DEBIAN-CVE-2022-49063

In the Linux kernel, the following vulnerability has been resolved: ice: arfs: fix use-after-free when freeing @rxcpurmap The CI testing bots triggered the following splat: [ 718.203054] BUG: KASAN: use-after-free in freeirqcpurmap+0x53/0x80 [ 718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834 [ 718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S W IOE 5.17.0-rc8nextqueue-devqueue-02643-g23f3121aca93 #1 [ 718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020 [ 718.223418] Call Trace: [ 718.227139] [ 718.230783] dumpstacklvl+0x33/0x42 [ 718.234431] printaddressdescription.constprop.9+0x21/0x170 [ 718.238177] ? freeirqcpurmap+0x53/0x80 [ 718.241885] ? freeirqcpurmap+0x53/0x80 [ 718.245539] kasanreport.cold.18+0x7f/0x11b [ 718.249197] ? freeirqcpurmap+0x53/0x80 [ 718.252852] freeirqcpurmap+0x53/0x80 [ 718.256471] icefreecpurxrmap.part.11+0x37/0x50 [ice] [ 718.260174] iceremovearfs+0x5f/0x70 [ice] [ 718.263810] icerebuildarfs+0x3b/0x70 [ice] [ 718.267419] icerebuild+0x39c/0xb60 [ice] [ 718.270974] ? asmsysvecapictimerinterrupt+0x12/0x20 [ 718.274472] ? iceinitphyusercfg+0x360/0x360 [ice] [ 718.278033] ? delaytsc+0x4a/0xb0 [ 718.281513] ? preemptcountsub+0x14/0xc0 [ 718.284984] ? delaytsc+0x8f/0xb0 [ 718.288463] icedoreset+0x92/0xf0 [ice] [ 718.292014] icepcierrresume+0x91/0xf0 [ice] [ 718.295561] pciresetfunction+0x53/0x80 <...> [ 718.393035] Allocated by task 690: [ 718.433497] Freed by task 20834: [ 718.495688] Last potentially related work creation: [ 718.568966] The buggy address belongs to the object at ffff8881bd127e00 which belongs to the cache kmalloc-96 of size 96 [ 718.574085] The buggy address is located 0 bytes inside of 96-byte region [ffff8881bd127e00, ffff8881bd127e60) [ 718.579265] The buggy address belongs to the page: [ 718.598905] Memory state around the buggy address: [ 718.601809] ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 718.604796] ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc [ 718.607794] >ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 718.610811] ^ [ 718.613819] ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 718.617107] ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc This is due to that freeirqcpurmap() is always being called after (devm_)freeirq() and thus it tries to work with IRQ descs already freed. For example, on device reset the driver frees the rmap right before allocating a new one (the splat above). Make rmap creation and freeing function symmetrical with {request,free}irq() calls i.e. do that on ifup/ifdown instead of device probe/remove/resume. These operations can be performed independently from the actual device aRFS configuration. Also, make sure icevsifree_irq() clears IRQ affinity notifiers only when aRFS is disabled -- otherwise, CPU rmap sets and clears its own and they must not be touched manually.