CVE-2022-50135
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-50135
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50135.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-50135
- Downstream
- Related
- Published
- 2025-06-18T11:02:59Z
- Modified
- 2025-10-15T01:00:40.773148Z
- Summary
- RDMA/rxe: Fix BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix BUG: KASAN: null-ptr-deref in rxeqpdo_cleanup
The function rxecreateqp calls rxeqpfrominit. If some error occurs, the error handler of function rxeqpfrominit will set both scq and rcq to NULL.
Then rxecreateqp calls rxeput to handle qp. In the end, rxeqpdocleanup is called by rxeput. rxeqpdocleanup directly accesses scq and rcq before checking them. This will cause null-ptr-deref error.
The call graph is as below:
rxecreateqp { ... rxeqpfrom_init { ... err1: ... qp->rcq = NULL; <---rcq is set to NULL qp->scq = NULL; <---scq is set to NULL ... }
qpinit: rxeput{ ... rxeqpdocleanup { ... atomicdec(&qp->scq->numwq); <--- scq is accessed ... atomicdec(&qp->rcq->num_wq); <--- rcq is accessed } }
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4703b4f0d94a5f887297713a2f6c2916a1ef08fdFixed8598b9d0a364c1663c96fc0fab9df0d36c809aea
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4703b4f0d94a5f887297713a2f6c2916a1ef08fdFixed37da51efe6eaa0560f46803c8c436a48a2084da7
Affected versions
v5.*
Database specific
{
"vanir_signatures": [
{
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "drivers/infiniband/sw/rxe/rxe_qp.c"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"226342261042179374414313169037708310314",
"242176827479330768453633884799693873336",
"72043626323502189326020694097014645299",
"131190699720453133640151297602078896820",
"7015701075104297965115190708391366511",
"69457843410641479038303761456185538170",
"279340280463835208824008327092786105757",
"297953459482672177259543274051963587472",
"200679065833461899764907561691694263577"
],
"threshold": 0.9
},
"id": "CVE-2022-50135-52f6b165",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8598b9d0a364c1663c96fc0fab9df0d36c809aea"
},
{
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "drivers/infiniband/sw/rxe/rxe_qp.c",
"function": "rxe_qp_do_cleanup"
},
"signature_version": "v1",
"digest": {
"length": 1103.0,
"function_hash": "85596953725648081262643967563417009532"
},
"id": "CVE-2022-50135-605bf6ee",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8598b9d0a364c1663c96fc0fab9df0d36c809aea"
},
{
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "drivers/infiniband/sw/rxe/rxe_qp.c",
"function": "rxe_qp_do_cleanup"
},
"signature_version": "v1",
"digest": {
"length": 1103.0,
"function_hash": "85596953725648081262643967563417009532"
},
"id": "CVE-2022-50135-d319d988",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@37da51efe6eaa0560f46803c8c436a48a2084da7"
},
{
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "drivers/infiniband/sw/rxe/rxe_qp.c"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"226342261042179374414313169037708310314",
"242176827479330768453633884799693873336",
"72043626323502189326020694097014645299",
"131190699720453133640151297602078896820",
"7015701075104297965115190708391366511",
"69457843410641479038303761456185538170",
"279340280463835208824008327092786105757",
"297953459482672177259543274051963587472",
"200679065833461899764907561691694263577"
],
"threshold": 0.9
},
"id": "CVE-2022-50135-e786e556",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@37da51efe6eaa0560f46803c8c436a48a2084da7"
}
]
}