CVE-2022-49605

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 26/02/2025
Last modified: 23/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

igc: Reinstate IGC_REMOVED logic and implement it properly

The initially merged version of the igc driver code (via commit
146740f9abc4, "igc: Add support for PF") contained the following
IGC_REMOVED checks in the igc_rd32/wr32() MMIO accessors:

    u32 igc_rd32(struct igc_hw *hw, u32 reg)
    {
        u8 __iomem *hw_addr = READ_ONCE(hw->hw_addr);
        u32 value = 0;

        if (IGC_REMOVED(hw_addr))
            return ~value;

        value = readl(&hw_addr[reg]);

        /* reads should not return all F's */
        if (!(~value) && (!reg || !(~readl(hw_addr))))
            hw->hw_addr = NULL;

        return value;
    }

And:

    #define wr32(reg, val) \
    do { \
        u8 __iomem *hw_addr = READ_ONCE((hw)->hw_addr); \
        if (!IGC_REMOVED(hw_addr)) \
            writel((val), &hw_addr[(reg)]); \
    } while (0)

E.g. igb has similar checks in its MMIO accessors, and has a similar
macro E1000_REMOVED, which is implemented as follows:

    #define E1000_REMOVED(h) unlikely(!(h))

These checks serve to detect and take note of an 0xffffffff MMIO read
return from the device, which can be caused by a PCIe link flap or some
other kind of PCI bus error, and to avoid performing MMIO reads and
writes from that point onwards.

However, the IGC_REMOVED macro was not originally implemented:

    #ifndef IGC_REMOVED
    #define IGC_REMOVED(a) (0)
    #endif /* IGC_REMOVED */

This led to the IGC_REMOVED logic being removed entirely in a
subsequent commit (commit 3c215fb18e70, "igc: remove IGC_REMOVED
function"), with the rationale that such checks matter only for
virtualization and that igc does not support virtualization -- but a
PCIe device can become detached even without virtualization being in
use, and without proper checks, a PCIe bus error affecting an igc
adapter will lead to various NULL pointer dereferences, as the first
access after the error will set hw->hw_addr to NULL, and subsequent
accesses will blindly dereference this now-NULL pointer.

This patch reinstates the IGC_REMOVED checks in igc_rd32/wr32(), and
implements IGC_REMOVED the way it is done for igb, by checking for the
unlikely() case of hw_addr being NULL. This change prevents the oopses
seen when a PCIe link flap occurs on an igc adapter.
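The following userspace model illustrates the failure mode and the fix described above. It is an added example, not the kernel's igc code and not part of the CVE record: readl()/writel()/READ_ONCE() are replaced by helpers over a constructed in-memory BAR, a global flag stands in for the PCIe link flap, the register offsets and contents are constructed (not real igc registers), and the NULL dereference the pre-fix accessor would take is counted in a variable instead of crashing the process. It also shows the subtlety of the all-F's check: a register that legitimately reads 0xffffffff does not mark the device as removed because register 0 is re-read first.

```c
/* Userspace model of the igc_rd32()/wr32() "removed device" logic from the
 * commit message. Added example, not kernel code: readl()/writel()/READ_ONCE()
 * are replaced by helpers over a constructed in-memory BAR, and the NULL
 * dereference the unfixed driver would take is counted instead of crashing. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define BAR_BYTES 256          /* constructed MMIO window size */
#define REG_OTHER 0x08         /* constructed register offsets, not real igc ones */
#define REG_ONES  0x10         /* a register whose legitimate value is 0xffffffff */

struct igc_hw { uint8_t *hw_addr; };   /* NULL once the device is considered removed */

static uint8_t  sim_bar[BAR_BYTES];    /* simulated BAR contents */
static bool     sim_link_down;         /* simulated PCIe link flap / bus error */
static unsigned sim_oopses;            /* NULL dereferences the kernel would have taken */

/* After a link flap every MMIO read returns all F's and writes are dropped. */
static uint32_t sim_readl(const uint8_t *addr) {
    uint32_t v;
    if (sim_link_down) return 0xffffffffu;
    memcpy(&v, addr, sizeof v);
    return v;
}
static void sim_writel(uint32_t val, uint8_t *addr) {
    if (!sim_link_down) memcpy(addr, &val, sizeof val);
}

/* The fix: "removed" means hw_addr has already been cleared (igb's E1000_REMOVED). */
#define IGC_REMOVED(h) (!(h))

uint32_t igc_rd32(struct igc_hw *hw, uint32_t reg) {
    uint8_t *hw_addr = hw->hw_addr;    /* READ_ONCE() in the kernel */
    uint32_t value = 0;
    if (IGC_REMOVED(hw_addr))
        return ~value;                  /* device gone: answer all F's, touch nothing */
    value = sim_readl(&hw_addr[reg]);
    /* All F's from a non-zero register only means "device gone" if register 0
     * reads all F's too; otherwise it is a legitimate register value. */
    if (!(~value) && (!reg || !(~sim_readl(hw_addr))))
        hw->hw_addr = NULL;
    return value;
}

void igc_wr32(struct igc_hw *hw, uint32_t reg, uint32_t val) {
    uint8_t *hw_addr = hw->hw_addr;
    if (!IGC_REMOVED(hw_addr))          /* never index a cleared hw_addr */
        sim_writel(val, &hw_addr[reg]);
}

/* Pre-fix accessor: IGC_REMOVED(a) expanded to (0), so nothing stops it from
 * indexing hw_addr after an earlier all-F's read has set it to NULL. */
uint32_t igc_rd32_unchecked(struct igc_hw *hw, uint32_t reg) {
    uint8_t *hw_addr = hw->hw_addr;
    uint32_t value;
    if (!hw_addr) {                     /* kernel: readl(NULL + reg) -> oops */
        sim_oopses++;
        return 0xffffffffu;
    }
    value = sim_readl(&hw_addr[reg]);
    if (!(~value) && (!reg || !(~sim_readl(hw_addr))))
        hw->hw_addr = NULL;
    return value;
}

typedef uint32_t (*rd32_fn)(struct igc_hw *, uint32_t);

struct flap_result {
    uint32_t before, first_after, second_after;
    bool detached;                      /* accessor cleared hw_addr */
    unsigned oopses;                    /* NULL dereferences recorded */
};

static void sim_reset(void) {
    uint32_t ctrl = 0x04000000u, ones = 0xffffffffu;   /* constructed register contents */
    memset(sim_bar, 0, sizeof sim_bar);
    memcpy(&sim_bar[REG_OTHER], &ctrl, sizeof ctrl);
    memcpy(&sim_bar[REG_ONES], &ones, sizeof ones);
    sim_link_down = false;
    sim_oopses = 0;
}

/* Read a register, flap the link, then read twice more through the given accessor. */
struct flap_result run_link_flap(rd32_fn rd) {
    struct igc_hw hw = { sim_bar };
    struct flap_result r = {0};
    sim_reset();
    r.before = rd(&hw, REG_OTHER);
    sim_link_down = true;                  /* PCIe link flap: device answers all F's */
    r.first_after = rd(&hw, REG_OTHER);    /* accessor notices and clears hw_addr */
    r.second_after = rd(&hw, REG_OTHER);   /* fixed: ~0 safely; unfixed: NULL deref */
    r.detached = (hw.hw_addr == NULL);
    r.oopses = sim_oopses;
    return r;
}

/* A register that legitimately holds 0xffffffff must not mark the device removed. */
bool legit_all_ones_keeps_device(void) {
    struct igc_hw hw = { sim_bar };
    sim_reset();
    return igc_rd32(&hw, REG_ONES) == 0xffffffffu && hw.hw_addr != NULL;
}
```

Running `run_link_flap()` with both accessors shows the same all-F's read detaching the device in each case; only the unchecked variant then records a NULL dereference on the next access, which is the oops the patch prevents. The fixed `igc_wr32()` likewise skips the write instead of indexing the cleared pointer.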

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.208 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.134 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.58 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.18.15 (excluding)
cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.19:rc5:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.19:rc6:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.19:rc7:*:*:*:*:*:* | - | -