CVE-2022-48858

Summary

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix a race on command flush flow

Fix a refcount use after free warning due to a race on command entry. Such race occurs when one of the commands releases its last refcount and frees its index and entry while another process running command flush flow takes refcount to this command entry. The process which handles commands flush may see this command as needed to be flushed if the other process released its refcount but didn't release the index yet. Fix it by adding the needed spin lock.

It fixes the following warning trace:

refcount_t: addition on 0; use-after-free. WARNING: CPU: 11 PID: 540311 at lib/refcount.c:25 refcount_warn_saturate+0x80/0xe0 … RIP: 0010:refcount_warn_saturate+0x80/0xe0 … Call Trace: <TASK> mlx5_cmd_trigger_completions+0x293/0x340 [mlx5_core] mlx5_cmd_flush+0x3a/0xf0 [mlx5_core] enter_error_state+0x44/0x80 [mlx5_core] mlx5_fw_fatal_reporter_err_work+0x37/0xe0 [mlx5_core] process_one_work+0x1be/0x390 worker_thread+0x4d/0x3d0 ? rescuer_thread+0x350/0x350 kthread+0x141/0x160 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x1f/0x30 </TASK>

Affected Software

VendorProductVersion RangeStatus
LinuxLinux073fff8102062cd675170ceb54d90da22fe7e668 < 1a4017926eeea56c7540cc41b42106746ee8a0eeaffected
LinuxLinux50b2412b7e7862c5af0cbf4b10d93bc5c712d021 < f3331bc17449f15832c31823f27573f4c0e13e5faffected
LinuxLinux50b2412b7e7862c5af0cbf4b10d93bc5c712d021 < 7c519f769f555ff7d9d4ccba3497bbb589df360aaffected
LinuxLinux50b2412b7e7862c5af0cbf4b10d93bc5c712d021 < 0401bfb27a91d7bdd74b1635c1aae57cbb128da6affected
LinuxLinux50b2412b7e7862c5af0cbf4b10d93bc5c712d021 < 063bd355595428750803d8736a9bb7c8db67d42daffected
LinuxLinuxda87ea137373689dec9d3fafa34a57787320a4b3affected
LinuxLinux5.4.71 < 5.4.185affected
LinuxLinux5.8.15 < 5.9affected
LinuxLinux5.9affected
LinuxLinux0 < 5.9unaffected
LinuxLinux5.4.185 <= 5.4.*unaffected
LinuxLinux5.10.106 <= 5.10.*unaffected
LinuxLinux5.15.29 <= 5.15.*unaffected
LinuxLinux5.16.15 <= 5.16.*unaffected
LinuxLinux5.17 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References