PT-2025-8129 · Linux+3 · Linux Kernel+3

Vaishnavi Bhat · Published 2022-01-01 · Updated 2026-03-14 · CVE-2022-49201

CVSS v3.1: 4.7 (Medium)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)
Description

A race condition exists between the reset and transmit paths in the Linux kernel's ibmvnic driver. This can lead to a crash when the ibmvnic_xmit() function accesses a tx_scrq after it has been freed during a reset. The issue arises because the ibmvnic_xmit() function is not safe to call during a reset, and the reset path attempts to stop the queue to prevent this. However, an in-flight ibmvnic_complete_tx() call can restart the queue, allowing ibmvnic_xmit() to access the freed tx_scrq. To resolve this, a new flag tx_queues_active is introduced to indicate whether the queues are active, and only the open/reset paths control this flag. The ibmvnic_complete_tx() function checks this flag before restarting the queue.
Recommendations

To resolve the issue, apply the patch that introduces the tx_queues_active flag and modifies the ibmvnic_cleanup() and ibmvnic_open() functions to control this flag. Additionally, modify the ibmvnic_complete_tx() function to check the tx_queues_active flag before restarting the queue. Ensure that the lock used to protect the tx_queues_active flag is taken in the interrupt path to maintain consistency.
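The interleaving described above can be replayed deterministically in user space. The following is an added illustration, not code from the ibmvnic driver or its patch: the struct, the `check_flag` switch and the helper names are hypothetical stand-ins, and because the steps run in a fixed order on one thread, the lock that the real fix needs around the flag is not modelled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space model: names mirror the advisory, not driver code. */
struct adapter {
    int *tx_scrq;          /* stands in for the tx scrq; NULL once freed */
    bool queue_stopped;    /* models the netdev queue state */
    bool tx_queues_active; /* written only by the open/reset paths */
    bool check_flag;       /* false = pre-fix behaviour, true = patched */
};

/* Tx completion (interrupt path): may restart a stopped queue. */
static void complete_tx(struct adapter *a)
{
    if (a->check_flag && !a->tx_queues_active)
        return;                    /* reset in progress: do not wake */
    a->queue_stopped = false;
}

/* Transmit path; returns -1 if it reached a freed tx_scrq, else 0. */
static int xmit(struct adapter *a)
{
    if (a->queue_stopped)
        return 0;                  /* the stack does not call xmit here */
    if (!a->tx_scrq)
        return -1;                 /* the real driver would crash here */
    (*a->tx_scrq)++;
    return 0;
}

/* Replays the interleaving from the description, one step at a time. */
static int replay_reset_race(bool check_flag)
{
    struct adapter a = { calloc(1, sizeof(int)), false, true, check_flag };

    a.tx_queues_active = false;    /* reset: mark queues inactive */
    a.queue_stopped = true;        /* reset: stop the queue */
    complete_tx(&a);               /* in-flight completion arrives */
    free(a.tx_scrq);               /* reset: release the tx scrq */
    a.tx_scrq = NULL;
    return xmit(&a);               /* touches tx_scrq only if queue was woken */
}

int main(void)
{
    printf("unpatched=%d patched=%d\n", replay_reset_race(false), replay_reset_race(true));
    return 0;
}
```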

Exploit

Fix

NULL Pointer Dereference

Race Condition


Weakness Enumeration

Related Identifiers

CVE-2022-49201
OPENSUSE-SU-2025_1263-1
SUSE-SU-2025:0834-1
SUSE-SU-2025:1027-1
SUSE-SU-2025:1176-1
SUSE-SU-2025:1183-1
SUSE-SU-2025:1194-1
SUSE-SU-2025:1241-1
SUSE-SU-2025:1263-1
SUSE-SU-2025_0834-1
SUSE-SU-2025_1027-1
SUSE-SU-2025_1241-1
SUSE-SU-2025_1263-1

Affected Products

Astra Linux
Debian
Linux Kernel
SUSE