CVE-2022-48673

Source: https://nvd.nist.gov/vuln/detail/CVE-2022-48673
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48673.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2022-48673
Published: 2024-05-03T14:51:44Z
Modified: 2025-10-15T15:13:17.744420Z
Summary
net/smc: Fix possible access to freed memory in link clear
Details

In the Linux kernel, the following vulnerability has been resolved:

net/smc: Fix possible access to freed memory in link clear

After modifying the QP to the Error state, all RX WR would be completed with WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not wait for it to be done, but destroys the QP and frees the link group directly. So there is a risk of accessing the freed memory in tasklet context.

Here is a crash example:

BUG: unable to handle page fault for address: ffffffff8f220860
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060
Oops: 0002 [#1] SMP PTI
CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23
Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018
RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0
Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32
RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086
RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000
RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00
RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b
R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010
R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040
FS: 0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 _raw_spin_lock_irqsave+0x30/0x40
 mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]
 smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]
 tasklet_action_common.isra.21+0x66/0x100
 __do_softirq+0xd5/0x29c
 asm_call_irq_on_stack+0x12/0x20
 </IRQ>
 do_softirq_own_stack+0x37/0x40
 irq_exit_rcu+0x9d/0xa0
 sysvec_call_function_single+0x34/0x80
 asm_sysvec_call_function_single+0x12/0x20

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: bd4ad57718cc86d2972a20f9791cd079996a4dd6
Fixed: 89fcb70f1acd6b0bbf2f7bfbf45d7aa75a9bdcde

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: bd4ad57718cc86d2972a20f9791cd079996a4dd6
Fixed: e9b1a4f867ae9c1dbd1d71cd09cbdb3239fb4968

Affected versions

v4.*

v4.10
v4.10-rc4
v4.10-rc5
v4.10-rc6
v4.10-rc7
v4.10-rc8
v4.11
v4.11-rc1
v4.11-rc2
v4.11-rc3
v4.11-rc4
v4.11-rc5
v4.11-rc6
v4.11-rc7
v4.11-rc8
v4.12
v4.12-rc1
v4.12-rc2
v4.12-rc3
v4.12-rc4
v4.12-rc5
v4.12-rc6
v4.12-rc7
v4.13
v4.13-rc1
v4.13-rc2
v4.13-rc3
v4.13-rc4
v4.13-rc5
v4.13-rc6
v4.13-rc7
v4.14
v4.14-rc1
v4.14-rc2
v4.14-rc3
v4.14-rc4
v4.14-rc5
v4.14-rc6
v4.14-rc7
v4.14-rc8
v4.15
v4.15-rc1
v4.15-rc2
v4.15-rc3
v4.15-rc4
v4.15-rc5
v4.15-rc6
v4.15-rc7
v4.15-rc8
v4.15-rc9
v4.16
v4.16-rc1
v4.16-rc2
v4.16-rc3
v4.16-rc4
v4.16-rc5
v4.16-rc6
v4.16-rc7
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7

v5.*

v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.19.1
v5.19.2
v5.19.3
v5.19.4
v5.19.5
v5.19.6
v5.19.7
v5.19.8
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

v6.*

v6.0-rc1
v6.0-rc2
v6.0-rc3

Database specific

vanir_signatures


Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Introduced: 4.11.0
Fixed: 5.19.9