CVE-2022-49063

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: arfs: fix use-after-free when freeing @rx_cpu_rmap<br /> <br /> The CI testing bots triggered the following splat:<br /> <br /> [ 718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80<br /> [ 718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834<br /> [ 718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S W IOE 5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1<br /> [ 718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020<br /> [ 718.223418] Call Trace:<br /> [ 718.227139]<br /> [ 718.230783] dump_stack_lvl+0x33/0x42<br /> [ 718.234431] print_address_description.constprop.9+0x21/0x170<br /> [ 718.238177] ? free_irq_cpu_rmap+0x53/0x80<br /> [ 718.241885] ? free_irq_cpu_rmap+0x53/0x80<br /> [ 718.245539] kasan_report.cold.18+0x7f/0x11b<br /> [ 718.249197] ? free_irq_cpu_rmap+0x53/0x80<br /> [ 718.252852] free_irq_cpu_rmap+0x53/0x80<br /> [ 718.256471] ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice]<br /> [ 718.260174] ice_remove_arfs+0x5f/0x70 [ice]<br /> [ 718.263810] ice_rebuild_arfs+0x3b/0x70 [ice]<br /> [ 718.267419] ice_rebuild+0x39c/0xb60 [ice]<br /> [ 718.270974] ? asm_sysvec_apic_timer_interrupt+0x12/0x20<br /> [ 718.274472] ? ice_init_phy_user_cfg+0x360/0x360 [ice]<br /> [ 718.278033] ? delay_tsc+0x4a/0xb0<br /> [ 718.281513] ? preempt_count_sub+0x14/0xc0<br /> [ 718.284984] ? delay_tsc+0x8f/0xb0<br /> [ 718.288463] ice_do_reset+0x92/0xf0 [ice]<br /> [ 718.292014] ice_pci_err_resume+0x91/0xf0 [ice]<br /> [ 718.295561] pci_reset_function+0x53/0x80<br /> <br /> [ 718.393035] Allocated by task 690:<br /> [ 718.433497] Freed by task 20834:<br /> [ 718.495688] Last potentially related work creation:<br /> [ 718.568966] The buggy address belongs to the object at ffff8881bd127e00<br /> which belongs to the cache kmalloc-96 of size 96<br /> [ 718.574085] The buggy address is located 0 bytes inside of<br /> 96-byte region [ffff8881bd127e00, ffff8881bd127e60)<br /> [ 718.579265] The buggy address belongs to the page:<br /> [ 718.598905] Memory state around the buggy address:<br /> [ 718.601809] ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc<br /> [ 718.604796] ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc<br /> [ 718.607794] &gt;ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc<br /> [ 718.610811] ^<br /> [ 718.613819] ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc<br /> [ 718.617107] ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc<br /> <br /> This is due to that free_irq_cpu_rmap() is always being called<br /> *after* (devm_)free_irq() and thus it tries to work with IRQ descs<br /> already freed. For example, on device reset the driver frees the<br /> rmap right before allocating a new one (the splat above).<br /> Make rmap creation and freeing function symmetrical with<br /> {request,free}_irq() calls i.e. do that on ifup/ifdown instead<br /> of device probe/remove/resume. These operations can be performed<br /> independently from the actual device aRFS configuration.<br /> Also, make sure ice_vsi_free_irq() clears IRQ affinity notifiers<br /> only when aRFS is disabled -- otherwise, CPU rmap sets and clears<br /> its own and they must not be touched manually.