CVE-2024-46765

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.52

Description The main threat to data consistency in ice xdp() is a possible asynchronous PF reset, which can be triggered by a user or by TX timeout handler. XDP setup and PF reset code access the same resources, and with an unfortunate timing, such accesses can result in a crash. The previous way of handling this through returning -EBUSY is not viable, particularly when destroying AF XDP socket. To resolve this issue, an xdp state lock mutex is added to protect ice vsi rebuild() and ice xdp().

Recommendations To resolve the issue, update the Linux kernel to version 6.6.52 or later. As a temporary workaround, consider disabling the ice vsi rebuild() function until a patch is available. Restrict access to the vulnerable ice xdp() function to minimize the risk of exploitation. Avoid using the ice vsi close() and ice vsi open() functions in conjunction with ice xdp() until the issue is resolved.