In the Linux kernel, the following vulnerability has been resolved:
igc: Fix use-after-free error during reset
Clears the next descriptor to watch (next_to_watch) when cleaning the TX ring.
Failure to do so can cause invalid memory accesses. If igc_poll() runs while the controller is being reset, this can lead to the driver trying to free an skb that was already freed.
Log message:
[ 101.525242] refcount_t: underflow; use-after-free.
[ 101.525251] WARNING: CPU: 1 PID: 646 at lib/refcount.c:28 refcount_warn_saturate+0xab/0xf0
[ 101.525259] Modules linked in: sch_etf(E) sch_mqprio(E) rfkill(E) intel_rapl_msr(E) intel_rapl_common(E) x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) binfmt_misc(E) kvm_intel(E) kvm(E) irqbypass(E) crc32_pclmul(E) ghash_clmulni_intel(E) aesni_intel(E) mei_wdt(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_hdmi(E) rapl(E) intel_cstate(E) snd_hda_intel(E) snd_intel_dspcfg(E) sg(E) soundwire_intel(E) intel_uncore(E) at24(E) soundwire_generic_allocation(E) iTCO_wdt(E) soundwire_cadence(E) intel_pmc_bxt(E) serio_raw(E) snd_hda_codec(E) iTCO_vendor_support(E) watchdog(E) snd_hda_core(E) snd_hwdep(E) snd_soc_core(E) snd_compress(E) snd_pcsp(E) soundwire_bus(E) snd_pcm(E) evdev(E) snd_timer(E) mei_me(E) snd(E) soundcore(E) mei(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) i915(E) ahci(E) libahci(E) ehci_pci(E) igb(E) xhci_pci(E) ehci_hcd(E)
[ 101.525303] drm_kms_helper(E) dca(E) xhci_hcd(E) libata(E) crct10dif_pclmul(E) cec(E) crct10dif_common(E) tsn(E) igc(E) e1000e(E) ptp(E) i2c_i801(E) crc32c_intel(E) psmouse(E) i2c_algo_bit(E) i2c_smbus(E) scsi_mod(E) lpc_ich(E) pps_core(E) usbcore(E) drm(E) button(E) video(E)
[ 101.525318] CPU: 1 PID: 646 Comm: irq/37-enp7s0-T Tainted: G E 5.10.30-rt37-tsn1-rt-ipipe #ipipe
[ 101.525320] Hardware name: SIEMENS AG SIMATIC IPC427D/A5E31233588, BIOS V17.02.09 03/31/2017
[ 101.525322] RIP: 0010:refcount_warn_saturate+0xab/0xf0
[ 101.525325] Code: 05 31 48 44 01 01 e8 f0 c6 42 00 0f 0b c3 80 3d 1f 48 44 01 00 75 90 48 c7 c7 78 a8 f3 a6 c6 05 0f 48 44 01 01 e8 d1 c6 42 00 <0f> 0b c3 80 3d fe 47 44 01 00 0f 85 6d ff ff ff 48 c7 c7 d0 a8 f3
[ 101.525327] RSP: 0018:ffffbdedc0917cb8 EFLAGS: 00010286
[ 101.525329] RAX: 0000000000000000 RBX: ffff98fd6becbf40 RCX: 0000000000000001
[ 101.525330] RDX: 0000000000000001 RSI: ffffffffa6f2700c RDI: 00000000ffffffff
[ 101.525332] RBP: ffff98fd6becc14c R08: ffffffffa7463d00 R09: ffffbdedc0917c50
[ 101.525333] R10: ffffffffa74c3578 R11: 0000000000000034 R12: 00000000ffffff00
[ 101.525335] R13: ffff98fd6b0b1000 R14: 0000000000000039 R15: ffff98fd6be35c40
[ 101.525337] FS: 0000000000000000(0000) GS:ffff98fd6e240000(0000) knlGS:0000000000000000
[ 101.525339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 101.525341] CR2: 00007f34135a3a70 CR3: 0000000150210003 CR4: 00000000001706e0
[ 101.525343] Call Trace:
[ 101.525346] sock_wfree+0x9c/0xa0
[ 101.525353] unix_destruct_scm+0x7b/0xa0
[ 101.525358] skb_release_head_state+0x40/0x90
[ 101.525362] skb_release_all+0xe/0x30
[ 101.525364] napi_consume_skb+0x57/0x160
[ 101.525367] igc_poll+0xb7/0xc80 [igc]
[ 101.525376] ? sched_clock+0x5/0x10
[ 101.525381] ? sched_clock_cpu+0xe/0x100
[ 101.525385] net_rx_action+0x14c/0x410
[ 101.525388] __do_softirq+0xe9/0x2f4
[ 101.525391] __local_bh_enable_ip+0xe3/0x110
[ 101.525395] ? irq_finalize_oneshot.part.47+0xe0/0xe0
[ 101.525398] irq_forced_thread_fn+0x6a/0x80
[ 101.525401] irq_thread+0xe8/0x180
[ 101.525403] ? wake_threads_waitq+0x30/0x30
[ 101.525406] ? irq_thread_check_affinity+0xd0/0xd0
[ 101.525408] kthread+0x183/0x1a0
[ 101.525412] ? kthread_park+0x80/0x80
[ 101.525415] ret_from_fork+0x22/0x30