Linux Kernel XArray Entry Release Vulnerability in Intel Ice Adapter

A vulnerability exists in the Linux kernel's handling of Intel Ice adapters. When the function 'ice_adapter_new()' fails, the XArray entry that was reserved is not released. This oversight causes future insertions at the same index to fail, potentially leading to NULL pointer dereferences. The issue arises because the operations to check for an existing adapter, reserve a slot, allocate a new adapter, and store it are not properly ordered. The vulnerability affects the Linux kernel stable tree.

Impact

Failure to release the XArray entry can lead to subsequent insertions at the same index returning -EBUSY, causing NULL pointer dereferences.

Reproduction

The vulnerability can be reproduced by attempting to insert an adapter into the XArray when the 'ice_adapter_new()' function fails. The first step is to check if the adapter already exists using 'xa_load'. If it does not, reserve the XArray slot with 'xa_reserve'. After reserving the slot, allocate the adapter. If the allocation fails, release the XArray slot. Finally, store the adapter in the XArray.

Remediation

The vulnerability has been addressed in the Linux kernel. Users can apply the latest patches available in the Linux kernel stable tree.