CVE-2022-48726

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48726
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48726.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48726
Published
2024-06-20T11:13:15Z
Modified
2025-10-21T08:08:18.898530Z
Summary
RDMA/ucma: Protect mc during concurrent multicast leaves
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/ucma: Protect mc during concurrent multicast leaves

Partially revert the commit mentioned in the Fixes line to make sure that allocation and erasing multicast struct are locked.

BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579
Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529
CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
 ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579
 ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614
 ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732
 vfs_write+0x28e/0xae0 fs/read_write.c:588
 ksys_write+0x1ee/0x250 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Currently the xarray search can touch a concurrently freeing mc as the xa_for_each() is not surrounded by any lock. Rather than hold the lock for a full scan, hold it only for the affected items, which is usually an empty list.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
95fe51096b7adf1d1e7315c49c75e2f75f162584
Fixed
75c610212b9f1756b9384911d3a2c347eee8031c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
95fe51096b7adf1d1e7315c49c75e2f75f162584
Fixed
2923948ffe0835f7114e948b35bcc42bc9b3baa1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
95fe51096b7adf1d1e7315c49c75e2f75f162584
Fixed
ee2477e8ccd3d978eeac0dc5a981b286d9bb7b0a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
95fe51096b7adf1d1e7315c49c75e2f75f162584
Fixed
36e8169ec973359f671f9ec7213547059cae972e

Affected versions

v5.*

v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.11
v5.10.12
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.3
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.17-rc1
v5.9
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75c610212b9f1756b9384911d3a2c347eee8031c",
        "id": "CVE-2022-48726-3ab46a25",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "ucma_alloc_ctx",
            "file": "drivers/infiniband/core/ucma.c"
        },
        "signature_type": "Function",
        "digest": {
            "length": 430.0,
            "function_hash": "90649344114687098919317332722134091840"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ee2477e8ccd3d978eeac0dc5a981b286d9bb7b0a",
        "id": "CVE-2022-48726-717d5fc8",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "ucma_cleanup_multicast",
            "file": "drivers/infiniband/core/ucma.c"
        },
        "signature_type": "Function",
        "digest": {
            "length": 226.0,
            "function_hash": "53043868946418596090555698912593938965"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75c610212b9f1756b9384911d3a2c347eee8031c",
        "id": "CVE-2022-48726-7b051366",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "ucma_leave_multicast",
            "file": "drivers/infiniband/core/ucma.c"
        },
        "signature_type": "Function",
        "digest": {
            "length": 1056.0,
            "function_hash": "279568564441437086113708784552762738620"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ee2477e8ccd3d978eeac0dc5a981b286d9bb7b0a",
        "id": "CVE-2022-48726-883d9e56",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "ucma_leave_multicast",
            "file": "drivers/infiniband/core/ucma.c"
        },
        "signature_type": "Function",
        "digest": {
            "length": 1056.0,
            "function_hash": "279568564441437086113708784552762738620"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75c610212b9f1756b9384911d3a2c347eee8031c",
        "id": "CVE-2022-48726-8dba040d",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "ucma_process_join",
            "file": "drivers/infiniband/core/ucma.c"
        },
        "signature_type": "Function",
        "digest": {
            "length": 1670.0,
            "function_hash": "207430315606732822852992155948179578125"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75c610212b9f1756b9384911d3a2c347eee8031c",
        "id": "CVE-2022-48726-af5c96ad",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "ucma_cleanup_multicast",
            "file": "drivers/infiniband/core/ucma.c"
        },
        "signature_type": "Function",
        "digest": {
            "length": 226.0,
            "function_hash": "53043868946418596090555698912593938965"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ee2477e8ccd3d978eeac0dc5a981b286d9bb7b0a",
        "id": "CVE-2022-48726-b35f5336",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "ucma_alloc_ctx",
            "file": "drivers/infiniband/core/ucma.c"
        },
        "signature_type": "Function",
        "digest": {
            "length": 430.0,
            "function_hash": "90649344114687098919317332722134091840"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ee2477e8ccd3d978eeac0dc5a981b286d9bb7b0a",
        "id": "CVE-2022-48726-f992625a",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "ucma_process_join",
            "file": "drivers/infiniband/core/ucma.c"
        },
        "signature_type": "Function",
        "digest": {
            "length": 1670.0,
            "function_hash": "207430315606732822852992155948179578125"
        }
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.10.0
Fixed
5.10.99
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.22
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.8