Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's ice driver related to improper deinitialization of virtual functions (VFs) in error handling scenarios. When the function ice_ena_vfs() fails after initiating virtual function entries, it inadvertently frees all VFs without removing them from the snapshot of the physical function (PF)-VF mailbox list. This oversight leads to corruption of the list. The issue can manifest as a 'list_add corruption' error, indicating a mismatch in the list pointers, or as a use-after-free error, both of which are symptomatic of the underlying list corruption caused by the improper error handling.
Exploitation of this vulnerability can lead to memory corruption, specifically causing a use-after-free condition, which can be exploited to execute arbitrary code or cause a denial-of-service by crashing the system.
The vulnerability can be reproduced by setting a physical function (PF) to switchdev mode and enabling promiscuous mode. After the PF interface is brought up, increasing the number of virtual functions triggers the vulnerability. The resulting list corruption is reported as a kernel bug in list management, a critical error that can destabilize the system.
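The error-path ordering described above, as an added user-space model (not the ice driver's code). All names are hypothetical, and "freeing" only poisons a static pool, so the list check trips deterministically instead of touching freed memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* User-space model; all names are hypothetical, not the ice driver's. */
struct list_head { struct list_head *next, *prev; };
struct vf { int id; struct list_head snap_node; };

#define NUM_VFS 3
static struct vf vf_pool[NUM_VFS + 1];  /* static pool, so "free" can only poison */
static struct list_head snapshot;       /* stands in for the mailbox snapshot list */

static bool list_add_tail_checked(struct list_head *n, struct list_head *head) {
    struct list_head *prev = head->prev;
    /* Pointer consistency check, modelled on kernel list debugging. */
    if (prev->next != head)
        return false;                   /* the "list_add corruption" case */
    n->next = head; n->prev = prev;
    prev->next = n; head->prev = n;
    return true;
}

static void list_del_node(struct list_head *n) {
    n->prev->next = n->next;
    n->next->prev = n->prev;
}

/* Error path: release every VF; unlink_first selects the corrected ordering. */
static void free_all_vfs(bool unlink_first) {
    for (int i = 0; i < NUM_VFS; i++) {
        if (unlink_first)
            list_del_node(&vf_pool[i].snap_node);
        memset(&vf_pool[i], 0x6b, sizeof(vf_pool[i])); /* model freed memory */
    }
}

/* Returns true if a later VF enable can still link into the snapshot list. */
bool enable_after_failed_attempt(bool unlink_first) {
    snapshot.next = snapshot.prev = &snapshot;
    for (int i = 0; i < NUM_VFS; i++)
        list_add_tail_checked(&vf_pool[i].snap_node, &snapshot);
    free_all_vfs(unlink_first);
    return list_add_tail_checked(&vf_pool[NUM_VFS].snap_node, &snapshot);
}

int main(void) {
    printf("free without unlink: %d\n", enable_after_failed_attempt(false));
    printf("unlink then free:    %d\n", enable_after_failed_attempt(true));
    return 0;
}
```

When the entries are released without being unlinked, the list head still points at poisoned nodes and the next add is rejected; unlinking each entry before release leaves an empty, consistent list.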