Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's Ice network driver, specifically in the management of the Accelerated Receive Flow Steering (ARFS) feature. This issue arises because the driver improperly frees CPU receive mappings after releasing interrupt request (IRQ) resources, leading to potential memory access violations. The vulnerability was revealed through Kernel Address Sanitizer (KASAN) testing, which detected the use-after-free condition when a task attempted to read memory that had already been freed. The problem occurs in version 5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93.
The use-after-free condition can cause memory corruption and potentially allow arbitrary code execution.
The vulnerability can be reproduced by enabling the Ice driver and its ARFS feature, then performing a device reset. The driver will free the CPU receive mappings just before reallocating them, creating a use-after-free scenario. This sequence can be triggered during normal driver operation, particularly when the device is reset or removed.