CVE-2022-48728

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48728
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48728.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48728
Downstream
Related
Published
2024-06-20T11:13:17.378Z
Modified
2025-11-14T15:37:09.423221Z
Summary
IB/hfi1: Fix AIP early init panic
Details

In the Linux kernel, the following vulnerability has been resolved:

IB/hfi1: Fix AIP early init panic

An early failure in hfi1ipoibsetup_rn() can lead to the following panic:

BUG: unable to handle kernel NULL pointer dereference at 00000000000001b0 PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI Workqueue: events workforcpufn RIP: 0010:trytograbpending+0x2b/0x140 Code: 1f 44 00 00 41 55 41 54 55 48 89 d5 53 48 89 fb 9c 58 0f 1f 44 00 00 48 89 c2 fa 66 0f 1f 44 00 00 48 89 55 00 40 84 f6 75 77 <f0> 48 0f ba 2b 00 72 09 31 c0 5b 5d 41 5c 41 5d c3 48 89 df e8 6c RSP: 0018:ffffb6b3cf7cfa48 EFLAGS: 00010046 RAX: 0000000000000246 RBX: 00000000000001b0 RCX: 0000000000000000 RDX: 0000000000000246 RSI: 0000000000000000 RDI: 00000000000001b0 RBP: ffffb6b3cf7cfa70 R08: 0000000000000f09 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 R13: ffffb6b3cf7cfa90 R14: ffffffff9b2fbfc0 R15: ffff8a4fdf244690 FS: 0000000000000000(0000) GS:ffff8a527f400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000001b0 CR3: 00000017e2410003 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: _cancelworktimer+0x42/0x190 ? devprintkemit+0x4e/0x70 iowaitcancelwork+0x15/0x30 [hfi1] hfi1ipoibtxreqdeinit+0x5a/0x220 [hfi1] ? deverr+0x6c/0x90 hfi1ipoibnetdevdtor+0x15/0x30 [hfi1] hfi1ipoibsetuprn+0x10e/0x150 [hfi1] rdmainitnetdev+0x5a/0x80 [ibcore] ? hfi1ipoibfreerdmanetdev+0x20/0x20 [hfi1] ipoibintfinit+0x6c/0x350 [ibipoib] ipoibintfalloc+0x5c/0xc0 [ibipoib] ipoibaddone+0xbe/0x300 [ibipoib] addclientcontext+0x12c/0x1a0 [ibcore] enabledeviceandget+0xdc/0x1d0 [ibcore] ibregisterdevice+0x572/0x6b0 [ibcore] rvtregisterdevice+0x11b/0x220 [rdmavt] hfi1registeribdevice+0x6b4/0x770 [hfi1] doinitone.isra.20+0x3e3/0x680 [hfi1] localpciprobe+0x41/0x90 workforcpufn+0x16/0x20 processonework+0x1a7/0x360 ? createworker+0x1a0/0x1a0 workerthread+0x1cf/0x390 ? createworker+0x1a0/0x1a0 kthread+0x116/0x130 ? kthreadflushworkfn+0x10/0x10 retfrom_fork+0x1f/0x40

The panic happens in hfi1ipoibtxreqdeinit() because there is a NULL deref when hfi1ipoibnetdevdtor() is called in this error case.

hfi1ipoibtxreqinit() and hfi1ipoibrxqinit() are self unwinding so fix by adjusting the error paths accordingly.

Other changes: - hfi1ipoibfreerdmanetdev() is deleted including the freenetdev() since the netdev core code deletes calls freenetdev() - The switch to the accelerated entrances is moved to the success path.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d99dc602e2a55a99940ba9506a7126dfa54d54ea
Fixed
4a9bd1e6780fc59f81466ec3489d5ad535a37190
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d99dc602e2a55a99940ba9506a7126dfa54d54ea
Fixed
a3dd4d2682f2a796121609e5f3bbeb1243198c53
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d99dc602e2a55a99940ba9506a7126dfa54d54ea
Fixed
1899c3cad265c4583658aed5293d02e8af84276b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d99dc602e2a55a99940ba9506a7126dfa54d54ea
Fixed
5f8f55b92edd621f056bdf09e572092849fabd83

Affected versions

v5.*

v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.11
v5.10.12
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.3
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.17-rc1
v5.7
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a9bd1e6780fc59f81466ec3489d5ad535a37190",
        "signature_version": "v1",
        "signature_type": "Function",
        "id": "CVE-2022-48728-024532d0",
        "target": {
            "function": "hfi1_ipoib_setup_rn",
            "file": "drivers/infiniband/hw/hfi1/ipoib_main.c"
        },
        "digest": {
            "length": 1070.0,
            "function_hash": "266522972568117283453307769295428542856"
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1899c3cad265c4583658aed5293d02e8af84276b",
        "signature_version": "v1",
        "signature_type": "Line",
        "id": "CVE-2022-48728-20f5493a",
        "target": {
            "file": "drivers/infiniband/hw/hfi1/ipoib_main.c"
        },
        "digest": {
            "line_hashes": [
                "73486512125740363575142000222208339405",
                "303756635059008556472373682453041722187",
                "297378894733851590518544831106403921613",
                "11841102003801101726729024559303483145",
                "332498089753238599614040866166982881986",
                "8573033363363991417677570048922789815",
                "214973427734504575477399018482227822737",
                "55795854909431414019838485346915293376",
                "130869657938083526559964442606520092418",
                "205214953732722132806397917833701072448",
                "295844482843892377903184372977643185420",
                "220536664802959465877049449360159482842",
                "73099564356571421976332327052429016240",
                "86985721094753118515698970725501109386",
                "66147632570679831305609096188110960526",
                "237074240636874636680031879920495464764",
                "28451459119698457200317003744989048122",
                "269120757955929073331280389709109261933",
                "203245714865969760125340750198331045201",
                "69111544407246775822075464572946068494",
                "149367584246250211891008414971264376520",
                "133592269407676558961816939074962609567",
                "23157426110058310713063023283393999737",
                "84903473063537889890384935239174386659",
                "128219272329025836070011879769976295237"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1899c3cad265c4583658aed5293d02e8af84276b",
        "signature_version": "v1",
        "signature_type": "Function",
        "id": "CVE-2022-48728-2dadf800",
        "target": {
            "function": "hfi1_ipoib_free_rdma_netdev",
            "file": "drivers/infiniband/hw/hfi1/ipoib_main.c"
        },
        "digest": {
            "length": 85.0,
            "function_hash": "22966104932178912732848047532441781462"
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a9bd1e6780fc59f81466ec3489d5ad535a37190",
        "signature_version": "v1",
        "signature_type": "Function",
        "id": "CVE-2022-48728-5f70b3d3",
        "target": {
            "function": "hfi1_ipoib_free_rdma_netdev",
            "file": "drivers/infiniband/hw/hfi1/ipoib_main.c"
        },
        "digest": {
            "length": 85.0,
            "function_hash": "22966104932178912732848047532441781462"
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1899c3cad265c4583658aed5293d02e8af84276b",
        "signature_version": "v1",
        "signature_type": "Function",
        "id": "CVE-2022-48728-870d241e",
        "target": {
            "function": "hfi1_ipoib_setup_rn",
            "file": "drivers/infiniband/hw/hfi1/ipoib_main.c"
        },
        "digest": {
            "length": 1114.0,
            "function_hash": "253243245172635566525277703382383442575"
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a9bd1e6780fc59f81466ec3489d5ad535a37190",
        "signature_version": "v1",
        "signature_type": "Line",
        "id": "CVE-2022-48728-e12ce94a",
        "target": {
            "file": "drivers/infiniband/hw/hfi1/ipoib_main.c"
        },
        "digest": {
            "line_hashes": [
                "210996282885884573689135299930380624214",
                "137337676099309688355603830552578139810",
                "297378894733851590518544831106403921613",
                "11841102003801101726729024559303483145",
                "332498089753238599614040866166982881986",
                "8573033363363991417677570048922789815",
                "214973427734504575477399018482227822737",
                "55795854909431414019838485346915293376",
                "130869657938083526559964442606520092418",
                "205214953732722132806397917833701072448",
                "295844482843892377903184372977643185420",
                "220536664802959465877049449360159482842",
                "73099564356571421976332327052429016240",
                "86985721094753118515698970725501109386",
                "66147632570679831305609096188110960526",
                "237074240636874636680031879920495464764",
                "28451459119698457200317003744989048122",
                "269120757955929073331280389709109261933",
                "203245714865969760125340750198331045201",
                "69111544407246775822075464572946068494",
                "149367584246250211891008414971264376520",
                "133592269407676558961816939074962609567",
                "23157426110058310713063023283393999737",
                "84903473063537889890384935239174386659",
                "128219272329025836070011879769976295237"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Fixed
5.10.99
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.22
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.8