{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-48840","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-07-16T11:38:08.909Z","datePublished":"2024-07-16T12:25:11.173Z","dateUpdated":"2025-05-04T08:24:30.218Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:24:30.218Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix hang during reboot/shutdown\n\nRecent commit 974578017fc1 (\"iavf: Add waiting so the port is\ninitialized in remove\") adds a wait-loop at the beginning of\niavf_remove() to ensure that port initialization is finished\nprior unregistering net device. This causes a regression\nin reboot/shutdown scenario because in this case callback\niavf_shutdown() is called and this callback detaches the device,\nmakes it down if it is running and sets its state to __IAVF_REMOVE.\nLater shutdown callback of associated PF driver (e.g. ice_shutdown)\nis called. That callback calls among other things sriov_disable()\nthat calls indirectly iavf_remove() (see stack trace below).\nAs the adapter state is already __IAVF_REMOVE then the mentioned\nloop is end-less and shutdown process hangs.\n\nThe patch fixes this by checking adapter's state at the beginning\nof iavf_remove() and skips the rest of the function if the adapter\nis already in remove state (shutdown is in progress).\n\nReproducer:\n1. Create VF on PF driven by ice or i40e driver\n2. Ensure that the VF is bound to iavf driver\n3. Reboot\n\n[52625.981294] sysrq: SysRq : Show Blocked State\n[52625.988377] task:reboot          state:D stack:    0 pid:17359 ppid:     1 f2\n[52625.996732] Call Trace:\n[52625.999187]  __schedule+0x2d1/0x830\n[52626.007400]  schedule+0x35/0xa0\n[52626.010545]  schedule_hrtimeout_range_clock+0x83/0x100\n[52626.020046]  usleep_range+0x5b/0x80\n[52626.023540]  iavf_remove+0x63/0x5b0 [iavf]\n[52626.027645]  pci_device_remove+0x3b/0xc0\n[52626.031572]  device_release_driver_internal+0x103/0x1f0\n[52626.036805]  pci_stop_bus_device+0x72/0xa0\n[52626.040904]  pci_stop_and_remove_bus_device+0xe/0x20\n[52626.045870]  pci_iov_remove_virtfn+0xba/0x120\n[52626.050232]  sriov_disable+0x2f/0xe0\n[52626.053813]  ice_free_vfs+0x7c/0x340 [ice]\n[52626.057946]  ice_remove+0x220/0x240 [ice]\n[52626.061967]  ice_shutdown+0x16/0x50 [ice]\n[52626.065987]  pci_device_shutdown+0x34/0x60\n[52626.070086]  device_shutdown+0x165/0x1c5\n[52626.074011]  kernel_restart+0xe/0x30\n[52626.077593]  __do_sys_reboot+0x1d2/0x210\n[52626.093815]  do_syscall_64+0x5b/0x1a0\n[52626.097483]  entry_SYSCALL_64_after_hwframe+0x65/0xca"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/iavf/iavf_main.c"],"versions":[{"version":"85aa76066fef64de8a48d0da6b4071ceac455a94","lessThan":"80974bb730270199c6fcb189af04d5945b87e813","status":"affected","versionType":"git"},{"version":"7b9515172ab4d4c6ac0eae4b71013ee6ce932205","lessThan":"4477b9a4193b35eb3a8afd2adf2d42add2f88d57","status":"affected","versionType":"git"},{"version":"974578017fc1fdd06cea8afb9dfa32602e8529ed","lessThan":"b04683ff8f0823b869c219c78ba0d974bddea0b5","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/iavf/iavf_main.c"],"versions":[{"version":"5.15.27","lessThan":"5.15.31","status":"affected","versionType":"semver"},{"version":"5.16.13","lessThan":"5.16.17","status":"affected","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.27","versionEndExcluding":"5.15.31"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16.13","versionEndExcluding":"5.16.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/80974bb730270199c6fcb189af04d5945b87e813"},{"url":"https://git.kernel.org/stable/c/4477b9a4193b35eb3a8afd2adf2d42add2f88d57"},{"url":"https://git.kernel.org/stable/c/b04683ff8f0823b869c219c78ba0d974bddea0b5"}],"title":"iavf: Fix hang during reboot/shutdown","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T15:25:01.614Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/80974bb730270199c6fcb189af04d5945b87e813","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/4477b9a4193b35eb3a8afd2adf2d42add2f88d57","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/b04683ff8f0823b869c219c78ba0d974bddea0b5","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2022-48840","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T16:56:57.340202Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-11T17:34:09.921Z"}}]}}