CVE-2023-53064

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iavf: fix hang on reboot with ice<br /> <br /> When a system with E810 with existing VFs gets rebooted the following<br /> hang may be observed.<br /> <br /> Pid 1 is hung in iavf_remove(), part of a network driver:<br /> PID: 1 TASK: ffff965400e5a340 CPU: 24 COMMAND: "systemd-shutdow"<br /> #0 [ffffaad04005fa50] __schedule at ffffffff8b3239cb<br /> #1 [ffffaad04005fae8] schedule at ffffffff8b323e2d<br /> #2 [ffffaad04005fb00] schedule_hrtimeout_range_clock at ffffffff8b32cebc<br /> #3 [ffffaad04005fb80] usleep_range_state at ffffffff8b32c930<br /> #4 [ffffaad04005fbb0] iavf_remove at ffffffffc12b9b4c [iavf]<br /> #5 [ffffaad04005fbf0] pci_device_remove at ffffffff8add7513<br /> #6 [ffffaad04005fc10] device_release_driver_internal at ffffffff8af08baa<br /> #7 [ffffaad04005fc40] pci_stop_bus_device at ffffffff8adcc5fc<br /> #8 [ffffaad04005fc60] pci_stop_and_remove_bus_device at ffffffff8adcc81e<br /> #9 [ffffaad04005fc70] pci_iov_remove_virtfn at ffffffff8adf9429<br /> #10 [ffffaad04005fca8] sriov_disable at ffffffff8adf98e4<br /> #11 [ffffaad04005fcc8] ice_free_vfs at ffffffffc04bb2c8 [ice]<br /> #12 [ffffaad04005fd10] ice_remove at ffffffffc04778fe [ice]<br /> #13 [ffffaad04005fd38] ice_shutdown at ffffffffc0477946 [ice]<br /> #14 [ffffaad04005fd50] pci_device_shutdown at ffffffff8add58f1<br /> #15 [ffffaad04005fd70] device_shutdown at ffffffff8af05386<br /> #16 [ffffaad04005fd98] kernel_restart at ffffffff8a92a870<br /> #17 [ffffaad04005fda8] __do_sys_reboot at ffffffff8a92abd6<br /> #18 [ffffaad04005fee0] do_syscall_64 at ffffffff8b317159<br /> #19 [ffffaad04005ff08] __context_tracking_enter at ffffffff8b31b6fc<br /> #20 [ffffaad04005ff18] syscall_exit_to_user_mode at ffffffff8b31b50d<br /> #21 [ffffaad04005ff28] do_syscall_64 at ffffffff8b317169<br /> #22 [ffffaad04005ff50] entry_SYSCALL_64_after_hwframe at ffffffff8b40009b<br /> RIP: 00007f1baa5c13d7 RSP: 00007fffbcc55a98 RFLAGS: 00000202<br /> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1baa5c13d7<br /> RDX: 0000000001234567 RSI: 0000000028121969 RDI: 00000000fee1dead<br /> RBP: 00007fffbcc55ca0 R8: 0000000000000000 R9: 00007fffbcc54e90<br /> R10: 00007fffbcc55050 R11: 0000000000000202 R12: 0000000000000005<br /> R13: 0000000000000000 R14: 00007fffbcc55af0 R15: 0000000000000000<br /> ORIG_RAX: 00000000000000a9 CS: 0033 SS: 002b<br /> <br /> During reboot all drivers PM shutdown callbacks are invoked.<br /> In iavf_shutdown() the adapter state is changed to __IAVF_REMOVE.<br /> In ice_shutdown() the call chain above is executed, which at some point<br /> calls iavf_remove(). However iavf_remove() expects the VF to be in one<br /> of the states __IAVF_RUNNING, __IAVF_DOWN or __IAVF_INIT_FAILED. If<br /> that&amp;#39;s not the case it sleeps forever.<br /> So if iavf_shutdown() gets invoked before iavf_remove() the system will<br /> hang indefinitely because the adapter is already in state __IAVF_REMOVE.<br /> <br /> Fix this by returning from iavf_remove() if the state is __IAVF_REMOVE,<br /> as we already went through iavf_shutdown().