Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2022-50726

Опубликовано: 24 дек. 2025
Источник: nvd
EPSS Низкий

Описание

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix possible use-after-free in async command interface

mlx5_cmd_cleanup_async_ctx should return only after all its callback handlers were completed. Before this patch, the below race between mlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and lead to a use-after-free:

  1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e. elevated by 1, a single inflight callback).
  2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1.
  3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and is about to call wake_up().
  4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns immediately as the condition (num_inflight == 0) holds.
  5. mlx5_cmd_cleanup_async_ctx returns.
  6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx object.
  7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed object.

Fix it by syncing using a comp

Ссылки

EPSS

Процентиль: 7%
0.00026
Низкий

Дефекты

Связанные уязвимости

ubuntu логотип

CVE-2022-50726

ubuntu
около 2 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix possible use-after-free in async command interface mlx5_cmd_cleanup_async_ctx should return only after all its callback handlers were completed. Before this patch, the below race between mlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and lead to a use-after-free: 1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e. elevated by 1, a single inflight callback). 2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1. 3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and is about to call wake_up(). 4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns immediately as the condition (num_inflight == 0) holds. 5. mlx5_cmd_cleanup_async_ctx returns. 6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx object. 7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed object. Fix it by syncing using a completion object. M...

debian логотип

CVE-2022-50726

debian
около 2 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: n ...

github логотип

GHSA-gjhx-8fr4-rcc6

github
около 2 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix possible use-after-free in async command interface mlx5_cmd_cleanup_async_ctx should return only after all its callback handlers were completed. Before this patch, the below race between mlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and lead to a use-after-free: 1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e. elevated by 1, a single inflight callback). 2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1. 3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and is about to call wake_up(). 4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns immediately as the condition (num_inflight == 0) holds. 5. mlx5_cmd_cleanup_async_ctx returns. 6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx object. 7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed object. Fix it by syncing using a c...

suse-cvrf логотип

SUSE-SU-2026:0317-1

suse-cvrf
10 дней назад

Security update for the Linux Kernel

EPSS

Процентиль: 7%
0.00026
Низкий

Дефекты