CVE-2022-49434

sriovnumvfsstore devicelock # A (1) acquire device lock sriovconfigure vfiopcisriovconfigure # (for example) vfiopcicoresriovconfigure pcidisablesriov sriovdisable pcicfgaccesslock pciwaitcfg # B (4) wait for dev->blockcfg_access == 0

Previously, pcidevlock() acquired the config space access lock before the device lock:

pcidevlock pcicfgaccesslock dev->blockcfgaccess = 1 # B (2) set dev->blockcfgaccess = 1 devicelock # A (3) wait for device lock

Any path that uses pcidevlock(), e.g., pciresetfunction(), may deadlock with sriovnumvfsstore() if the operations occur in the sequence (1) (2) (3) (4).

Avoid the deadlock by reversing the order in pcidevlock() so it acquires the device lock before the config space access lock, the same as the sriovnumvfsstore() path.

[bhelgaas: combined and adapted commit log from Jay Zhou's independent subsequent posting: https://lore.kernel.org/r/20220404062539.1710-1-jianjay.zhou@huawei.com]

References

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.127-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

5.10.113-1

5.10.120-1~bpo10+1

5.10.120-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.18.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.18.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}