FKIE_CVE-2026-22981
Vulnerability from fkie_nvd - Published: 2026-01-23 16:15 - Updated: 2026-04-02 12:16
Summary
In the Linux kernel, the following vulnerability has been resolved:

idpf: detach and close netdevs while handling a reset

Protect the reset path from callbacks by setting the netdevs to detached
state and close any netdevs in UP state until the reset handling has
completed. During a reset, the driver will de-allocate resources for the
vport, and there is no guarantee that those will recover, which is why the
existing vport_ctrl_lock does not provide sufficient protection.

idpf_detach_and_close() is called right before reset handling. If the
reset handling succeeds, the netdevs state is recovered via call to
idpf_attach_and_open(). If the reset handling fails the netdevs remain
down. The detach/down calls are protected with RTNL lock to avoid racing
with callbacks. On the recovery side the attach can be done without
holding the RTNL lock as there are no callbacks expected at that point,
due to detach/close always being done first in that flow.

The previous logic restoring the netdevs state based on the
IDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence
the removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is
still being used to restore the state of the netdevs following the reset,
but has no use outside of the reset handling flow.

idpf_init_hard_reset() is converted to void, since it was used as such and
there is no error handling being done based on its return value.

Before this change, invoking hard and soft resets simultaneously will
cause the driver to lose the vport state:
```
ip -br a
<inf> UP
echo 1 > /sys/class/net/ens801f0/device/reset& \
ethtool -L ens801f0 combined 8
ip -br a
<inf> DOWN
ip link set <inf> up
ip -br a
<inf> DOWN
```
Also in case of a failure in the reset path, the netdev is left
exposed to external callbacks, while vport resources are not
initialized, leading to a crash on subsequent ifup/down:
```
[408471.398966] idpf 0000:83:00.0: HW reset detected
[408471.411744] idpf 0000:83:00.0: Device HW Reset initiated
[408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device's firmware. Check that the FW is running. Driver state= 0x2
[408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078
[408508.126112] #PF: supervisor read access in kernel mode
[408508.126687] #PF: error_code(0x0000) - not-present page
[408508.127256] PGD 2aae2f067 P4D 0
[408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI
...
[408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf]
...
[408508.139193] Call Trace:
[408508.139637] <TASK>
[408508.140077] __dev_close_many+0xbb/0x260
[408508.140533] __dev_change_flags+0x1cf/0x280
[408508.140987] netif_change_flags+0x26/0x70
[408508.141434] dev_change_flags+0x3d/0xb0
[408508.141878] devinet_ioctl+0x460/0x890
[408508.142321] inet_ioctl+0x18e/0x1d0
[408508.142762] ? _copy_to_user+0x22/0x70
[408508.143207] sock_do_ioctl+0x3d/0xe0
[408508.143652] sock_ioctl+0x10e/0x330
[408508.144091] ? find_held_lock+0x2b/0x80
[408508.144537] __x64_sys_ioctl+0x96/0xe0
[408508.144979] do_syscall_64+0x79/0x3d0
[408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[408508.145860] RIP: 0033:0x7f3e0bb4caff
```
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linux | linux_kernel | * | |
| linux | linux_kernel | 6.19 | |
| linux | linux_kernel | 6.19 | |
| linux | linux_kernel | 6.19 | |
| linux | linux_kernel | 6.19 | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C006C634-C236-4B4B-B7FA-AF44C3098505",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*",
"matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*",
"matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*",
"matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*",
"matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: detach and close netdevs while handling a reset\n\nProtect the reset path from callbacks by setting the netdevs to detached\nstate and close any netdevs in UP state until the reset handling has\ncompleted. During a reset, the driver will de-allocate resources for the\nvport, and there is no guarantee that those will recover, which is why the\nexisting vport_ctrl_lock does not provide sufficient protection.\n\nidpf_detach_and_close() is called right before reset handling. If the\nreset handling succeeds, the netdevs state is recovered via call to\nidpf_attach_and_open(). If the reset handling fails the netdevs remain\ndown. The detach/down calls are protected with RTNL lock to avoid racing\nwith callbacks. On the recovery side the attach can be done without\nholding the RTNL lock as there are no callbacks expected at that point,\ndue to detach/close always being done first in that flow.\n\nThe previous logic restoring the netdevs state based on the\nIDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence\nthe removal of idpf_set_vport_state(). 
The IDPF_VPORT_UP_REQUESTED is\nstill being used to restore the state of the netdevs following the reset,\nbut has no use outside of the reset handling flow.\n\nidpf_init_hard_reset() is converted to void, since it was used as such and\nthere is no error handling being done based on its return value.\n\nBefore this change, invoking hard and soft resets simultaneously will\ncause the driver to lose the vport state:\nip -br a\n\u003cinf\u003e\tUP\necho 1 \u003e /sys/class/net/ens801f0/device/reset\u0026 \\\nethtool -L ens801f0 combined 8\nip -br a\n\u003cinf\u003e\tDOWN\nip link set \u003cinf\u003e up\nip -br a\n\u003cinf\u003e\tDOWN\n\nAlso in case of a failure in the reset path, the netdev is left\nexposed to external callbacks, while vport resources are not\ninitialized, leading to a crash on subsequent ifup/down:\n[408471.398966] idpf 0000:83:00.0: HW reset detected\n[408471.411744] idpf 0000:83:00.0: Device HW Reset initiated\n[408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device\u0027s firmware. Check that the FW is running. Driver state= 0x2\n[408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078\n[408508.126112] #PF: supervisor read access in kernel mode\n[408508.126687] #PF: error_code(0x0000) - not-present page\n[408508.127256] PGD 2aae2f067 P4D 0\n[408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI\n...\n[408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf]\n...\n[408508.139193] Call Trace:\n[408508.139637] \u003cTASK\u003e\n[408508.140077] __dev_close_many+0xbb/0x260\n[408508.140533] __dev_change_flags+0x1cf/0x280\n[408508.140987] netif_change_flags+0x26/0x70\n[408508.141434] dev_change_flags+0x3d/0xb0\n[408508.141878] devinet_ioctl+0x460/0x890\n[408508.142321] inet_ioctl+0x18e/0x1d0\n[408508.142762] ? _copy_to_user+0x22/0x70\n[408508.143207] sock_do_ioctl+0x3d/0xe0\n[408508.143652] sock_ioctl+0x10e/0x330\n[408508.144091] ? 
find_held_lock+0x2b/0x80\n[408508.144537] __x64_sys_ioctl+0x96/0xe0\n[408508.144979] do_syscall_64+0x79/0x3d0\n[408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[408508.145860] RIP: 0033:0x7f3e0bb4caff"
},
{
"lang": "es",
"value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nidpf: desvincular y cerrar netdevs mientras se maneja un reinicio\n\nProteger la ruta de reinicio de las devoluciones de llamada configurando los netdevs a estado desvinculado y cerrando cualquier netdev en estado UP hasta que el manejo del reinicio haya finalizado. Durante un reinicio, el controlador desasignar\u00e1 recursos para el vport, y no hay garant\u00eda de que estos se recuperen, raz\u00f3n por la cual el vport_ctrl_lock existente no proporciona suficiente protecci\u00f3n.\n\nidpf_detach_and_close() se llama justo antes del manejo del reinicio. Si el manejo del reinicio tiene \u00e9xito, el estado de los netdevs se recupera mediante una llamada a idpf_attach_and_open(). Si el manejo del reinicio falla, los netdevs permanecen inactivos. Las llamadas de desvinculaci\u00f3n/inactivaci\u00f3n est\u00e1n protegidas con el bloqueo RTNL para evitar condiciones de carrera con las devoluciones de llamada. En el lado de la recuperaci\u00f3n, la vinculaci\u00f3n se puede realizar sin mantener el bloqueo RTNL ya que no se esperan devoluciones de llamada en ese punto, debido a que la desvinculaci\u00f3n/cierre siempre se realiza primero en ese flujo.\n\nLa l\u00f3gica anterior que restauraba el estado de los netdevs basada en el indicador IDPF_VPORT_UP_REQUESTED en la tarea de inicializaci\u00f3n ya no es necesaria, de ah\u00ed la eliminaci\u00f3n de idpf_set_vport_state(). 
El IDPF_VPORT_UP_REQUESTED todav\u00eda se utiliza para restaurar el estado de los netdevs despu\u00e9s del reinicio, pero no tiene uso fuera del flujo de manejo del reinicio.\n\nidpf_init_hard_reset() se convierte a void, ya que se utilizaba como tal y no se realiza manejo de errores basado en su valor de retorno.\n\nAntes de este cambio, invocar reinicios duros y blandos simult\u00e1neamente har\u00e1 que el controlador pierda el estado del vport:\nip -br a\n\tUP\necho 1 \u0026gt; /sys/class/net/ens801f0/device/reset\u0026amp; \\\nethtool -L ens801f0 combined 8\nip -br a\n\tDOWN\nip link set up\nip -br a\n\tDOWN\n\nTambi\u00e9n en caso de un fallo en la ruta de reinicio, el netdev queda expuesto a devoluciones de llamada externas, mientras que los recursos del vport no est\u00e1n inicializados, lo que lleva a un fallo en un posterior ifup/down:\n[408471.398966] idpf 0000:83:00.0: HW reset detected\n[408471.411744] idpf 0000:83:00.0: Device HW Reset initiated\n[408472.277901] idpf 0000:83:00.0: El controlador no pudo contactar el firmware del dispositivo. Verifique que el FW est\u00e9 en ejecuci\u00f3n. Estado del controlador= 0x2\n[408508.125551] BUG: desreferencia de puntero NULL del kernel, direcci\u00f3n: 0000000000000078\n[408508.126112] #PF: acceso de lectura de supervisor en modo kernel\n[408508.126687] #PF: error_code(0x0000) - p\u00e1gina no presente\n[408508.127256] PGD 2aae2f067 P4D 0\n[408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI\n...\n[408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf]\n...\n[408508.139193] Call Trace:\n[408508.139637] \n[408508.140077] __dev_close_many+0xbb/0x260\n[408508.140533] __dev_change_flags+0x1cf/0x280\n[408508.140987] netif_change_flags+0x26/0x70\n[408508.141434] dev_change_flags+0x3d/0xb0\n[408508.141878] devinet_ioctl+0x460/0x890\n[408508.142321] inet_ioctl+0x18e/0x1d0\n[408508.142762] ? _copy_to_user+0x22/0x70\n[408508.143207] sock_do_ioctl+0x3d/0xe0\n[408508.143652] sock_ioctl+0x10e/0x330\n[408508.144091] ? 
find_held_lock+0x2b/0x80\n[408508.144537] __x64_sys_ioctl+0x96/0xe0\n[408508.144979] do_syscall_64+0x79/0x3d0\n[408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[408508.145860] RIP: 0033:0x7f3e0bb4caff"
}
],
"id": "CVE-2026-22981",
"lastModified": "2026-04-02T12:16:18.793",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-01-23T16:15:54.117",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/2e281e1155fc476c571c0bd2ffbfe28ab829a5c3"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/9ad3d0836d8bc1a0f0b4bf56efc56312a9e64b97"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/ac122f5fb050903b3d262001562c452be95eaf70"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-476"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.