In the Linux kernel, the following vulnerability has been resolved:
IB/hfi1: Correctly move list in sc_disable()
Commit 13bac861952a ("IB/hfi1: Fix abba locking issue with sc_disable()") incorrectly tries to move a list from one list head to another. The result is a kernel crash.
The crash is triggered when a link goes down and there are waiters for a send to complete. The following signature is seen:
BUG: kernel NULL pointer dereference, address: 0000000000000030
[...]
Call Trace:
 sc_disable+0x1ba/0x240 [hfi1]
 pio_freeze+0x3d/0x60 [hfi1]
 handle_freeze+0x27/0x1b0 [hfi1]
 process_one_work+0x1b0/0x380
 ? process_one_work+0x380/0x380
 worker_thread+0x30/0x360
 ? process_one_work+0x380/0x380
 kthread+0xd7/0x100
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x1f/0x30
The fix is to use the correct call to move the list.
{ "vanir_signatures": [ { "signature_version": "v1", "signature_type": "Line", "target": { "file": "drivers/infiniband/hw/hfi1/pio.c" }, "id": "CVE-2022-49931-19a39d76", "digest": { "line_hashes": [ "169058833956044136832028991944334317293", "41399799742208005752127860946232990534", "182029559218215763534172523626842119947", "156652612923908311131509698024203170373", "265361805520359378120386553153351477070" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7c4260f8f188df32414a5ecad63e8b934c2aa3f0" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/infiniband/hw/hfi1/pio.c", "function": "sc_disable" }, "id": "CVE-2022-49931-29be3815", "digest": { "length": 1286.0, "function_hash": "270800319058777355057330736531587040685" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ba95409d6b580501ff6d78efd00064f7df669926" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "drivers/infiniband/hw/hfi1/pio.c" }, "id": "CVE-2022-49931-2fc17c73", "digest": { "line_hashes": [ "169058833956044136832028991944334317293", "41399799742208005752127860946232990534", "182029559218215763534172523626842119947", "156652612923908311131509698024203170373", "265361805520359378120386553153351477070" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1afac08b39d85437187bb2a92d89a741b1078f55" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/infiniband/hw/hfi1/pio.c", "function": "sc_disable" }, "id": "CVE-2022-49931-3deeff40", "digest": { "length": 1286.0, "function_hash": "270800319058777355057330736531587040685" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7c4260f8f188df32414a5ecad63e8b934c2aa3f0" }, { "signature_version": "v1", "signature_type": 
"Line", "target": { "file": "drivers/infiniband/hw/hfi1/pio.c" }, "id": "CVE-2022-49931-6a8e9604", "digest": { "line_hashes": [ "169058833956044136832028991944334317293", "41399799742208005752127860946232990534", "182029559218215763534172523626842119947", "156652612923908311131509698024203170373", "265361805520359378120386553153351477070" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ba95409d6b580501ff6d78efd00064f7df669926" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/infiniband/hw/hfi1/pio.c", "function": "sc_disable" }, "id": "CVE-2022-49931-74f09917", "digest": { "length": 1286.0, "function_hash": "270800319058777355057330736531587040685" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b8bcff99b07cc175a6ee12a52db51cdd2229586c" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/infiniband/hw/hfi1/pio.c", "function": "sc_disable" }, "id": "CVE-2022-49931-859e9701", "digest": { "length": 1286.0, "function_hash": "270800319058777355057330736531587040685" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@25760a41e3802f54aadcc31385543665ab349b8e" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/infiniband/hw/hfi1/pio.c", "function": "sc_disable" }, "id": "CVE-2022-49931-a1fc0375", "digest": { "length": 1286.0, "function_hash": "270800319058777355057330736531587040685" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1afac08b39d85437187bb2a92d89a741b1078f55" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "drivers/infiniband/hw/hfi1/pio.c" }, "id": "CVE-2022-49931-ad507f9a", "digest": { "line_hashes": [ "169058833956044136832028991944334317293", "41399799742208005752127860946232990534", 
"182029559218215763534172523626842119947", "156652612923908311131509698024203170373", "265361805520359378120386553153351477070" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@25760a41e3802f54aadcc31385543665ab349b8e" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "drivers/infiniband/hw/hfi1/pio.c" }, "id": "CVE-2022-49931-e6f8e010", "digest": { "line_hashes": [ "169058833956044136832028991944334317293", "41399799742208005752127860946232990534", "182029559218215763534172523626842119947", "156652612923908311131509698024203170373", "265361805520359378120386553153351477070" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b8bcff99b07cc175a6ee12a52db51cdd2229586c" } ] }