes caused while tearing down and\\nbringing up VFs in rapid succession.\\n\\nIt turns out that the fix actually introduces issues with the VF driver\\ncaused because the PF no longer responds to any messages sent by the VF\\nduring its .remove routine. This results in the VF potentially removing\\nits DMA memory before the PF has shut down the device queues.\\n\\nAdditionally, the fix doesn\u0027t actually resolve concurrency issues within\\nthe ice driver. It is possible for a VF to initiate a reset just prior\\nto the ice driver removing VFs. This can result in the remove task\\nconcurrently operating while the VF is being reset. This results in\\nsimilar memory corruption and panics purportedly fixed by that commit.\\n\\nFix this concurrency at its root by protecting both the reset and\\nremoval flows using the existing VF cfg_lock. This ensures that we\\ncannot remove the VF while any outstanding critical tasks such as a\\nvirtchnl message or a reset are occurring.\\n\\nThis locking change also fixes the root cause originally fixed by commit\\nc503e63200c6 (\\\"ice: Stop processing VF messages during teardown\\\"), so we\\ncan simply revert it.\\n\\nNote that I kept these two changes together because simply reverting the\\noriginal commit alone would leave the driver vulnerable to worse race\\nconditions.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.26\", \"versionStartIncluding\": \"5.14\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.16.12\", \"versionStartIncluding\": \"5.14\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.17\", \"versionStartIncluding\": \"5.14\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"5.13.12\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-06-19T12:39:05.898Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-48941\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-19T12:39:05.898Z\", \"dateReserved\": \"2024-08-22T01:27:53.623Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-08-22T03:31:37.120Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.