ghsa-6hqq-r498-2prh
Vulnerability from github
Published
2025-10-23 12:31
Modified
2025-10-23 12:31
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

igc: Reinstate IGC_REMOVED logic and implement it properly

The initially merged version of the igc driver code (via commit 146740f9abc4, "igc: Add support for PF") contained the following IGC_REMOVED checks in the igc_rd32/wr32() MMIO accessors:

u32 igc_rd32(struct igc_hw *hw, u32 reg)
{
    u8 __iomem *hw_addr = READ_ONCE(hw->hw_addr);
    u32 value = 0;

    if (IGC_REMOVED(hw_addr))
        return ~value;

    value = readl(&hw_addr[reg]);

    /* reads should not return all F's */
    if (!(~value) && (!reg || !(~readl(hw_addr))))
        hw->hw_addr = NULL;

    return value;
}

And:

#define wr32(reg, val) \
do { \
    u8 __iomem *hw_addr = READ_ONCE((hw)->hw_addr); \
    if (!IGC_REMOVED(hw_addr)) \
        writel((val), &hw_addr[(reg)]); \
} while (0)

E.g. igb has similar checks in its MMIO accessors, and has a similar macro E1000_REMOVED, which is implemented as follows:

#define E1000_REMOVED(h) unlikely(!(h))

These checks serve to detect and take note of an 0xffffffff MMIO read return from the device, which can be caused by a PCIe link flap or some other kind of PCI bus error, and to avoid performing MMIO reads and writes from that point onwards.

However, the IGC_REMOVED macro was not originally implemented:

#ifndef IGC_REMOVED
#define IGC_REMOVED(a) (0)
#endif /* IGC_REMOVED */

This led to the IGC_REMOVED logic to be removed entirely in a subsequent commit (commit 3c215fb18e70, "igc: remove IGC_REMOVED function"), with the rationale that such checks matter only for virtualization and that igc does not support virtualization -- but a PCIe device can become detached even without virtualization being in use, and without proper checks, a PCIe bus error affecting an igc adapter will lead to various NULL pointer dereferences, as the first access after the error will set hw->hw_addr to NULL, and subsequent accesses will blindly dereference this now-NULL pointer.

This patch reinstates the IGC_REMOVED checks in igc_rd32/wr32(), and implements IGC_REMOVED the way it is done for igb, by checking for the unlikely() case of hw_addr being NULL. This change prevents the oopses seen when a PCIe link flap occurs on an igc adapter.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49605"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:36Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: Reinstate IGC_REMOVED logic and implement it properly\n\nThe initially merged version of the igc driver code (via commit\n146740f9abc4, \"igc: Add support for PF\") contained the following\nIGC_REMOVED checks in the igc_rd32/wr32() MMIO accessors:\n\n\tu32 igc_rd32(struct igc_hw *hw, u32 reg)\n\t{\n\t\tu8 __iomem *hw_addr = READ_ONCE(hw-\u003ehw_addr);\n\t\tu32 value = 0;\n\n\t\tif (IGC_REMOVED(hw_addr))\n\t\t\treturn ~value;\n\n\t\tvalue = readl(\u0026hw_addr[reg]);\n\n\t\t/* reads should not return all F\u0027s */\n\t\tif (!(~value) \u0026\u0026 (!reg || !(~readl(hw_addr))))\n\t\t\thw-\u003ehw_addr = NULL;\n\n\t\treturn value;\n\t}\n\nAnd:\n\n\t#define wr32(reg, val) \\\n\tdo { \\\n\t\tu8 __iomem *hw_addr = READ_ONCE((hw)-\u003ehw_addr); \\\n\t\tif (!IGC_REMOVED(hw_addr)) \\\n\t\t\twritel((val), \u0026hw_addr[(reg)]); \\\n\t} while (0)\n\nE.g. igb has similar checks in its MMIO accessors, and has a similar\nmacro E1000_REMOVED, which is implemented as follows:\n\n\t#define E1000_REMOVED(h) unlikely(!(h))\n\nThese checks serve to detect and take note of an 0xffffffff MMIO read\nreturn from the device, which can be caused by a PCIe link flap or some\nother kind of PCI bus error, and to avoid performing MMIO reads and\nwrites from that point onwards.\n\nHowever, the IGC_REMOVED macro was not originally implemented:\n\n\t#ifndef IGC_REMOVED\n\t#define IGC_REMOVED(a) (0)\n\t#endif /* IGC_REMOVED */\n\nThis led to the IGC_REMOVED logic to be removed entirely in a\nsubsequent commit (commit 3c215fb18e70, \"igc: remove IGC_REMOVED\nfunction\"), with the rationale that such checks matter only for\nvirtualization and that igc does not support virtualization -- but a\nPCIe device can become detached even without virtualization being in\nuse, and without proper checks, a PCIe bus error affecting an igc\nadapter will lead to various NULL pointer dereferences, as the first\naccess after the error will set hw-\u003ehw_addr to NULL, and subsequent\naccesses will blindly dereference this now-NULL pointer.\n\nThis patch reinstates the IGC_REMOVED checks in igc_rd32/wr32(), and\nimplements IGC_REMOVED the way it is done for igb, by checking for the\nunlikely() case of hw_addr being NULL.  This change prevents the oopses\nseen when a PCIe link flap occurs on an igc adapter.",
  "id": "GHSA-6hqq-r498-2prh",
  "modified": "2025-10-23T12:31:15Z",
  "published": "2025-10-23T12:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49605"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/16cb6717f4f42487ef10583eb8bc98e7d1e33d65"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/70965b6e5c03aa70cc754af1226b9f9cde0c4bf3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/77836dbe35382aaf8108489060c5c89530c77494"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7c1ddcee5311f3315096217881d2dbe47cc683f9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e75b73081f1ec169518773626c2ff3950476660b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.