{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49605","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T02:21:30.416Z","datePublished":"2025-02-26T02:23:30.873Z","dateUpdated":"2025-05-04T08:41:38.201Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:41:38.201Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nigc: Reinstate IGC_REMOVED logic and implement it properly\n\nThe initially merged version of the igc driver code (via commit\n146740f9abc4, \"igc: Add support for PF\") contained the following\nIGC_REMOVED checks in the igc_rd32/wr32() MMIO accessors:\n\n\tu32 igc_rd32(struct igc_hw *hw, u32 reg)\n\t{\n\t\tu8 __iomem *hw_addr = READ_ONCE(hw->hw_addr);\n\t\tu32 value = 0;\n\n\t\tif (IGC_REMOVED(hw_addr))\n\t\t\treturn ~value;\n\n\t\tvalue = readl(&hw_addr[reg]);\n\n\t\t/* reads should not return all F's */\n\t\tif (!(~value) && (!reg || !(~readl(hw_addr))))\n\t\t\thw->hw_addr = NULL;\n\n\t\treturn value;\n\t}\n\nAnd:\n\n\t#define wr32(reg, val) \\\n\tdo { \\\n\t\tu8 __iomem *hw_addr = READ_ONCE((hw)->hw_addr); \\\n\t\tif (!IGC_REMOVED(hw_addr)) \\\n\t\t\twritel((val), &hw_addr[(reg)]); \\\n\t} while (0)\n\nE.g. igb has similar checks in its MMIO accessors, and has a similar\nmacro E1000_REMOVED, which is implemented as follows:\n\n\t#define E1000_REMOVED(h) unlikely(!(h))\n\nThese checks serve to detect and take note of an 0xffffffff MMIO read\nreturn from the device, which can be caused by a PCIe link flap or some\nother kind of PCI bus error, and to avoid performing MMIO reads and\nwrites from that point onwards.\n\nHowever, the IGC_REMOVED macro was not originally implemented:\n\n\t#ifndef IGC_REMOVED\n\t#define IGC_REMOVED(a) (0)\n\t#endif /* IGC_REMOVED */\n\nThis led to the IGC_REMOVED logic to be removed entirely in a\nsubsequent commit (commit 3c215fb18e70, \"igc: remove IGC_REMOVED\nfunction\"), with the rationale that such checks matter only for\nvirtualization and that igc does not support virtualization -- but a\nPCIe device can become detached even without virtualization being in\nuse, and without proper checks, a PCIe bus error affecting an igc\nadapter will lead to various NULL pointer dereferences, as the first\naccess after the error will set hw->hw_addr to NULL, and subsequent\naccesses will blindly dereference this now-NULL pointer.\n\nThis patch reinstates the IGC_REMOVED checks in igc_rd32/wr32(), and\nimplements IGC_REMOVED the way it is done for igb, by checking for the\nunlikely() case of hw_addr being NULL.  This change prevents the oopses\nseen when a PCIe link flap occurs on an igc adapter."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/igc/igc_main.c","drivers/net/ethernet/intel/igc/igc_regs.h"],"versions":[{"version":"146740f9abc4976e4f0af1aa302efee1c699d2e4","lessThan":"16cb6717f4f42487ef10583eb8bc98e7d1e33d65","status":"affected","versionType":"git"},{"version":"146740f9abc4976e4f0af1aa302efee1c699d2e4","lessThan":"77836dbe35382aaf8108489060c5c89530c77494","status":"affected","versionType":"git"},{"version":"146740f9abc4976e4f0af1aa302efee1c699d2e4","lessThan":"e75b73081f1ec169518773626c2ff3950476660b","status":"affected","versionType":"git"},{"version":"146740f9abc4976e4f0af1aa302efee1c699d2e4","lessThan":"70965b6e5c03aa70cc754af1226b9f9cde0c4bf3","status":"affected","versionType":"git"},{"version":"146740f9abc4976e4f0af1aa302efee1c699d2e4","lessThan":"7c1ddcee5311f3315096217881d2dbe47cc683f9","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/igc/igc_main.c","drivers/net/ethernet/intel/igc/igc_regs.h"],"versions":[{"version":"4.20","status":"affected"},{"version":"0","lessThan":"4.20","status":"unaffected","versionType":"semver"},{"version":"5.4.208","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.134","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.58","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.18.15","lessThanOrEqual":"5.18.*","status":"unaffected","versionType":"semver"},{"version":"5.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.4.208"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.10.134"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.15.58"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.18.15"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/16cb6717f4f42487ef10583eb8bc98e7d1e33d65"},{"url":"https://git.kernel.org/stable/c/77836dbe35382aaf8108489060c5c89530c77494"},{"url":"https://git.kernel.org/stable/c/e75b73081f1ec169518773626c2ff3950476660b"},{"url":"https://git.kernel.org/stable/c/70965b6e5c03aa70cc754af1226b9f9cde0c4bf3"},{"url":"https://git.kernel.org/stable/c/7c1ddcee5311f3315096217881d2dbe47cc683f9"}],"title":"igc: Reinstate IGC_REMOVED logic and implement it properly","x_generator":{"engine":"bippy-1.2.0"}}}}