CVE-2022-48842

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48842
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48842.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48842
Related
Published
2024-07-16T13:15:11Z
Modified
2024-09-18T03:22:38.192479Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: Fix race condition during interface enslave

Commit 5dbbbd01cbba83 ("ice: Avoid RTNL lock when re-creating auxiliary device") changes a process of re-creation of aux device so ice_plug_aux_dev() is called from ice_service_task() context. This unfortunately opens a race window that can result in dead-lock when interface has left LAG and immediately enters LAG again.

Reproducer:

#!/bin/sh

ip link add lag0 type bond mode 1 miimon 100
ip link set lag0

for n in {1..10}; do
        echo Cycle: $n
        ip link set ens7f0 master lag0
        sleep 1
        ip link set ens7f0 nomaster
done

This results in:

[20976.208697] Workqueue: ice ice_service_task [ice]
[20976.213422] Call Trace:
[20976.215871] __schedule+0x2d1/0x830
[20976.219364] schedule+0x35/0xa0
[20976.222510] schedule_preempt_disabled+0xa/0x10
[20976.227043] __mutex_lock.isra.7+0x310/0x420
[20976.235071] enum_all_gids_of_dev_cb+0x1c/0x100 [ib_core]
[20976.251215] ib_enum_roce_netdev+0xa4/0xe0 [ib_core]
[20976.256192] ib_cache_setup_one+0x33/0xa0 [ib_core]
[20976.261079] ib_register_device+0x40d/0x580 [ib_core]
[20976.266139] irdma_ib_register_device+0x129/0x250 [irdma]
[20976.281409] irdma_probe+0x2c1/0x360 [irdma]
[20976.285691] auxiliary_bus_probe+0x45/0x70
[20976.289790] really_probe+0x1f2/0x480
[20976.298509] driver_probe_device+0x49/0xc0
[20976.302609] bus_for_each_drv+0x79/0xc0
[20976.306448] __device_attach+0xdc/0x160
[20976.310286] bus_probe_device+0x9d/0xb0
[20976.314128] device_add+0x43c/0x890
[20976.321287] __auxiliary_device_add+0x43/0x60
[20976.325644] ice_plug_aux_dev+0xb2/0x100 [ice]
[20976.330109] ice_service_task+0xd0c/0xed0 [ice]
[20976.342591] process_one_work+0x1a7/0x360
[20976.350536] worker_thread+0x30/0x390
[20976.358128] kthread+0x10a/0x120
[20976.365547] ret_from_fork+0x1f/0x40
...
[20976.438030] task:ip state:D stack: 0 pid:213658 ppid:213627 flags:0x00004084
[20976.446469] Call Trace:
[20976.448921] __schedule+0x2d1/0x830
[20976.452414] schedule+0x35/0xa0
[20976.455559] schedule_preempt_disabled+0xa/0x10
[20976.460090] __mutex_lock.isra.7+0x310/0x420
[20976.464364] device_del+0x36/0x3c0
[20976.467772] ice_unplug_aux_dev+0x1a/0x40 [ice]
[20976.472313] ice_lag_event_handler+0x2a2/0x520 [ice]
[20976.477288] notifier_call_chain+0x47/0x70
[20976.481386] __netdev_upper_dev_link+0x18b/0x280
[20976.489845] bond_enslave+0xe05/0x1790 [bonding]
[20976.494475] do_setlink+0x336/0xf50
[20976.502517] __rtnl_newlink+0x529/0x8b0
[20976.543441] rtnl_newlink+0x43/0x60
[20976.546934] rtnetlink_rcv_msg+0x2b1/0x360
[20976.559238] netlink_rcv_skb+0x4c/0x120
[20976.563079] netlink_unicast+0x196/0x230
[20976.567005] netlink_sendmsg+0x204/0x3d0
[20976.570930] sock_sendmsg+0x4c/0x50
[20976.574423] ____sys_sendmsg+0x1eb/0x250
[20976.586807] ___sys_sendmsg+0x7c/0xc0
[20976.606353] __sys_sendmsg+0x57/0xa0
[20976.609930] do_syscall_64+0x5b/0x1a0
[20976.613598] entry_SYSCALL_64_after_hwframe+0x65/0xca

  1. Command 'ip link ... set nomaster' causes that ice_plug_aux_dev() is called from ice_service_task() context, aux device is created and associated device->lock is taken.
  2. Command 'ip link ... set master...' calls ice's notifier under RTNL lock and that notifier calls ice_unplug_aux_dev(). That function tries to take aux device->lock but this is already taken by ice_plug_aux_dev() in step 1.
  3. Later ice_plug_aux_dev() tries to take RTNL lock but this is already taken in step 2.
  4. Dead-lock.

The patch fixes this issue by following changes:
  - Bit ICE_FLAG_PLUG_AUX_DEV is kept to be set during ice_plug_aux_dev() call in ice_service_task()
  - The bit is checked in ice_clear_rdma_cap() and only if it is not set then ice_unplug_aux_dev() is called. If it is set (in other words plugging of aux device was requested and ice_plug_aux_dev() is potentially running) then the function only clears the ---truncated---

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5
5.10.191-1
5.10.197-1
5.10.205-1
5.10.205-2
5.10.209-1
5.10.209-2
5.10.216-1
5.10.218-1
5.10.221-1
5.10.223-1
5.13.9-1~exp1
5.13.9-1~exp2
5.13.12-1~exp1
5.14-1~exp1
5.14-1~exp2
5.14.1-1~exp1
5.14.2-1~exp1
5.14.3-1~exp1
5.14.6-1
5.14.6-2
5.14.6-3
5.14.9-1
5.14.9-2~bpo11+1
5.14.9-2
5.14.12-1
5.14.16-1
5.15-1~exp1
5.15.1-1~exp1
5.15.2-1~exp1
5.15.3-1
5.15.5-1
5.15.5-2~bpo11+1
5.15.5-2
5.15.15-1
5.15.15-2~bpo11+1
5.15.15-2
5.16~rc1-1~exp1
5.16~rc3-1~exp1
5.16~rc4-1~exp1
5.16~rc5-1~exp1
5.16~rc6-1~exp1
5.16~rc7-1~exp1
5.16~rc8-1~exp1
5.16.3-1~exp1
5.16.4-1~exp1
5.16.7-1
5.16.7-2
5.16.10-1
5.16.11-1~bpo11+1
5.16.11-1
5.16.12-1~bpo11+1
5.16.12-1
5.16.14-1
5.16.18-1
5.17~rc3-1~exp1
5.17~rc4-1~exp1
5.17~rc5-1~exp1
5.17~rc6-1~exp1
5.17~rc7-1~exp1
5.17~rc8-1~exp1
5.17.1-1~exp1
5.17.3-1
5.17.6-1
5.17.11-1
5.18-1~exp1
5.18.2-1~bpo11+1
5.18.2-1
5.18.5-1
5.18.14-1~bpo11+1
5.18.14-1
5.18.16-1~bpo11+1
5.18.16-1
5.19~rc4-1~exp1
5.19~rc6-1~exp1
5.19-1~exp1
5.19.6-1
5.19.11-1~bpo11+1
5.19.11-1

6.*

6.0~rc7-1~exp1
6.0-1~exp1
6.0.2-1
6.0.3-1~bpo11+1
6.0.3-1
6.0.5-1
6.0.6-1
6.0.6-2
6.0.7-1
6.0.8-1
6.0.10-1
6.0.10-2
6.0.12-1~bpo11+1
6.0.12-1
6.0.12-1+alpha
6.1~rc3-1~exp1
6.1~rc5-1~exp1
6.1~rc6-1~exp1
6.1~rc7-1~exp1
6.1~rc8-1~exp1
6.1.1-1~exp1
6.1.1-1~exp2
6.1.2-1~exp1
6.1.4-1
6.1.7-1
6.1.8-1
6.1.8-1+sh4
6.1.11-1
6.1.12-1~bpo11+1
6.1.12-1
6.1.15-1~bpo11+1
6.1.15-1
6.1.20-1~bpo11+1
6.1.20-1
6.1.20-2~bpo11+1
6.1.20-2
6.1.25-1
6.1.27-1~bpo11+1
6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1
6.9.7-1
6.9.8-1
6.9.9-1
6.9.10-1~bpo12+1
6.9.10-1
6.9.11-1
6.9.12-1
6.10-1~exp1
6.10.1-1~exp1
6.10.3-1
6.10.4-1
6.10.6-1~bpo12+1
6.10.6-1
6.10.7-1
6.10.9-1
6.11~rc4-1~exp1
6.11~rc5-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.16.18-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.16.18-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}