In the Linux kernel, the following vulnerability has been resolved:
i40e: Fix freeing of uninitialized misc IRQ vector
When VSI set up failed in i40e_probe() as part of PF switch set up
driver was trying to free misc IRQ vectors in
i40e_clear_interrupt_scheme and produced a kernel Oops:
Trying to free already-free IRQ 266
WARNING: CPU: 0 PID: 5 at kernel/irq/manage.c:1731 __free_irq+0x9a/0x300
Workqueue: events work_for_cpu_fn
RIP: 0010:__free_irq+0x9a/0x300
Call Trace:
? synchronize_irq+0x3a/0xa0
free_irq+0x2e/0x60
i40e_clear_interrupt_scheme+0x53/0x190 [i40e]
i40e_probe.part.108+0x134b/0x1a40 [i40e]
? kmem_cache_alloc+0x158/0x1c0
? acpi_ut_update_ref_count.part.1+0x8e/0x345
? acpi_ut_update_object_reference+0x15e/0x1e2
? strstr+0x21/0x70
? irq_get_irq_data+0xa/0x20
? mp_check_pin_attr+0x13/0xc0
? irq_get_irq_data+0xa/0x20
? mp_map_pin_to_irq+0xd3/0x2f0
? acpi_register_gsi_ioapic+0x93/0x170
? pci_conf1_read+0xa4/0x100
? pci_bus_read_config_word+0x49/0x70
? do_pci_enable_device+0xcc/0x100
local_pci_probe+0x41/0x90
work_for_cpu_fn+0x16/0x20
process_one_work+0x1a7/0x360
worker_thread+0x1cf/0x390
? create_worker+0x1a0/0x1a0
kthread+0x112/0x130
? kthread_flush_work_fn+0x10/0x10
ret_from_fork+0x1f/0x40
The problem is that at that point misc IRQ vectors
were not allocated yet and we get a call trace
that driver is trying to free already free IRQ vectors.
Add a check in i40e_clear_interrupt_scheme for __I40E_MISC_IRQ_REQUESTED
PF state before calling i40e_free_misc_vector. This state is set only if
misc IRQ vectors were properly initialized.
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_main.c"
],
"versions": [
{
"version": "c17401a1dd21",
"lessThan": "60ad4cde0ad2",
"status": "affected",
"versionType": "git"
},
{
"version": "c17401a1dd21",
"lessThan": "17063cac4088",
"status": "affected",
"versionType": "git"
},
{
"version": "c17401a1dd21",
"lessThan": "97aeed72af4f",
"status": "affected",
"versionType": "git"
},
{
"version": "c17401a1dd21",
"lessThan": "75099439209d",
"status": "affected",
"versionType": "git"
},
{
"version": "c17401a1dd21",
"lessThan": "2e5a20573a92",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_main.c"
],
"versions": [
{
"version": "4.15",
"status": "affected"
},
{
"version": "0",
"lessThan": "4.15",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "4.19.211",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.4.153",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.10.73",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.14.12",
"lessThanOrEqual": "5.14.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.15",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]
git.kernel.org/stable/c/17063cac4088b8e2fc0f633abddca5426ed58312
git.kernel.org/stable/c/2e5a20573a926302b233b0c2e1077f5debc7ab2e
git.kernel.org/stable/c/60ad4cde0ad28921f9ea25b0201c774b95ffa4b4
git.kernel.org/stable/c/75099439209d3cda439a1d9b00d19a50f0066fef
git.kernel.org/stable/c/97aeed72af4f83ae51534f0a2473ff52f8d66236