GHSA-M8H5-VF45-H85R

Vulnerability from github – Published: 2025-12-09 03:31 – Updated: 2025-12-09 03:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

PCI: Fix pci_device_is_present() for VFs by checking PF

pci_device_is_present() previously didn't work for VFs because it reads the Vendor and Device ID, which are 0xffff for VFs, which looks like they aren't present. Check the PF instead.

Wei Gong reported that if virtio I/O is in progress when the driver is unbound or "0" is written to /sys/.../sriov_numvfs, the virtio I/O operation hangs, which may result in output like this:

task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002 Call Trace: schedule+0x4f/0xc0 blk_mq_freeze_queue_wait+0x69/0xa0 blk_mq_freeze_queue+0x1b/0x20 blk_cleanup_queue+0x3d/0xd0 virtblk_remove+0x3c/0xb0 [virtio_blk] virtio_dev_remove+0x4b/0x80 ... device_unregister+0x1b/0x60 unregister_virtio_device+0x18/0x30 virtio_pci_remove+0x41/0x80 pci_device_remove+0x3e/0xb0

This happened because pci_device_is_present(VF) returned "false" in virtio_pci_remove(), so it called virtio_break_device(). The broken vq meant that vring_interrupt() skipped the vq.callback() that would have completed the virtio I/O operation via virtblk_done().

[bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag]

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50636"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T01:16:45Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix pci_device_is_present() for VFs by checking PF\n\npci_device_is_present() previously didn\u0027t work for VFs because it reads the\nVendor and Device ID, which are 0xffff for VFs, which looks like they\naren\u0027t present.  Check the PF instead.\n\nWei Gong reported that if virtio I/O is in progress when the driver is\nunbound or \"0\" is written to /sys/.../sriov_numvfs, the virtio I/O\noperation hangs, which may result in output like this:\n\n  task:bash state:D stack:    0 pid: 1773 ppid:  1241 flags:0x00004002\n  Call Trace:\n   schedule+0x4f/0xc0\n   blk_mq_freeze_queue_wait+0x69/0xa0\n   blk_mq_freeze_queue+0x1b/0x20\n   blk_cleanup_queue+0x3d/0xd0\n   virtblk_remove+0x3c/0xb0 [virtio_blk]\n   virtio_dev_remove+0x4b/0x80\n   ...\n   device_unregister+0x1b/0x60\n   unregister_virtio_device+0x18/0x30\n   virtio_pci_remove+0x41/0x80\n   pci_device_remove+0x3e/0xb0\n\nThis happened because pci_device_is_present(VF) returned \"false\" in\nvirtio_pci_remove(), so it called virtio_break_device().  The broken vq\nmeant that vring_interrupt() skipped the vq.callback() that would have\ncompleted the virtio I/O operation via virtblk_done().\n\n[bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag]",
  "id": "GHSA-m8h5-vf45-h85r",
  "modified": "2025-12-09T03:31:09Z",
  "published": "2025-12-09T03:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50636"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/518573988a2f14f517403db2ece5ddaefba21e94"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/643d77fda08d06f863af35e80a7e517ea61d9629"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/65bd0962992abd42e77a05e68c7b40e7c73726d1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/67fd41bbb0f51aa648a47f728b99e6f1fa2ccc34"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/81565e51ccaf6fff8910e997ee22e16b5e1dabc3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/98b04dd0b4577894520493d96bc4623387767445"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/99ef6cc791584495987dd11b14769b450dfa5820"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f4b44c7766dae2b8681f621941cabe9f14066d59"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.