Wind River Support Network

HomeDefectsLIN1022-19821
Fixed

LIN1022-19821 : Security Advisory - linux - CVE-2022-50679

Created: Dec 10, 2025    Updated: Dec 11, 2025
Resolved Date: Dec 10, 2025
Found In Version: 10.22.33.1
Fix Version: 10.22.33.3
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:[EOL][EOL]i40e: Fix DMA mappings leak[EOL][EOL]During reallocation of RX buffers, new DMA mappings are created for[EOL]those buffers.[EOL][EOL]steps for reproduction:[EOL]while :[EOL]do[EOL]for ((i=0; i<=8160; i=i+32))[EOL]do[EOL]ethtool -G enp130s0f0 rx $i tx $i[EOL]sleep 0.5[EOL]ethtool -g enp130s0f0[EOL]done[EOL]done[EOL][EOL]This resulted in crash:[EOL]i40e 0000:01:00.1: Unable to allocate memory for the Rx descriptor ring, size=65536[EOL]Driver BUG[EOL]WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:141 xdp_rxq_info_unreg+0x43/0x50[EOL]Call Trace:[EOL]i40e_free_rx_resources+0x70/0x80 [i40e][EOL]i40e_set_ringparam+0x27c/0x800 [i40e][EOL]ethnl_set_rings+0x1b2/0x290[EOL]genl_family_rcv_msg_doit.isra.15+0x10f/0x150[EOL]genl_family_rcv_msg+0xb3/0x160[EOL]? rings_fill_reply+0x1a0/0x1a0[EOL]genl_rcv_msg+0x47/0x90[EOL]? genl_family_rcv_msg+0x160/0x160[EOL]netlink_rcv_skb+0x4c/0x120[EOL]genl_rcv+0x24/0x40[EOL]netlink_unicast+0x196/0x230[EOL]netlink_sendmsg+0x204/0x3d0[EOL]sock_sendmsg+0x4c/0x50[EOL]__sys_sendto+0xee/0x160[EOL]? handle_mm_fault+0xbe/0x1e0[EOL]? syscall_trace_enter+0x1d3/0x2c0[EOL]__x64_sys_sendto+0x24/0x30[EOL]do_syscall_64+0x5b/0x1a0[EOL]entry_SYSCALL_64_after_hwframe+0x65/0xca[EOL]RIP: 0033:0x7f5eac8b035b[EOL]Missing register, driver bug[EOL]WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:119 xdp_rxq_info_unreg_mem_model+0x69/0x140[EOL]Call Trace:[EOL]xdp_rxq_info_unreg+0x1e/0x50[EOL]i40e_free_rx_resources+0x70/0x80 [i40e][EOL]i40e_set_ringparam+0x27c/0x800 [i40e][EOL]ethnl_set_rings+0x1b2/0x290[EOL]genl_family_rcv_msg_doit.isra.15+0x10f/0x150[EOL]genl_family_rcv_msg+0xb3/0x160[EOL]? rings_fill_reply+0x1a0/0x1a0[EOL]genl_rcv_msg+0x47/0x90[EOL]? genl_family_rcv_msg+0x160/0x160[EOL]netlink_rcv_skb+0x4c/0x120[EOL]genl_rcv+0x24/0x40[EOL]netlink_unicast+0x196/0x230[EOL]netlink_sendmsg+0x204/0x3d0[EOL]sock_sendmsg+0x4c/0x50[EOL]__sys_sendto+0xee/0x160[EOL]? handle_mm_fault+0xbe/0x1e0[EOL]? syscall_trace_enter+0x1d3/0x2c0[EOL]__x64_sys_sendto+0x24/0x30[EOL]do_syscall_64+0x5b/0x1a0[EOL]entry_SYSCALL_64_after_hwframe+0x65/0xca[EOL]RIP: 0033:0x7f5eac8b035b[EOL][EOL]This was caused because of new buffers with different RX ring count should[EOL]substitute older ones, but those buffers were freed in[EOL]i40e_configure_rx_ring and reallocated again with i40e_alloc_rx_bi,[EOL]thus kfree on rx_bi caused leak of already mapped DMA.[EOL][EOL]Fix this by reallocating ZC with rx_bi_zc struct when BPF program loads. Additionally[EOL]reallocate back to rx_bi when BPF program unloads.[EOL][EOL]If BPF program is loaded/unloaded and XSK pools are created, reallocate[EOL]RX queues accordingly in XSP_SETUP_XSK_POOL handler.
Live chat
Online
  • Linkedin
  • Facebook
  • Twitter
  • Youtube