In the Linux kernel, the following vulnerability has been resolved:
RDMA/ucma: Protect mc during concurrent multicast leaves
Partially revert the commit mentioned in the Fixes line to make sure that allocation and erasure of the multicast struct are done under the lock.
BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579
Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529
CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
 ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579
 ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614
 ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732
 vfs_write+0x28e/0xae0 fs/read_write.c:588
 ksys_write+0x1ee/0x250 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
Currently the xarray search can touch an mc that is being freed concurrently, because the xa_for_each() walk is not surrounded by any lock; a multicast entry released by a concurrent leave can therefore still be dereferenced during cleanup, which is the use-after-free reported above. Rather than hold the lock for the full scan, hold it only for the affected items, which is usually an empty list.
{ "vanir_signatures": [ { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "109461504352215854073198901161384241889", "288726256777328272187354886718745586438", "200250874721577587199394947227316510004", "313701977852333943205581975620485558880", "92291237538396318292327494512074061608", "167218098908831743650246764445606497792", "263902275510144973335104387070501515074", "4974593048297909754802696970034792927", "232635322623969211241478830205735473616", "151457581941818207427903733777720132877", "114192607055221158996784455211819806995", "190396113834059664737473640629392315932", "290955844275290609860548797460743593845", "69735046602438382638409611678684010313", "209958123025787519797633615901813065974", "57734373900869511363302404063293141160", "250417513233593141096139078185704194287", "177692640394286657622374179518766033678", "96976455853893181446834946458350381899", "235549892122639332156341491243909777318", "197069940523379094769121065790279883317", "22589900548797604645165449996487914396", "191399223218663432210889543800943540835", "137111056718391886871679457159522681379", "238924488921479172433341554053150839306", "184165841024792829907013642762769852636", "33674481425854804341786637674584833004", "211466973986514052025697427219225047111", "273417656657593365123318182525659988167", "57778572093948604544176605927054906722", "138770761923554715709351683409118825063", "133202268855943196729363623545542995404", "238218874393727184158550720333780150125", "65192443627289154674207746244929180756", "17528980807616413257512608504798605685", "2957149270164045820900206031840594349", "318456537538170701615314832555230762358", "98935767764309814114456300828940357196", "112886967645980396806047999494327290749", "82211058569561722217425376055303813112", "89619088560109744268529998633705901770", "22986447025974306963463147206017069820", "123987136969086626660165237984671847825", "162367003090114702087781068548349405908", 
"305246074710580288651162210853562743555", "98578990322977724427742674549766384668" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@36e8169ec973359f671f9ec7213547059cae972e", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c" }, "signature_type": "Line", "id": "CVE-2022-48726-2cb42ce4" }, { "signature_version": "v1", "digest": { "length": 430.0, "function_hash": "90649344114687098919317332722134091840" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75c610212b9f1756b9384911d3a2c347eee8031c", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", "function": "ucma_alloc_ctx" }, "signature_type": "Function", "id": "CVE-2022-48726-3ab46a25" }, { "signature_version": "v1", "digest": { "length": 1056.0, "function_hash": "279568564441437086113708784552762738620" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@36e8169ec973359f671f9ec7213547059cae972e", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", "function": "ucma_leave_multicast" }, "signature_type": "Function", "id": "CVE-2022-48726-6f892db4" }, { "signature_version": "v1", "digest": { "length": 226.0, "function_hash": "53043868946418596090555698912593938965" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ee2477e8ccd3d978eeac0dc5a981b286d9bb7b0a", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", "function": "ucma_cleanup_multicast" }, "signature_type": "Function", "id": "CVE-2022-48726-717d5fc8" }, { "signature_version": "v1", "digest": { "length": 1670.0, "function_hash": "207430315606732822852992155948179578125" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@36e8169ec973359f671f9ec7213547059cae972e", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", "function": "ucma_process_join" }, "signature_type": "Function", "id": 
"CVE-2022-48726-79994259" }, { "signature_version": "v1", "digest": { "length": 1056.0, "function_hash": "279568564441437086113708784552762738620" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75c610212b9f1756b9384911d3a2c347eee8031c", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", "function": "ucma_leave_multicast" }, "signature_type": "Function", "id": "CVE-2022-48726-7b051366" }, { "signature_version": "v1", "digest": { "length": 1056.0, "function_hash": "279568564441437086113708784552762738620" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ee2477e8ccd3d978eeac0dc5a981b286d9bb7b0a", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", "function": "ucma_leave_multicast" }, "signature_type": "Function", "id": "CVE-2022-48726-883d9e56" }, { "signature_version": "v1", "digest": { "length": 1670.0, "function_hash": "207430315606732822852992155948179578125" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75c610212b9f1756b9384911d3a2c347eee8031c", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", "function": "ucma_process_join" }, "signature_type": "Function", "id": "CVE-2022-48726-8dba040d" }, { "signature_version": "v1", "digest": { "length": 226.0, "function_hash": "53043868946418596090555698912593938965" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2923948ffe0835f7114e948b35bcc42bc9b3baa1", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", "function": "ucma_cleanup_multicast" }, "signature_type": "Function", "id": "CVE-2022-48726-9f095cde" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "109461504352215854073198901161384241889", "288726256777328272187354886718745586438", "200250874721577587199394947227316510004", "313701977852333943205581975620485558880", "92291237538396318292327494512074061608", 
"167218098908831743650246764445606497792", "263902275510144973335104387070501515074", "4974593048297909754802696970034792927", "232635322623969211241478830205735473616", "151457581941818207427903733777720132877", "114192607055221158996784455211819806995", "190396113834059664737473640629392315932", "290955844275290609860548797460743593845", "69735046602438382638409611678684010313", "209958123025787519797633615901813065974", "57734373900869511363302404063293141160", "250417513233593141096139078185704194287", "177692640394286657622374179518766033678", "96976455853893181446834946458350381899", "235549892122639332156341491243909777318", "197069940523379094769121065790279883317", "22589900548797604645165449996487914396", "191399223218663432210889543800943540835", "137111056718391886871679457159522681379", "238924488921479172433341554053150839306", "184165841024792829907013642762769852636", "33674481425854804341786637674584833004", "211466973986514052025697427219225047111", "273417656657593365123318182525659988167", "57778572093948604544176605927054906722", "138770761923554715709351683409118825063", "133202268855943196729363623545542995404", "238218874393727184158550720333780150125", "65192443627289154674207746244929180756", "17528980807616413257512608504798605685", "2957149270164045820900206031840594349", "318456537538170701615314832555230762358", "98935767764309814114456300828940357196", "112886967645980396806047999494327290749", "82211058569561722217425376055303813112", "89619088560109744268529998633705901770", "22986447025974306963463147206017069820", "123987136969086626660165237984671847825", "162367003090114702087781068548349405908", "305246074710580288651162210853562743555", "98578990322977724427742674549766384668" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2923948ffe0835f7114e948b35bcc42bc9b3baa1", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c" }, "signature_type": "Line", "id": 
"CVE-2022-48726-a37fe42c" }, { "signature_version": "v1", "digest": { "length": 226.0, "function_hash": "53043868946418596090555698912593938965" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75c610212b9f1756b9384911d3a2c347eee8031c", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", "function": "ucma_cleanup_multicast" }, "signature_type": "Function", "id": "CVE-2022-48726-af5c96ad" }, { "signature_version": "v1", "digest": { "length": 430.0, "function_hash": "90649344114687098919317332722134091840" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2923948ffe0835f7114e948b35bcc42bc9b3baa1", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", "function": "ucma_alloc_ctx" }, "signature_type": "Function", "id": "CVE-2022-48726-af8e41ce" }, { "signature_version": "v1", "digest": { "length": 430.0, "function_hash": "90649344114687098919317332722134091840" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ee2477e8ccd3d978eeac0dc5a981b286d9bb7b0a", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", "function": "ucma_alloc_ctx" }, "signature_type": "Function", "id": "CVE-2022-48726-b35f5336" }, { "signature_version": "v1", "digest": { "length": 430.0, "function_hash": "90649344114687098919317332722134091840" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@36e8169ec973359f671f9ec7213547059cae972e", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", "function": "ucma_alloc_ctx" }, "signature_type": "Function", "id": "CVE-2022-48726-b446b73a" }, { "signature_version": "v1", "digest": { "length": 1056.0, "function_hash": "279568564441437086113708784552762738620" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2923948ffe0835f7114e948b35bcc42bc9b3baa1", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", 
"function": "ucma_leave_multicast" }, "signature_type": "Function", "id": "CVE-2022-48726-ba7f0e7f" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "109461504352215854073198901161384241889", "288726256777328272187354886718745586438", "200250874721577587199394947227316510004", "313701977852333943205581975620485558880", "92291237538396318292327494512074061608", "167218098908831743650246764445606497792", "263902275510144973335104387070501515074", "4974593048297909754802696970034792927", "232635322623969211241478830205735473616", "151457581941818207427903733777720132877", "114192607055221158996784455211819806995", "190396113834059664737473640629392315932", "290955844275290609860548797460743593845", "69735046602438382638409611678684010313", "209958123025787519797633615901813065974", "57734373900869511363302404063293141160", "250417513233593141096139078185704194287", "177692640394286657622374179518766033678", "96976455853893181446834946458350381899", "235549892122639332156341491243909777318", "197069940523379094769121065790279883317", "22589900548797604645165449996487914396", "191399223218663432210889543800943540835", "137111056718391886871679457159522681379", "238924488921479172433341554053150839306", "184165841024792829907013642762769852636", "33674481425854804341786637674584833004", "211466973986514052025697427219225047111", "273417656657593365123318182525659988167", "57778572093948604544176605927054906722", "138770761923554715709351683409118825063", "133202268855943196729363623545542995404", "238218874393727184158550720333780150125", "65192443627289154674207746244929180756", "17528980807616413257512608504798605685", "2957149270164045820900206031840594349", "318456537538170701615314832555230762358", "98935767764309814114456300828940357196", "112886967645980396806047999494327290749", "82211058569561722217425376055303813112", "89619088560109744268529998633705901770", "22986447025974306963463147206017069820", 
"123987136969086626660165237984671847825", "162367003090114702087781068548349405908", "305246074710580288651162210853562743555", "98578990322977724427742674549766384668" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75c610212b9f1756b9384911d3a2c347eee8031c", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c" }, "signature_type": "Line", "id": "CVE-2022-48726-c136f1e3" }, { "signature_version": "v1", "digest": { "length": 226.0, "function_hash": "53043868946418596090555698912593938965" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@36e8169ec973359f671f9ec7213547059cae972e", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", "function": "ucma_cleanup_multicast" }, "signature_type": "Function", "id": "CVE-2022-48726-c7bd81b7" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "109461504352215854073198901161384241889", "288726256777328272187354886718745586438", "200250874721577587199394947227316510004", "313701977852333943205581975620485558880", "92291237538396318292327494512074061608", "167218098908831743650246764445606497792", "263902275510144973335104387070501515074", "4974593048297909754802696970034792927", "232635322623969211241478830205735473616", "151457581941818207427903733777720132877", "114192607055221158996784455211819806995", "190396113834059664737473640629392315932", "290955844275290609860548797460743593845", "69735046602438382638409611678684010313", "209958123025787519797633615901813065974", "57734373900869511363302404063293141160", "250417513233593141096139078185704194287", "177692640394286657622374179518766033678", "96976455853893181446834946458350381899", "235549892122639332156341491243909777318", "197069940523379094769121065790279883317", "22589900548797604645165449996487914396", "191399223218663432210889543800943540835", "137111056718391886871679457159522681379", "238924488921479172433341554053150839306", 
"184165841024792829907013642762769852636", "33674481425854804341786637674584833004", "211466973986514052025697427219225047111", "273417656657593365123318182525659988167", "57778572093948604544176605927054906722", "138770761923554715709351683409118825063", "133202268855943196729363623545542995404", "238218874393727184158550720333780150125", "65192443627289154674207746244929180756", "17528980807616413257512608504798605685", "2957149270164045820900206031840594349", "318456537538170701615314832555230762358", "98935767764309814114456300828940357196", "112886967645980396806047999494327290749", "82211058569561722217425376055303813112", "89619088560109744268529998633705901770", "22986447025974306963463147206017069820", "123987136969086626660165237984671847825", "162367003090114702087781068548349405908", "305246074710580288651162210853562743555", "98578990322977724427742674549766384668" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ee2477e8ccd3d978eeac0dc5a981b286d9bb7b0a", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c" }, "signature_type": "Line", "id": "CVE-2022-48726-cb0d45a2" }, { "signature_version": "v1", "digest": { "length": 1670.0, "function_hash": "207430315606732822852992155948179578125" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2923948ffe0835f7114e948b35bcc42bc9b3baa1", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", "function": "ucma_process_join" }, "signature_type": "Function", "id": "CVE-2022-48726-f8998bac" }, { "signature_version": "v1", "digest": { "length": 1670.0, "function_hash": "207430315606732822852992155948179578125" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ee2477e8ccd3d978eeac0dc5a981b286d9bb7b0a", "deprecated": false, "target": { "file": "drivers/infiniband/core/ucma.c", "function": "ucma_process_join" }, "signature_type": "Function", "id": "CVE-2022-48726-f992625a" } ] }