github - ghsa-gjhx-8fr4-rcc6

GHSA-GJHX-8FR4-RCC6

Vulnerability from github – Published: 2025-12-24 15:30 – Updated: 2025-12-24 15:30

Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix possible use-after-free in async command interface

mlx5_cmd_cleanup_async_ctx should return only after all its callback handlers were completed. Before this patch, the below race between mlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and lead to a use-after-free:

mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e. elevated by 1, a single inflight callback).
mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1.
mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and is about to call wake_up().
mlx5_cmd_cleanup_async_ctx calls wait_event, which returns immediately as the condition (num_inflight == 0) holds.
mlx5_cmd_cleanup_async_ctx returns.
The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx object.
mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed object.

Fix it by syncing using a completion object. Mark it completed when num_inflight reaches 0.

Trace:

BUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270 Read of size 4 at addr ffff888139cd12f4 by task swapper/5/0

CPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x57/0x7d print_report.cold+0x2d5/0x684 ? do_raw_spin_lock+0x23d/0x270 kasan_report+0xb1/0x1a0 ? do_raw_spin_lock+0x23d/0x270 do_raw_spin_lock+0x23d/0x270 ? rwlock_bug.part.0+0x90/0x90 ? __delete_object+0xb8/0x100 ? lock_downgrade+0x6e0/0x6e0 _raw_spin_lock_irqsave+0x43/0x60 ? __wake_up_common_lock+0xb9/0x140 __wake_up_common_lock+0xb9/0x140 ? __wake_up_common+0x650/0x650 ? destroy_tis_callback+0x53/0x70 [mlx5_core] ? kasan_set_track+0x21/0x30 ? destroy_tis_callback+0x53/0x70 [mlx5_core] ? kfree+0x1ba/0x520 ? do_raw_spin_unlock+0x54/0x220 mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core] ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core] ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core] mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core] ? dump_command+0xcc0/0xcc0 [mlx5_core] ? lockdep_hardirqs_on_prepare+0x400/0x400 ? cmd_comp_notifier+0x7e/0xb0 [mlx5_core] cmd_comp_notifier+0x7e/0xb0 [mlx5_core] atomic_notifier_call_chain+0xd7/0x1d0 mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core] atomic_notifier_call_chain+0xd7/0x1d0 ? irq_release+0x140/0x140 [mlx5_core] irq_int_handler+0x19/0x30 [mlx5_core] __handle_irq_event_percpu+0x1f2/0x620 handle_irq_event+0xb2/0x1d0 handle_edge_irq+0x21e/0xb00 __common_interrupt+0x79/0x1a0 common_interrupt+0x78/0xa0 asm_common_interrupt+0x22/0x40 RIP: 0010:default_idle+0x42/0x60 Code: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07 0f 00 2d e0 9f 48 00 fb f4 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00 RSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242 RAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110 RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc RBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3 R10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005 R13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000 ? default_idle_call+0xcc/0x450 default_idle_call+0xec/0x450 do_idle+0x394/0x450 ? arch_cpu_idle_exit+0x40/0x40 ? do_idle+0x17/0x450 cpu_startup_entry+0x19/0x20 start_secondary+0x221/0x2b0 ? set_cpu_sibling_map+0x2070/0x2070 secondary_startup_64_no_verify+0xcd/0xdb

Allocated by task 49502: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 kvmalloc_node+0x48/0xe0 mlx5e_bulk_async_init+0x35/0x110 [mlx5_core] mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core] mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core] mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core] mlx5e_detach_netdev+0x1c ---truncated---

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-50726"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-24T13:15:59Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix possible use-after-free in async command interface\n\nmlx5_cmd_cleanup_async_ctx should return only after all its callback\nhandlers were completed. Before this patch, the below race between\nmlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and\nlead to a use-after-free:\n\n1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e.\n   elevated by 1, a single inflight callback).\n2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1.\n3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and\n   is about to call wake_up().\n4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns\n   immediately as the condition (num_inflight == 0) holds.\n5. mlx5_cmd_cleanup_async_ctx returns.\n6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx\n   object.\n7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed\n   object.\n\nFix it by syncing using a completion object. Mark it completed when\nnum_inflight reaches 0.\n\nTrace:\n\nBUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270\nRead of size 4 at addr ffff888139cd12f4 by task swapper/5/0\n\nCPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x57/0x7d\n print_report.cold+0x2d5/0x684\n ? do_raw_spin_lock+0x23d/0x270\n kasan_report+0xb1/0x1a0\n ? do_raw_spin_lock+0x23d/0x270\n do_raw_spin_lock+0x23d/0x270\n ? rwlock_bug.part.0+0x90/0x90\n ? __delete_object+0xb8/0x100\n ? lock_downgrade+0x6e0/0x6e0\n _raw_spin_lock_irqsave+0x43/0x60\n ? __wake_up_common_lock+0xb9/0x140\n __wake_up_common_lock+0xb9/0x140\n ? __wake_up_common+0x650/0x650\n ? destroy_tis_callback+0x53/0x70 [mlx5_core]\n ? kasan_set_track+0x21/0x30\n ? destroy_tis_callback+0x53/0x70 [mlx5_core]\n ? kfree+0x1ba/0x520\n ? do_raw_spin_unlock+0x54/0x220\n mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core]\n ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]\n ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]\n mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core]\n ? dump_command+0xcc0/0xcc0 [mlx5_core]\n ? lockdep_hardirqs_on_prepare+0x400/0x400\n ? cmd_comp_notifier+0x7e/0xb0 [mlx5_core]\n cmd_comp_notifier+0x7e/0xb0 [mlx5_core]\n atomic_notifier_call_chain+0xd7/0x1d0\n mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core]\n atomic_notifier_call_chain+0xd7/0x1d0\n ? irq_release+0x140/0x140 [mlx5_core]\n irq_int_handler+0x19/0x30 [mlx5_core]\n __handle_irq_event_percpu+0x1f2/0x620\n handle_irq_event+0xb2/0x1d0\n handle_edge_irq+0x21e/0xb00\n __common_interrupt+0x79/0x1a0\n common_interrupt+0x78/0xa0\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_common_interrupt+0x22/0x40\nRIP: 0010:default_idle+0x42/0x60\nCode: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07 0f 00 2d e0 9f 48 00 fb f4 \u003cc3\u003e 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00\nRSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242\nRAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110\nRDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc\nRBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3\nR10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005\nR13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000\n ? default_idle_call+0xcc/0x450\n default_idle_call+0xec/0x450\n do_idle+0x394/0x450\n ? arch_cpu_idle_exit+0x40/0x40\n ? do_idle+0x17/0x450\n cpu_startup_entry+0x19/0x20\n start_secondary+0x221/0x2b0\n ? set_cpu_sibling_map+0x2070/0x2070\n secondary_startup_64_no_verify+0xcd/0xdb\n \u003c/TASK\u003e\n\nAllocated by task 49502:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n kvmalloc_node+0x48/0xe0\n mlx5e_bulk_async_init+0x35/0x110 [mlx5_core]\n mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core]\n mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core]\n mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core]\n mlx5e_detach_netdev+0x1c\n---truncated---",
  "id": "GHSA-gjhx-8fr4-rcc6",
  "modified": "2025-12-24T15:30:32Z",
  "published": "2025-12-24T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50726"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0aa3ee1e4e5c9ed5dda11249450d609c3072c54e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/69dd3ad406c49aa69ce4852c15231ac56af8caf9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ab3de780c176bb91995c6166a576b370d9726e17"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bacd22df95147ed673bec4692ab2d4d585935241"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bbcc06933f35651294ea1e963757502312c2171f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2022-50726 (GCVE-0-2022-50726)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22

Title

net/mlx5: Fix possible use-after-free in async command interface

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix possible use-after-free in async command interface mlx5_cmd_cleanup_async_ctx should return only after all its callback handlers were completed. Before this patch, the below race between mlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and lead to a use-after-free: 1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e. elevated by 1, a single inflight callback). 2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1. 3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and is about to call wake_up(). 4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns immediately as the condition (num_inflight == 0) holds. 5. mlx5_cmd_cleanup_async_ctx returns. 6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx object. 7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed object. Fix it by syncing using a completion object. Mark it completed when num_inflight reaches 0. Trace: BUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270 Read of size 4 at addr ffff888139cd12f4 by task swapper/5/0 CPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0x57/0x7d print_report.cold+0x2d5/0x684 ? do_raw_spin_lock+0x23d/0x270 kasan_report+0xb1/0x1a0 ? do_raw_spin_lock+0x23d/0x270 do_raw_spin_lock+0x23d/0x270 ? rwlock_bug.part.0+0x90/0x90 ? __delete_object+0xb8/0x100 ? lock_downgrade+0x6e0/0x6e0 _raw_spin_lock_irqsave+0x43/0x60 ? __wake_up_common_lock+0xb9/0x140 __wake_up_common_lock+0xb9/0x140 ? __wake_up_common+0x650/0x650 ? destroy_tis_callback+0x53/0x70 [mlx5_core] ? kasan_set_track+0x21/0x30 ? destroy_tis_callback+0x53/0x70 [mlx5_core] ? kfree+0x1ba/0x520 ? do_raw_spin_unlock+0x54/0x220 mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core] ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core] ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core] mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core] ? dump_command+0xcc0/0xcc0 [mlx5_core] ? lockdep_hardirqs_on_prepare+0x400/0x400 ? cmd_comp_notifier+0x7e/0xb0 [mlx5_core] cmd_comp_notifier+0x7e/0xb0 [mlx5_core] atomic_notifier_call_chain+0xd7/0x1d0 mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core] atomic_notifier_call_chain+0xd7/0x1d0 ? irq_release+0x140/0x140 [mlx5_core] irq_int_handler+0x19/0x30 [mlx5_core] __handle_irq_event_percpu+0x1f2/0x620 handle_irq_event+0xb2/0x1d0 handle_edge_irq+0x21e/0xb00 __common_interrupt+0x79/0x1a0 common_interrupt+0x78/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 RIP: 0010:default_idle+0x42/0x60 Code: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07 0f 00 2d e0 9f 48 00 fb f4 <c3> 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00 RSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242 RAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110 RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc RBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3 R10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005 R13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000 ? default_idle_call+0xcc/0x450 default_idle_call+0xec/0x450 do_idle+0x394/0x450 ? arch_cpu_idle_exit+0x40/0x40 ? do_idle+0x17/0x450 cpu_startup_entry+0x19/0x20 start_secondary+0x221/0x2b0 ? set_cpu_sibling_map+0x2070/0x2070 secondary_startup_64_no_verify+0xcd/0xdb </TASK> Allocated by task 49502: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 kvmalloc_node+0x48/0xe0 mlx5e_bulk_async_init+0x35/0x110 [mlx5_core] mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core] mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core] mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core] mlx5e_detach_netdev+0x1c ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/69dd3ad406c49aa69…
	https://git.kernel.org/stable/c/bbcc06933f3565129…
	https://git.kernel.org/stable/c/ab3de780c176bb919…
	https://git.kernel.org/stable/c/0aa3ee1e4e5c9ed5d…
	https://git.kernel.org/stable/c/bacd22df95147ed67…

Impacted products

Vendor

Product

Version

Linux

Affected: e355477ed9e4f401e3931043df97325d38552d54 , < 69dd3ad406c49aa69ce4852c15231ac56af8caf9 (git)
Affected: e355477ed9e4f401e3931043df97325d38552d54 , < bbcc06933f35651294ea1e963757502312c2171f (git)
Affected: e355477ed9e4f401e3931043df97325d38552d54 , < ab3de780c176bb91995c6166a576b370d9726e17 (git)
Affected: e355477ed9e4f401e3931043df97325d38552d54 , < 0aa3ee1e4e5c9ed5dda11249450d609c3072c54e (git)
Affected: e355477ed9e4f401e3931043df97325d38552d54 , < bacd22df95147ed673bec4692ab2d4d585935241 (git)

Linux

Affected: 5.1
Unaffected: 0 , < 5.1 (semver)
Unaffected: 5.4.223 , ≤ 5.4.* (semver)
Unaffected: 5.10.153 , ≤ 5.10.* (semver)
Unaffected: 5.15.77 , ≤ 5.15.* (semver)
Unaffected: 6.0.7 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/cmd.c",
            "include/linux/mlx5/driver.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "69dd3ad406c49aa69ce4852c15231ac56af8caf9",
              "status": "affected",
              "version": "e355477ed9e4f401e3931043df97325d38552d54",
              "versionType": "git"
            },
            {
              "lessThan": "bbcc06933f35651294ea1e963757502312c2171f",
              "status": "affected",
              "version": "e355477ed9e4f401e3931043df97325d38552d54",
              "versionType": "git"
            },
            {
              "lessThan": "ab3de780c176bb91995c6166a576b370d9726e17",
              "status": "affected",
              "version": "e355477ed9e4f401e3931043df97325d38552d54",
              "versionType": "git"
            },
            {
              "lessThan": "0aa3ee1e4e5c9ed5dda11249450d609c3072c54e",
              "status": "affected",
              "version": "e355477ed9e4f401e3931043df97325d38552d54",
              "versionType": "git"
            },
            {
              "lessThan": "bacd22df95147ed673bec4692ab2d4d585935241",
              "status": "affected",
              "version": "e355477ed9e4f401e3931043df97325d38552d54",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/cmd.c",
            "include/linux/mlx5/driver.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.1"
            },
            {
              "lessThan": "5.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.223",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.153",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.223",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.153",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.77",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.7",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix possible use-after-free in async command interface\n\nmlx5_cmd_cleanup_async_ctx should return only after all its callback\nhandlers were completed. Before this patch, the below race between\nmlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and\nlead to a use-after-free:\n\n1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e.\n   elevated by 1, a single inflight callback).\n2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1.\n3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and\n   is about to call wake_up().\n4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns\n   immediately as the condition (num_inflight == 0) holds.\n5. mlx5_cmd_cleanup_async_ctx returns.\n6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx\n   object.\n7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed\n   object.\n\nFix it by syncing using a completion object. Mark it completed when\nnum_inflight reaches 0.\n\nTrace:\n\nBUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270\nRead of size 4 at addr ffff888139cd12f4 by task swapper/5/0\n\nCPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x57/0x7d\n print_report.cold+0x2d5/0x684\n ? do_raw_spin_lock+0x23d/0x270\n kasan_report+0xb1/0x1a0\n ? do_raw_spin_lock+0x23d/0x270\n do_raw_spin_lock+0x23d/0x270\n ? rwlock_bug.part.0+0x90/0x90\n ? __delete_object+0xb8/0x100\n ? lock_downgrade+0x6e0/0x6e0\n _raw_spin_lock_irqsave+0x43/0x60\n ? __wake_up_common_lock+0xb9/0x140\n __wake_up_common_lock+0xb9/0x140\n ? __wake_up_common+0x650/0x650\n ? destroy_tis_callback+0x53/0x70 [mlx5_core]\n ? kasan_set_track+0x21/0x30\n ? destroy_tis_callback+0x53/0x70 [mlx5_core]\n ? kfree+0x1ba/0x520\n ? do_raw_spin_unlock+0x54/0x220\n mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core]\n ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]\n ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]\n mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core]\n ? dump_command+0xcc0/0xcc0 [mlx5_core]\n ? lockdep_hardirqs_on_prepare+0x400/0x400\n ? cmd_comp_notifier+0x7e/0xb0 [mlx5_core]\n cmd_comp_notifier+0x7e/0xb0 [mlx5_core]\n atomic_notifier_call_chain+0xd7/0x1d0\n mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core]\n atomic_notifier_call_chain+0xd7/0x1d0\n ? irq_release+0x140/0x140 [mlx5_core]\n irq_int_handler+0x19/0x30 [mlx5_core]\n __handle_irq_event_percpu+0x1f2/0x620\n handle_irq_event+0xb2/0x1d0\n handle_edge_irq+0x21e/0xb00\n __common_interrupt+0x79/0x1a0\n common_interrupt+0x78/0xa0\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_common_interrupt+0x22/0x40\nRIP: 0010:default_idle+0x42/0x60\nCode: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07 0f 00 2d e0 9f 48 00 fb f4 \u003cc3\u003e 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00\nRSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242\nRAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110\nRDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc\nRBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3\nR10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005\nR13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000\n ? default_idle_call+0xcc/0x450\n default_idle_call+0xec/0x450\n do_idle+0x394/0x450\n ? arch_cpu_idle_exit+0x40/0x40\n ? do_idle+0x17/0x450\n cpu_startup_entry+0x19/0x20\n start_secondary+0x221/0x2b0\n ? set_cpu_sibling_map+0x2070/0x2070\n secondary_startup_64_no_verify+0xcd/0xdb\n \u003c/TASK\u003e\n\nAllocated by task 49502:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n kvmalloc_node+0x48/0xe0\n mlx5e_bulk_async_init+0x35/0x110 [mlx5_core]\n mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core]\n mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core]\n mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core]\n mlx5e_detach_netdev+0x1c\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T12:22:47.625Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/69dd3ad406c49aa69ce4852c15231ac56af8caf9"
        },
        {
          "url": "https://git.kernel.org/stable/c/bbcc06933f35651294ea1e963757502312c2171f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab3de780c176bb91995c6166a576b370d9726e17"
        },
        {
          "url": "https://git.kernel.org/stable/c/0aa3ee1e4e5c9ed5dda11249450d609c3072c54e"
        },
        {
          "url": "https://git.kernel.org/stable/c/bacd22df95147ed673bec4692ab2d4d585935241"
        }
      ],
      "title": "net/mlx5: Fix possible use-after-free in async command interface",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50726",
    "datePublished": "2025-12-24T12:22:47.625Z",
    "dateReserved": "2025-12-24T12:20:40.330Z",
    "dateUpdated": "2025-12-24T12:22:47.625Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-GJHX-8FR4-RCC6

CVE-2022-50726 (GCVE-0-2022-50726)

Tags

Sightings

Nomenclature