Linux Kernel Ice Driver Devlink Reload Call Trace Vulnerability

A vulnerability in the Linux kernel's Ice driver can lead to a call trace issue when the Devlink reload feature is used. This problem arises from the way the driver handles internal temperature sensor readings via the HWMON interface. The vulnerability occurs because the driver's initialization and cleanup functions are not properly synchronized, leading to orphaned references to freed memory. When system monitoring tools attempt to access these orphaned attributes, a page fault occurs, causing the call trace to repeat approximately every 10 minutes.

Impact

The vulnerability can cause a kernel call trace to occur, which may disrupt normal system operations and performance. This call trace references a page fault for an address that has been freed, indicating a use-after-free error that can potentially be exploited.

Reproduction

The vulnerability can be reproduced by loading the Ice driver, which initializes the HWMON interface and starts reading the internal temperature sensor. After the driver is loaded, perform a Devlink reload, which reinitializes the device without properly removing the first HWMON instance. Finally, unload the driver, which calls the cleanup function that does not account for the orphaned HWMON instance, leaving a dangling pointer that causes the call trace issue.

Remediation

The vulnerability has been fixed by adjusting the driver's cleanup process to ensure that HWMON exit is called in the correct sequence, preventing orphaned references. Users should update to the latest version of the Linux kernel where this fix has been applied.