CVE-2022-49223
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-49223
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49223.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-49223
- Downstream
- Published
- 2025-02-26T01:55:54Z
- Modified
- 2025-10-21T09:32:19.477677Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- cxl/port: Hold port reference until decoder release
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
cxl/port: Hold port reference until decoder release
KASAN + DEBUGKOBJECTRELEASE reports a potential use-after-free in cxldecoderrelease() where it goes to reference its parent, a cxlport, to free its id back to port->decoderida.
BUG: KASAN: use-after-free in tocxlport+0x18/0x90 [cxl_core] Read of size 8 at addr ffff888119270908 by task kworker/35:2/379
CPU: 35 PID: 379 Comm: kworker/35:2 Tainted: G OE 5.17.0-rc2+ #198 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Workqueue: events kobjectdelayedcleanup Call Trace: <TASK> dumpstacklvl+0x59/0x73 printaddressdescription.constprop.0+0x1f/0x150 ? tocxlport+0x18/0x90 [cxlcore] kasanreport.cold+0x83/0xdf ? tocxlport+0x18/0x90 [cxlcore] tocxlport+0x18/0x90 [cxlcore] cxldecoderrelease+0x2a/0x60 [cxlcore] devicerelease+0x5f/0x100 kobject_cleanup+0x80/0x1c0
The device core only guarantees parent lifetime until all children are unregistered. If a child needs a parent to complete its ->release() callback that child needs to hold a reference to extend the lifetime of the parent.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/49f2dab77a5e1354f5da6ccdc9346a8212697be2
- https://git.kernel.org/stable/c/518bb96367123062b48b0a9842f2864249b565f6
- https://git.kernel.org/stable/c/74be98774dfbc5b8b795db726bd772e735d2edd4
- https://git.kernel.org/stable/c/b0022ca445d5fc4d0c89d15dcd0f855977b22c1d
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced40ba17afdfabb01688c61565dbe02a916241bc05Fixed518bb96367123062b48b0a9842f2864249b565f6
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced40ba17afdfabb01688c61565dbe02a916241bc05Fixedb0022ca445d5fc4d0c89d15dcd0f855977b22c1d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced40ba17afdfabb01688c61565dbe02a916241bc05Fixed49f2dab77a5e1354f5da6ccdc9346a8212697be2
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced40ba17afdfabb01688c61565dbe02a916241bc05Fixed74be98774dfbc5b8b795db726bd772e735d2edd4
Affected versions
v5.*
v5.13
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.15
v5.16.16
v5.16.17
v5.16.18
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1
Database specific
vanir_signatures
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@74be98774dfbc5b8b795db726bd772e735d2edd4",
"id": "CVE-2022-49223-0187a67f",
"deprecated": false,
"target": {
"function": "cxl_decoder_release",
"file": "drivers/cxl/core/port.c"
},
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 190.0,
"function_hash": "184949549709428652182050181632607069236"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@49f2dab77a5e1354f5da6ccdc9346a8212697be2",
"id": "CVE-2022-49223-0b231784",
"deprecated": false,
"target": {
"file": "drivers/cxl/core/port.c"
},
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"99625847498769245767717041243194565912",
"180578019265865061007594361637686053136",
"305065724944873368281596826084358289888",
"168541421599142187368410167724080616843",
"256774140306661272040013417035376056186",
"93542143870594961663905837376129655592",
"339241739164872928739527557501977843369",
"53678571442987489994413230172155007517"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@49f2dab77a5e1354f5da6ccdc9346a8212697be2",
"id": "CVE-2022-49223-0f508f8d",
"deprecated": false,
"target": {
"function": "cxl_decoder_release",
"file": "drivers/cxl/core/port.c"
},
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 190.0,
"function_hash": "184949549709428652182050181632607069236"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b0022ca445d5fc4d0c89d15dcd0f855977b22c1d",
"id": "CVE-2022-49223-120b3aca",
"deprecated": false,
"target": {
"function": "cxl_decoder_release",
"file": "drivers/cxl/core/bus.c"
},
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 190.0,
"function_hash": "184949549709428652182050181632607069236"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@518bb96367123062b48b0a9842f2864249b565f6",
"id": "CVE-2022-49223-31a358db",
"deprecated": false,
"target": {
"file": "drivers/cxl/core/bus.c"
},
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"99625847498769245767717041243194565912",
"180578019265865061007594361637686053136",
"305065724944873368281596826084358289888",
"168541421599142187368410167724080616843",
"81160888996921898208435095849106230325",
"148698539667649090167424460440779261139",
"65543983757371966789125081198656053212"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b0022ca445d5fc4d0c89d15dcd0f855977b22c1d",
"id": "CVE-2022-49223-369b1f68",
"deprecated": false,
"target": {
"file": "drivers/cxl/core/bus.c"
},
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"99625847498769245767717041243194565912",
"180578019265865061007594361637686053136",
"305065724944873368281596826084358289888",
"168541421599142187368410167724080616843",
"256774140306661272040013417035376056186",
"93542143870594961663905837376129655592",
"339241739164872928739527557501977843369",
"53678571442987489994413230172155007517"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@49f2dab77a5e1354f5da6ccdc9346a8212697be2",
"id": "CVE-2022-49223-38e8a6f7",
"deprecated": false,
"target": {
"function": "cxl_decoder_alloc",
"file": "drivers/cxl/core/port.c"
},
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 747.0,
"function_hash": "86152051439172279896103040913885293356"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@518bb96367123062b48b0a9842f2864249b565f6",
"id": "CVE-2022-49223-551b9a07",
"deprecated": false,
"target": {
"function": "cxl_decoder_release",
"file": "drivers/cxl/core/bus.c"
},
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 190.0,
"function_hash": "184949549709428652182050181632607069236"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@74be98774dfbc5b8b795db726bd772e735d2edd4",
"id": "CVE-2022-49223-688c075e",
"deprecated": false,
"target": {
"function": "cxl_decoder_alloc",
"file": "drivers/cxl/core/port.c"
},
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 1019.0,
"function_hash": "217436788770895300367712696002382175954"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@74be98774dfbc5b8b795db726bd772e735d2edd4",
"id": "CVE-2022-49223-834e109b",
"deprecated": false,
"target": {
"file": "drivers/cxl/core/port.c"
},
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"99625847498769245767717041243194565912",
"180578019265865061007594361637686053136",
"197107951296373861132922292001694773466",
"127904391996218628204500964301577816649",
"256774140306661272040013417035376056186",
"93542143870594961663905837376129655592",
"96242963155928287286163244561039999807",
"108880836588865442481760738081940301180"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b0022ca445d5fc4d0c89d15dcd0f855977b22c1d",
"id": "CVE-2022-49223-ddc0e11c",
"deprecated": false,
"target": {
"function": "cxl_decoder_alloc",
"file": "drivers/cxl/core/bus.c"
},
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 747.0,
"function_hash": "86152051439172279896103040913885293356"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@518bb96367123062b48b0a9842f2864249b565f6",
"id": "CVE-2022-49223-ff49d591",
"deprecated": false,
"target": {
"function": "cxl_decoder_alloc",
"file": "drivers/cxl/core/bus.c"
},
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 1207.0,
"function_hash": "39518428701235621863202642317736300140"
}
}
]