CVE-2022-48745 in Linuxinfo

Summary

by MITRE • 06/20/2024

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Use del_timer_sync in fw reset flow of halting poll

Substitute del_timer() with del_timer_sync() in fw reset polling deactivation flow, in order to prevent a race condition which occurs when del_timer() is called and timer is deactivated while another process is handling the timer interrupt. A situation that led to the following call trace: RIP: 0010:run_timer_softirq+0x137/0x420 recalibrate_cpu_khz+0x10/0x10 ktime_get+0x3e/0xa0 ? sched_clock_cpu+0xb/0xc0 __do_softirq+0xf5/0x2ea irq_exit_rcu+0xc1/0xf0 sysvec_apic_timer_interrupt+0x9e/0xc0 asm_sysvec_apic_timer_interrupt+0x12/0x20

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/29/2025

The vulnerability described in CVE-2022-48745 represents a critical race condition within the Linux kernel's Mellanox ConnectX-5 network driver implementation. This issue specifically affects the firmware reset polling mechanism used by the mlx5 driver when managing hardware halting states. The flaw arises from an improper use of timer management functions that creates a window of opportunity for concurrent access violations during the firmware reset process. The vulnerability impacts systems utilizing Mellanox network adapters and can potentially lead to system instability or crashes during critical network operations.

The technical root cause stems from the incorrect usage of del_timer() function instead of del_timer_sync() within the firmware reset flow of the Mellanox driver. When del_timer() is invoked, it attempts to delete a timer without ensuring that any ongoing timer interrupt processing has completed. This creates a race condition where another process may be executing the timer interrupt handler while the timer deletion is in progress, leading to potential memory corruption or invalid memory access patterns. The kernel's timer subsystem maintains a soft interrupt handler called run_timer_softirq that processes expired timers, and when this handler is concurrently executing while del_timer() operates, it can result in accessing freed or improperly managed timer structures.

The operational impact of this vulnerability manifests through a specific call trace that demonstrates the kernel's soft interrupt processing chain being disrupted. The execution path shows the system reaching run_timer_softirq function which then calls recalibrate_cpu_khz followed by ktime_get, indicating that timer processing is interfering with system time calculations and CPU frequency calibration. This disruption occurs during the apic timer interrupt handling where sysvec_apic_timer_interrupt processes the hardware timer interrupt. The race condition can result in system crashes, kernel oops, or unpredictable behavior during firmware reset operations, particularly when multiple processes are accessing the network adapter simultaneously.

This vulnerability maps directly to CWE-362, which describes a race condition in concurrent programming where two or more processes access shared resources without proper synchronization, and aligns with ATT&CK technique T1490, which covers data destruction through system manipulation. The issue represents a fundamental flaw in kernel timer management that could be exploited to cause denial of service conditions or system instability. The problem is particularly concerning in enterprise environments where Mellanox network adapters are commonly deployed in high-throughput scenarios where firmware resets may occur during critical network operations.

The mitigation strategy involves implementing del_timer_sync() instead of del_timer() in the firmware reset polling deactivation flow. This change ensures that any pending timer interrupt processing completes before the timer is deleted, eliminating the race condition. System administrators should update to kernel versions containing this fix, typically available in kernel releases 5.19 and later. Organizations using Mellanox network adapters in production environments should prioritize patching to prevent potential system crashes during firmware reset operations, particularly in high-availability systems where network adapter reliability is critical. The fix represents a standard defensive programming practice that ensures proper synchronization between timer deletion and active interrupt processing, aligning with kernel development best practices for concurrent access control.

Disclosure

06/20/2024

Moderation

accepted

CPE

ready

EPSS

0.00178

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!