CVE-2022-48884 in Linux
Summary
by MITRE • 08/21/2024
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix command stats access after free
A command may fail while the driver is reloading and cannot accept FW commands until the command interface is reinitialized. Such a command failure is logged to the command stats. This results in a NULL pointer access, as the command stats structure is freed and reallocated during mlx5 devlink reload (see kernel log below).
Fix it by making command stats statically allocated on driver probe.
Kernel log:
[ 2394.808802] BUG: unable to handle kernel paging request at 000000000002a9c0
[ 2394.810610] PGD 0 P4D 0
[ 2394.811811] Oops: 0002 [#1] SMP NOPTI
... [ 2394.815482] RIP: 0010:native_queued_spin_lock_slowpath+0x183/0x1d0
... [ 2394.829505] Call Trace:
[ 2394.830667] _raw_spin_lock_irq+0x23/0x26
[ 2394.831858] cmd_status_err+0x55/0x110 [mlx5_core]
[ 2394.833020] mlx5_access_reg+0xe7/0x150 [mlx5_core]
[ 2394.834175] mlx5_query_port_ptys+0x78/0xa0 [mlx5_core]
[ 2394.835337] mlx5e_ethtool_get_link_ksettings+0x74/0x590 [mlx5_core]
[ 2394.836454] ? kmem_cache_alloc_trace+0x140/0x1c0
[ 2394.837562] __rh_call_get_link_ksettings+0x33/0x100
[ 2394.838663] ? __rtnl_unlock+0x25/0x50
[ 2394.839755] __ethtool_get_link_ksettings+0x72/0x150
[ 2394.840862] duplex_show+0x6e/0xc0
[ 2394.841963] dev_attr_show+0x1c/0x40
[ 2394.843048] sysfs_kf_seq_show+0x9b/0x100
[ 2394.844123] seq_read+0x153/0x410
[ 2394.845187] vfs_read+0x91/0x140
[ 2394.846226] ksys_read+0x4f/0xb0
[ 2394.847234] do_syscall_64+0x5b/0x1a0
[ 2394.848228] entry_SYSCALL_64_after_hwframe+0x65/0xca
Analysis
by VulDB Data Team • 02/17/2026
CVE-2022-48884 affects the Linux kernel's mlx5 network driver, which serves the Mellanox ConnectX family of network adapters. The issue arises during driver reload operations when command statistics are accessed after the underlying data structure has been freed and reallocated. It manifests as a NULL pointer dereference that produces a kernel oops and system instability. The root cause is that the command statistics structure is dynamically allocated and freed during the devlink reload process, while the command-failure logging path may still try to write to it, so freeing the structure races with the error path that records failed commands.
The technical flaw stems from memory tied to the wrong lifetime: the statistics structure followed the command interface's reload cycle rather than the driver's. When the mlx5 driver is reloaded through the devlink interface, the command statistics structure is freed ahead of reallocation. If commands fail during this transitional period, the error handling code tries to log the failure into the command statistics, which no longer exist. The result is a classic use-after-free that can corrupt kernel memory and crash the system. In the kernel log above, the access is reached through an ordinary sysfs read of the interface's duplex attribute (duplex_show, via the ethtool link-settings path and mlx5_query_port_ptys), and the fault occurs in cmd_status_err within mlx5_core, where the driver tries to take a spinlock inside a stats entry that has already been torn down.
The operational impact is significant for systems that rely on Mellanox adapters, particularly where dynamic driver reloading is common or network configuration changes are frequent. The vulnerability can crash the system, causing service disruption and potential data loss. Attackers could potentially exploit it to cause denial of service, especially on high-availability systems where network reliability is critical. The issue is particularly concerning in data center environments, where Mellanox adapters are widely deployed and driver reloads may occur during maintenance windows or automatic updates. Because the fault occurs inside the kernel's network device subsystem, its effect is not confined to the adapter or the driver but reaches the stability of the kernel as a whole.
The fix makes the command statistics structure statically allocated at driver probe rather than allocated and freed during runtime reload. This removes the window between deallocation and access, so the statistics remain valid for the driver's entire lifetime. The approach follows sound kernel memory-management practice: avoid dynamic allocation where a resource's lifetime is hard to guarantee across concurrent paths. The weakness corresponds to CWE-416, which addresses use-after-free vulnerabilities, and relates to ATT&CK technique T1499.001, which involves network denial of service attacks that can be facilitated by kernel-level vulnerabilities. Organizations running Mellanox ConnectX adapters should prioritize applying this fix to mitigate the risk of system instability and ensure continued network functionality.
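The following user-space model, added here as an illustration and not taken from the mlx5 driver, contrasts the pre-fix layout (stats behind a pointer that reload frees and reallocates) with the post-fix layout (stats embedded for the driver's lifetime); all names, the CMD_OP_MAX value and the simulated reload sequence are assumptions of the model.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#define CMD_OP_MAX 8   /* assumed opcode count for this model */

/* One counter block per command opcode (a stand-in for the driver's stats entry). */
struct cmd_stats { unsigned long failed; unsigned long last_status; };
/* Pre-fix layout: stats sit behind a pointer that reload frees and reallocates. */
struct cmd_dyn { struct cmd_stats *stats; };
/* Post-fix layout: stats are embedded and live exactly as long as the parent. */
struct cmd_fixed { struct cmd_stats stats[CMD_OP_MAX]; };

/* Pre-fix lifecycle: cleanup frees and NULLs the stats, init allocates fresh ones. */
static bool dyn_init(struct cmd_dyn *cmd) { cmd->stats = calloc(CMD_OP_MAX, sizeof(*cmd->stats)); return cmd->stats != NULL; }
static void dyn_cleanup(struct cmd_dyn *cmd) { free(cmd->stats); cmd->stats = NULL; }

/* Pre-fix error path. The real one had no NULL check, so a command failing while
 * stats was NULL (the reload window) touched NULL + offset, the near-NULL fault
 * address in the oops above. The check here keeps the model runnable instead. */
static bool dyn_log_failure(struct cmd_dyn *cmd, int op, unsigned long status)
{
    if (!cmd->stats) return false;      /* the window the CVE describes */
    cmd->stats[op].failed++;
    cmd->stats[op].last_status = status;
    return true;
}

/* Post-fix: reload resets the counters in place; nothing is ever freed. */
static void fixed_reload(struct cmd_fixed *cmd) { memset(cmd->stats, 0, sizeof(cmd->stats)); }
static bool fixed_log_failure(struct cmd_fixed *cmd, int op, unsigned long status)
{
    cmd->stats[op].failed++;
    cmd->stats[op].last_status = status;
    return true;
}
/* A command fails mid-reload; each returns whether logging found valid stats memory. */
static bool fail_during_reload_dyn(void)
{
    struct cmd_dyn cmd = { 0 };
    dyn_init(&cmd);
    dyn_cleanup(&cmd);                           /* reload: old stats freed  */
    bool ok = dyn_log_failure(&cmd, 1, 0x10);   /* FW command fails here    */
    dyn_init(&cmd); dyn_cleanup(&cmd);           /* reload: reallocate, tidy */
    return ok;
}
static bool fail_during_reload_fixed(void)
{
    struct cmd_fixed cmd;
    fixed_reload(&cmd);                          /* reload touches no pointers */
    return fixed_log_failure(&cmd, 1, 0x10) && cmd.stats[1].failed == 1;
}
```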