CVE-2022-50002

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50002
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50002.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50002
Published
2025-06-18T11:01:02Z
Modified
2025-10-21T11:33:39.267611Z
Summary
net/mlx5: LAG, fix logic over MLX5_LAG_FLAG_NDEVS_READY
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: LAG, fix logic over MLX5_LAG_FLAG_NDEVS_READY

Only set MLX5_LAG_FLAG_NDEVS_READY if both netdevices are registered. Doing so guarantees that both ldev->pf[MLX5_LAG_P0].dev and ldev->pf[MLX5_LAG_P1].dev have valid pointers when MLX5_LAG_FLAG_NDEVS_READY is set.

The core issue is asymmetry in setting MLX5_LAG_FLAG_NDEVS_READY and clearing it. Setting it is done wrongly when both ldev->pf[MLX5_LAG_P0].dev and ldev->pf[MLX5_LAG_P1].dev are set; clearing it is done right when either of ldev->pf[i].netdev is cleared.

Consider the following scenario:

1. PF0 loads and sets ldev->pf[MLX5_LAG_P0].dev to a valid pointer.
2. PF1 loads and sets both ldev->pf[MLX5_LAG_P1].dev and ldev->pf[MLX5_LAG_P1].netdev with valid pointers. This results in MLX5_LAG_FLAG_NDEVS_READY being set.
3. PF0 is unloaded before setting dev->pf[MLX5_LAG_P0].netdev. MLX5_LAG_FLAG_NDEVS_READY remains set.

Further execution of mlx5_do_bond() will result in a null pointer dereference when calling mlx5_lag_is_multipath().

This patch fixes the following call trace actually encountered:

[ 1293.475195] BUG: kernel NULL pointer dereference, address: 00000000000009a8
[ 1293.478756] #PF: supervisor read access in kernel mode
[ 1293.481320] #PF: error_code(0x0000) - not-present page
[ 1293.483686] PGD 0 P4D 0
[ 1293.484434] Oops: 0000 [#1] SMP PTI
[ 1293.485377] CPU: 1 PID: 23690 Comm: kworker/u16:2 Not tainted 5.18.0-rc5forupstreammindebug202205051013 #1
[ 1293.488039] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 1293.490836] Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core]
[ 1293.492448] RIP: 0010:mlx5_lag_is_multipath+0x5/0x50 [mlx5_core]
[ 1293.494044] Code: e8 70 40 ff e0 48 8b 14 24 48 83 05 5c 1a 1b 00 01 e9 19 ff ff ff 48 83 05 47 1a 1b 00 01 eb d7 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 87 a8 09 00 00 48 85 c0 74 26 48 83 05 a7 1b 1b 00 01 41 b8
[ 1293.498673] RSP: 0018:ffff88811b2fbe40 EFLAGS: 00010202
[ 1293.500152] RAX: ffff88818a94e1c0 RBX: ffff888165eca6c0 RCX: 0000000000000000
[ 1293.501841] RDX: 0000000000000001 RSI: ffff88818a94e1c0 RDI: 0000000000000000
[ 1293.503585] RBP: 0000000000000000 R08: ffff888119886740 R09: ffff888165eca73c
[ 1293.505286] R10: 0000000000000018 R11: 0000000000000018 R12: ffff88818a94e1c0
[ 1293.506979] R13: ffff888112729800 R14: 0000000000000000 R15: ffff888112729858
[ 1293.508753] FS: 0000000000000000(0000) GS:ffff88852cc40000(0000) knlGS:0000000000000000
[ 1293.510782] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1293.512265] CR2: 00000000000009a8 CR3: 00000001032d4002 CR4: 0000000000370ea0
[ 1293.514001] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1293.515806] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
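
The set/clear asymmetry from the scenario above, as an added example: a simplified userspace C model, not the mlx5 driver's code and not part of the original advisory. All struct, function and constant names are illustrative assumptions; the `fixed` switch makes the readiness check read `.netdev` instead of `.dev`, following the description in the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace model of the flag logic; all names here are
 * illustrative assumptions, not the mlx5 driver's definitions. */
enum { P0, P1, MAX_PORTS };
#define NDEVS_READY 0x1u
struct pf  { void *dev, *netdev; };
struct lag { struct pf pf[MAX_PORTS]; unsigned int flags; };

/* Register a netdev, then decide readiness. 'fixed' selects which field the
 * check reads: .dev (as described for the bug) or .netdev (the fix). */
static void add_netdev(struct lag *l, int i, void *nd, bool fixed)
{
    l->pf[i].netdev = nd;
    for (int n = 0; n < MAX_PORTS; n++)
        if (!(fixed ? l->pf[n].netdev : l->pf[n].dev))
            return;
    l->flags |= NDEVS_READY;
}

/* Unload a PF: the flag is cleared only when a netdev is actually removed. */
static void remove_pf(struct lag *l, int i)
{
    if (l->pf[i].netdev) {
        l->pf[i].netdev = NULL;
        l->flags &= ~NDEVS_READY;
    }
    l->pf[i].dev = NULL;
}

/* Replays the three steps; true means the flag is set while a netdev is NULL. */
static bool stale_ready(bool fixed)
{
    static int pf0_dev, pf1_dev, pf1_netdev;    /* constructed dummy objects */
    struct lag l = {0};
    l.pf[P0].dev = &pf0_dev;                    /* 1. PF0 loads (dev only) */
    l.pf[P1].dev = &pf1_dev;                    /* 2. PF1 loads ... */
    add_netdev(&l, P1, &pf1_netdev, fixed);     /*    ... and adds its netdev */
    remove_pf(&l, P0);                          /* 3. PF0 unloads, no netdev */
    return (l.flags & NDEVS_READY) && (!l.pf[P0].netdev || !l.pf[P1].netdev);
}

int main(void)
{
    printf("before fix: %d, after fix: %d\n", stale_ready(false), stale_ready(true));
    return 0;
}
```

In the model, a consumer that trusts the flag and then reads `pf[P0].netdev` is the analogue of the worker dereferencing a NULL pointer in the trace above.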

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8a66e45859797e5dd77ff17dd37781f99d5f5b9b
Fixed
4c040acf5744e87a7b3490f9ec8bedd0d15c9f29
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8a66e45859797e5dd77ff17dd37781f99d5f5b9b
Fixed
a6e675a66175869b7d87c0e1dd0ddf93e04f8098

Affected versions

v5.*

v5.13
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.19.1
v5.19.2
v5.19.3
v5.19.4
v5.19.5

v6.*

v6.0-rc1

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a6e675a66175869b7d87c0e1dd0ddf93e04f8098",
        "target": {
            "file": "drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c"
        },
        "deprecated": false,
        "id": "CVE-2022-50002-d328d7b7",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "244836975710970810572247394376218961188",
                "146884441248979059526382081022941525809",
                "80640604009129686690790850908945210196",
                "310391456851284057932879171380286937501"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4c040acf5744e87a7b3490f9ec8bedd0d15c9f29",
        "target": {
            "file": "drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c"
        },
        "deprecated": false,
        "id": "CVE-2022-50002-de5d0504",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "244836975710970810572247394376218961188",
                "146884441248979059526382081022941525809",
                "80640604009129686690790850908945210196",
                "310391456851284057932879171380286937501"
            ]
        },
        "signature_type": "Line"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.14.0
Fixed
5.19.6