cve/published/2022/CVE-2022-49930.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49930: RDMA/hns: Fix NULL pointer problem in free_mr_init()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 RDMA/hns: Fix NULL pointer problem in free_mr_init()

 Lock grab occurs in a concurrent scenario, resulting in stepping on a NULL
 pointer.  It should be init mutex_init() first before use the lock.

   Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
   Call trace:
    __mutex_lock.constprop.0+0xd0/0x5c0
    __mutex_lock_slowpath+0x1c/0x2c
    mutex_lock+0x44/0x50
    free_mr_send_cmd_to_hw+0x7c/0x1c0 [hns_roce_hw_v2]
    hns_roce_v2_dereg_mr+0x30/0x40 [hns_roce_hw_v2]
    hns_roce_dereg_mr+0x4c/0x130 [hns_roce_hw_v2]
    ib_dereg_mr_user+0x54/0x124
    uverbs_free_mr+0x24/0x30
    destroy_hw_idr_uobject+0x38/0x74
    uverbs_destroy_uobject+0x48/0x1c4
    uobj_destroy+0x74/0xcc
    ib_uverbs_cmd_verbs+0x368/0xbb0
    ib_uverbs_ioctl+0xec/0x1a4
    __arm64_sys_ioctl+0xb4/0x100
    invoke_syscall+0x50/0x120
    el0_svc_common.constprop.0+0x58/0x190
    do_el0_svc+0x30/0x90
    el0_svc+0x2c/0xb4
    el0t_64_sync_handler+0x1a4/0x1b0
    el0t_64_sync+0x19c/0x1a0

 The Linux kernel CVE team has assigned CVE-2022-49930 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.18 with commit 70f92521584f1d1e8268311ee84413307b0fdea8 and fixed in 6.0.8 with commit 0e23e85d86b78e734dd6654f1b69fbaeb5534c81
 	Issue introduced in 5.18 with commit 70f92521584f1d1e8268311ee84413307b0fdea8 and fixed in 6.1 with commit 12bcaf87d8b66d8cd812479c8a6349dcb245375c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49930
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/hw/hns/hns_roce_hw_v2.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0e23e85d86b78e734dd6654f1b69fbaeb5534c81
 	https://git.kernel.org/stable/c/12bcaf87d8b66d8cd812479c8a6349dcb245375c
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49930: RDMA/hns: Fix NULL pointer problem in free_mr_init()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	RDMA/hns: Fix NULL pointer problem in free_mr_init()

	Lock grab occurs in a concurrent scenario, resulting in stepping on a NULL
	pointer. It should be init mutex_init() first before use the lock.

	Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
	Call trace:
	__mutex_lock.constprop.0+0xd0/0x5c0
	__mutex_lock_slowpath+0x1c/0x2c
	mutex_lock+0x44/0x50
	free_mr_send_cmd_to_hw+0x7c/0x1c0 [hns_roce_hw_v2]
	hns_roce_v2_dereg_mr+0x30/0x40 [hns_roce_hw_v2]
	hns_roce_dereg_mr+0x4c/0x130 [hns_roce_hw_v2]
	ib_dereg_mr_user+0x54/0x124
	uverbs_free_mr+0x24/0x30
	destroy_hw_idr_uobject+0x38/0x74
	uverbs_destroy_uobject+0x48/0x1c4
	uobj_destroy+0x74/0xcc
	ib_uverbs_cmd_verbs+0x368/0xbb0
	ib_uverbs_ioctl+0xec/0x1a4
	__arm64_sys_ioctl+0xb4/0x100
	invoke_syscall+0x50/0x120
	el0_svc_common.constprop.0+0x58/0x190
	do_el0_svc+0x30/0x90
	el0_svc+0x2c/0xb4
	el0t_64_sync_handler+0x1a4/0x1b0
	el0t_64_sync+0x19c/0x1a0

	The Linux kernel CVE team has assigned CVE-2022-49930 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.18 with commit 70f92521584f1d1e8268311ee84413307b0fdea8 and fixed in 6.0.8 with commit 0e23e85d86b78e734dd6654f1b69fbaeb5534c81
	Issue introduced in 5.18 with commit 70f92521584f1d1e8268311ee84413307b0fdea8 and fixed in 6.1 with commit 12bcaf87d8b66d8cd812479c8a6349dcb245375c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49930
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/hw/hns/hns_roce_hw_v2.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0e23e85d86b78e734dd6654f1b69fbaeb5534c81
	https://git.kernel.org/stable/c/12bcaf87d8b66d8cd812479c8a6349dcb245375c