CVE-2022-48811 in Linux

Summary

by MITRE • 07/16/2024

In the Linux kernel, the following vulnerability has been resolved:

ibmvnic: don't release napi in __ibmvnic_open()

If __ibmvnic_open() encounters an error such as when setting link state, it calls release_resources() which frees the napi structures needlessly. Instead, have __ibmvnic_open() only clean up the work it did so far (i.e. disable napi and irqs) and leave the rest to the callers.

If the caller of __ibmvnic_open() is ibmvnic_open(), it should release the resources immediately. If the caller is do_reset() or do_hard_reset(), they will release the resources on the next reset.

This fixes the following crash that occurred when running the drmgr command several times to add/remove a vnic interface:

[102056] ibmvnic 30000003 env3: Disabling rx_scrq[6] irq
[102056] ibmvnic 30000003 env3: Disabling rx_scrq[7] irq
[102056] ibmvnic 30000003 env3: Replenished 8 pools
Kernel attempted to read user page (10) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000010
Faulting instruction address: 0xc000000000a3c840
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
...
CPU: 9 PID: 102056 Comm: kworker/9:2 Kdump: loaded Not tainted 5.16.0-rc5-autotest-g6441998e2e37 #1
Workqueue: events_long __ibmvnic_reset [ibmvnic]
NIP: c000000000a3c840 LR: c0080000029b5378 CTR: c000000000a3c820
REGS: c0000000548e37e0 TRAP: 0300 Not tainted (5.16.0-rc5-autotest-g6441998e2e37)
MSR: 8000000000009033 CR: 28248484 XER: 00000004
CFAR: c0080000029bdd24 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0
GPR00: c0080000029b55d0 c0000000548e3a80 c0000000028f0200 0000000000000000
...
NIP [c000000000a3c840] napi_enable+0x20/0xc0
LR [c0080000029b5378] __ibmvnic_open+0xf0/0x430 [ibmvnic]
Call Trace:
[c0000000548e3a80] [0000000000000006] 0x6 (unreliable)
[c0000000548e3ab0] [c0080000029b55d0] __ibmvnic_open+0x348/0x430 [ibmvnic]
[c0000000548e3b40] [c0080000029bcc28] __ibmvnic_reset+0x500/0xdf0 [ibmvnic]
[c0000000548e3c60] [c000000000176228] process_one_work+0x288/0x570
[c0000000548e3d00] [c000000000176588] worker_thread+0x78/0x660
[c0000000548e3da0] [c0000000001822f0] kthread+0x1c0/0x1d0
[c0000000548e3e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64
Instruction dump:
7d2948f8 792307e0 4e800020 60000000 3c4c01eb 384239e0 f821ffd1 39430010
38a0fff6 e92d1100 f9210028 39200000 f9010020 60420000 e9210020
---[ end trace 5f8033b08fd27706 ]---


Analysis

by VulDB Data Team • 09/25/2025

CVE-2022-48811 affects the Linux kernel's IBM Virtual NIC (ibmvnic) driver and represents a critical issue in resource management during network interface initialization. The flaw manifests when __ibmvnic_open() encounters an error while configuring the link state and then cleans up its network processing structures incorrectly: the function releases the NAPI structures even though it did not allocate them, which leads to kernel crashes and potential system instability. It specifically impacts systems running IBM PowerVM virtualization, where the ibmvnic driver manages virtual network interfaces that are added and removed through drmgr (dynamic reconfiguration manager) commands.

The technical root cause lies in the handling of resource cleanup within the driver's open function. When __ibmvnic_open() fails during link state setup, it invokes release_resources(), which prematurely frees the NAPI structures that should remain intact for later use. A subsequent operation that touches those already-released structures then dereferences a NULL pointer. The crash occurs at instruction address 0xc000000000a3c840 inside napi_enable(): the oops reports a kernel read of user page 0x10, which is a NULL pointer dereference at offset 0x10 of a pointer that no longer points to a valid structure. The stack trace shows the call sequence originating in __ibmvnic_reset(), demonstrating how the improper cleanup propagates through the driver's reset mechanism.

This vulnerability maps directly to CWE-476, which describes NULL pointer dereference conditions, and is aligned here with ATT&CK technique T1059.001 for command and scripting interpreter execution that could be exploited through kernel-level crashes. The operational impact extends beyond a single system crash to potential denial of service conditions in which virtual network interfaces become permanently unavailable. The issue is particularly dangerous in virtualized environments where multiple vNIC interfaces are managed dynamically through drmgr commands, since repeated add/remove operations can trigger the crash cycle. Attackers could potentially exploit this vulnerability to cause system instability or force kernel panics, disrupting network services in virtualized server environments.

The fix changes the resource management flow so that __ibmvnic_open() cleans up only the work it performed itself, rather than releasing every structure including the NAPI components that must persist. When __ibmvnic_open() fails, it now disables NAPI and interrupts but leaves the network processing structures allocated. Cleanup is then handled by whichever caller owns the resources: ibmvnic_open() releases them immediately, while do_reset() and do_hard_reset() defer the release until the next reset cycle. This prevents the kernel from accessing freed NAPI structures and eliminates the NULL pointer dereference that caused the crashes. The mitigation follows established practice for kernel module development: each function undoes only the state it set up, so resource lifecycles remain consistent and no cleanup step can invalidate state that another owner still relies on.
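To make the ownership rule concrete, here is an added userspace model of the before/after behaviour described in this analysis. It is not the kernel's code: struct vnic_adapter, napi_slot, the *_all() helpers and the fail_set_link knob are simplified stand-ins for the driver's structures and functions, and the reset_sequence() harness stands in for the reset worker that retries the open. The NULL read that the real kernel turns into an oops is detected and reported as a return code instead.

```c
/* Added example, not kernel code: a userspace model of the resource-ownership
 * bug this commit fixes. struct vnic_adapter, napi_slot and the helpers below
 * are simplified stand-ins for the driver's real structures and functions. */
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

#define NUM_QUEUES 2
enum { OPEN_OK = 0, OPEN_ERR_LINK = -1, OPEN_NULL_DEREF = -2, OPEN_ERR_ALLOC = -3 };

struct napi_slot { bool enabled; };

struct vnic_adapter {
    struct napi_slot *napi; /* owned by init_napi()/release_napi(), not by open */
    bool irqs_enabled;
    bool fail_set_link;     /* constructed fault knob: make set_link_state() fail */
};

static int init_napi(struct vnic_adapter *a) {
    a->napi = calloc(NUM_QUEUES, sizeof(*a->napi));
    return a->napi ? OPEN_OK : OPEN_ERR_ALLOC;
}

/* Like the driver's release_napi(): free the array and clear the pointer. */
static void release_napi(struct vnic_adapter *a) {
    free(a->napi);
    a->napi = NULL;
}

static void release_resources(struct vnic_adapter *a) {
    release_napi(a);
    a->irqs_enabled = false;
}

/* Stand-in for napi_enable(): the kernel reads a field of *napi here, which is
 * the read at offset 0x10 of a NULL pointer in the oops. The model reports it. */
static int napi_enable_all(struct vnic_adapter *a) {
    if (!a->napi)
        return OPEN_NULL_DEREF;
    for (int i = 0; i < NUM_QUEUES; i++)
        a->napi[i].enabled = true;
    return OPEN_OK;
}

static void napi_disable_all(struct vnic_adapter *a) {
    for (int i = 0; i < NUM_QUEUES; i++)
        a->napi[i].enabled = false;
}

static int set_link_state(struct vnic_adapter *a) {
    return a->fail_set_link ? OPEN_ERR_LINK : OPEN_OK;
}

/* Before the fix: a link-state error tears everything down, napi included. */
static int open_before_fix(struct vnic_adapter *a) {
    int rc = napi_enable_all(a);
    if (rc)
        return rc;
    a->irqs_enabled = true;
    if ((rc = set_link_state(a)) != OPEN_OK)
        release_resources(a); /* frees napi that the caller still expects to own */
    return rc;
}

/* After the fix: undo only this function's own work; napi stays allocated. */
static int open_after_fix(struct vnic_adapter *a) {
    int rc = napi_enable_all(a);
    if (rc)
        return rc;
    a->irqs_enabled = true;
    if ((rc = set_link_state(a)) != OPEN_OK) {
        napi_disable_all(a);
        a->irqs_enabled = false;
    }
    return rc;
}

/* Model of the reset worker: one failed open, then a retry that, like
 * do_reset(), does not reallocate napi because it believes it still owns it. */
static int reset_sequence(int (*open_fn)(struct vnic_adapter *)) {
    struct vnic_adapter a = {0};
    int rc = init_napi(&a);
    if (rc)
        return rc;
    a.fail_set_link = true;
    rc = open_fn(&a);             /* first attempt fails in set_link_state() */
    if (rc == OPEN_ERR_LINK) {
        a.fail_set_link = false;
        rc = open_fn(&a);         /* retry: NULL deref before the fix, OK after */
    }
    release_resources(&a);        /* the caller's cleanup, as on the next reset */
    return rc;
}

int main(void) {
    printf("before fix: rc=%d\nafter fix:  rc=%d\n",
           reset_sequence(open_before_fix), reset_sequence(open_after_fix));
    return 0;
}
```

The model reproduces the sequence in the oops: the first open fails in set_link_state(), the buggy version frees adapter->napi on the way out, and the reset worker's retry walks into napi_enable() with a NULL pointer. The fixed version disables NAPI and interrupts but leaves the allocation to the owner, so the retry succeeds and the caller releases the resources once, at the point it chose.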

Responsible

Linux

Reservation

07/16/2024

Disclosure

07/16/2024

Moderation

accepted

CPE

ready

EPSS

0.00268

KEV

no

Activities

very low
