CVE-2026-22981
Description
In the Linux kernel, the following vulnerability has been resolved:idpf: detach and close netdevs while handling a resetProtect the reset path from callbacks by setting the netdevs to detachedstate and close any netdevs in UP state until the reset handling hascompleted. During a reset, the driver will de-allocate resources for thevport, and there is no guarantee that those will recover, which is why theexisting vport_ctrl_lock does not provide sufficient protection.idpf_detach_and_close() is called right before reset handling. If thereset handling succeeds, the netdevs state is recovered via call toidpf_attach_and_open(). If the reset handling fails the netdevs remaindown. The detach/down calls are protected with RTNL lock to avoid racingwith callbacks. On the recovery side the attach can be done withoutholding the RTNL lock as there are no callbacks expected at that point,due to detach/close always being done first in that flow.The previous logic restoring the netdevs state based on theIDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hencethe removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED isstill being used to restore the state of the netdevs following the reset,but has no use outside of the reset handling flow.idpf_init_hard_reset() is converted to void, since it was used as such andthere is no error handling being done based on its return value.Before this change, invoking hard and soft resets simultaneously willcause the driver to lose the vport state:ip -br aUPecho 1 > /sys/class/net/ens801f0/device/reset& ethtool -L ens801f0 combined 8ip -br aDOWNip link set upip -br aDOWNAlso in case of a failure in the reset path, the netdev is leftexposed to external callbacks, while vport resources are notinitialized, leading to a crash on subsequent ifup/down:[408471.398966] idpf 0000:83:00.0: HW reset detected[408471.411744] idpf 0000:83:00.0: Device HW Reset initiated[408472.277901] idpf 0000:83:00.0: The driver was unable to contact the devices firmware. Check that the FW is running. Driver state= 0x2[408508.125551] BUG: kernel null pointer dereference, address: 0000000000000078[408508.126112] #PF: supervisor read access in kernel mode[408508.126687] #PF: error_code(0x0000) - not-present page[408508.127256] PGD 2aae2f067 P4D 0[408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI...[408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf]...[408508.139193] Call Trace:[408508.139637] [408508.140077] __dev_close_many+0xbb/0x260[408508.140533] __dev_change_flags+0x1cf/0x280[408508.140987] netif_change_flags+0x26/0x70[408508.141434] dev_change_flags+0x3d/0xb0[408508.141878] devinet_ioctl+0x460/0x890[408508.142321] inet_ioctl+0x18e/0x1d0[408508.142762] _copy_to_user+0x22/0x70[408508.143207] sock_do_ioctl+0x3d/0xe0[408508.143652] sock_ioctl+0x10e/0x330[408508.144091] find_held_lock+0x2b/0x80[408508.144537] __x64_sys_ioctl+0x96/0xe0[408508.144979] do_syscall_64+0x79/0x3d0[408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e[408508.145860] RIP: 0033:0x7f3e0bb4caff
Risk Information
Associated Vulnerability
No records foundPatch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234