2420334 – (CVE-2022-50666) CVE-2022-50666 kernel: RDMA/siw: Fix QP destroy to wait for all references dropped

Bug 2420334 (CVE-2022-50666) - CVE-2022-50666 kernel: RDMA/siw: Fix QP destroy to wait for all references dropped

Summary: CVE-2022-50666 kernel: RDMA/siw: Fix QP destroy to wait for all references dr...

Keywords:
Status:	NEW
Alias:	CVE-2022-50666
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-09 02:03 UTC by OSIDB Bzimport
Modified:	2025-12-16 00:34 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-09 02:03:43 UTC

In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix QP destroy to wait for all references dropped.

Delay QP destroy completion until all siw references to QP are
dropped. The calling RDMA core will free QP structure after
successful return from siw_qp_destroy() call, so siw must not
hold any remaining reference to the QP upon return.
A use-after-free was encountered in xfstest generic/460, while
testing NFSoRDMA. Here, after a TCP connection drop by peer,
the triggered siw_cm_work_handler got delayed until after
QP destroy call, referencing a QP which has already freed.

Comment 1 Alexander B 2025-12-09 19:52:15 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120944-CVE-2022-50666-0d75@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.