Bug 2363363 (CVE-2022-49925) - CVE-2022-49925 kernel: RDMA/core: Fix null-ptr-deref in ib_core_cleanup()
Summary: CVE-2022-49925 kernel: RDMA/core: Fix null-ptr-deref in ib_core_cleanup()
Keywords:
Status: NEW
Alias: CVE-2022-49925
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-05-01 15:01 UTC by OSIDB Bzimport
Modified: 2025-05-02 06:59 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-05-01 15:01:30 UTC 
In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Fix null-ptr-deref in ib_core_cleanup()

KASAN reported a null-ptr-deref error:

  KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
  CPU: 1 PID: 379
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
  RIP: 0010:destroy_workqueue+0x2f/0x740
  RSP: 0018:ffff888016137df8 EFLAGS: 00000202
  ...
  Call Trace:
   ib_core_cleanup+0xa/0xa1 [ib_core]
   __do_sys_delete_module.constprop.0+0x34f/0x5b0
   do_syscall_64+0x3a/0x90
   entry_SYSCALL_64_after_hwframe+0x63/0xcd
  RIP: 0033:0x7fa1a0d221b7
  ...

It is because the fail of roce_gid_mgmt_init() is ignored:

 ib_core_init()
   roce_gid_mgmt_init()
     gid_cache_wq = alloc_ordered_workqueue # fail
 ...
 ib_core_cleanup()
   roce_gid_mgmt_cleanup()
     destroy_workqueue(gid_cache_wq)
     # destroy an unallocated wq

Fix this by catching the fail of roce_gid_mgmt_init() in ib_core_init().
Comment 1 Avinash Hanwate 2025-05-02 04:04:37 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025050110-CVE-2022-49925-2485@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.