CVE-2022-49869 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix possible crash in bnxt_hwrm_set_coal()
During the error recovery sequence, the rtnl_lock is not held for the entire duration and some datastructures may be freed during the sequence. Check for the BNXT_STATE_OPEN flag instead of netif_running() to ensure that the device is fully operational before proceeding to reconfigure the coalescing settings.
This will fix a possible crash like this:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI
CPU: 10 PID: 181276 Comm: ethtool Kdump: loaded Tainted: G IOE --------- - - 4.18.0-348.el8.x86_64 #1 Hardware name: Dell Inc. PowerEdge R740/0F9N89, BIOS 2.3.10 08/15/2019 RIP: 0010:bnxt_hwrm_set_coal+0x1fb/0x2a0 [bnxt_en]
Code: c2 66 83 4e 22 08 66 89 46 1c e8 10 cb 00 00 41 83 c6 01 44 39 b3 68 01 00 00 0f 8e a3 00 00 00 48 8b 93 c8 00 00 00 49 63 c6 8b 2c c2 48 8b 85 b8 02 00 00 48 85 c0 74 2e 48 8b 74 24 08 f6 RSP: 0018:ffffb11c8dcaba50 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8d168a8b0ac0 RCX: 00000000000000c5 RDX: 0000000000000000 RSI: ffff8d162f72c000 RDI: ffff8d168a8b0b28 RBP: 0000000000000000 R08: b6e1f68a12e9a7eb R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000037 R12: ffff8d168a8b109c R13: ffff8d168a8b10aa R14: 0000000000000000 R15: ffffffffc01ac4e0 FS: 00007f3852e4c740(0000) GS:ffff8d24c0080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000041b3ee003 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ethnl_set_coalesce+0x3ce/0x4c0 genl_family_rcv_msg_doit.isra.15+0x10f/0x150 genl_family_rcv_msg+0xb3/0x160 ? coalesce_fill_reply+0x480/0x480 genl_rcv_msg+0x47/0x90 ? genl_family_rcv_msg+0x160/0x160 netlink_rcv_skb+0x4c/0x120 genl_rcv+0x24/0x40 netlink_unicast+0x196/0x230 netlink_sendmsg+0x204/0x3d0 sock_sendmsg+0x4c/0x50 __sys_sendto+0xee/0x160 ? syscall_trace_enter+0x1d3/0x2c0 ? __audit_syscall_exit+0x249/0x2a0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x5b/0x1a0 entry_SYSCALL_64_after_hwframe+0x65/0xca RIP: 0033:0x7f38524163bb
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 08/15/2025
The vulnerability described in CVE-2022-49869 affects the Linux kernel's bnxt_en driver, which manages Broadcom network adapters. This issue manifests as a potential kernel crash occurring during the error recovery sequence when handling coalescing configuration changes through the bnxt_hwrm_set_coal() function. The root cause stems from improper locking mechanisms and state validation during device reconfiguration, creating a race condition that can lead to NULL pointer dereferences and system instability.
The technical flaw arises from the driver's insufficient handling of the rtnl_lock during error recovery operations. When the network device enters an error recovery state, the driver fails to maintain the rtnl_lock for the complete duration of the recovery sequence. This allows other kernel threads to potentially free or modify critical data structures while the bnxt_hwrm_set_coal() function attempts to access them, resulting in a NULL pointer dereference at address zero. The crash occurs when the function tries to access a freed network device structure, as evidenced by the kernel oops trace showing RIP pointing to the bnxt_hwrm_set_coal function.
This vulnerability has significant operational impact as it can cause system crashes and service interruptions in environments relying on Broadcom network adapters. The crash typically occurs when tools like ethtool attempt to modify coalescing parameters during network device operations, particularly in scenarios involving error recovery. The issue affects systems running kernel versions where this specific fix has not been applied, potentially compromising network reliability and system stability. The vulnerability is classified under CWE-476 as a NULL pointer dereference, representing a fundamental memory safety issue in kernel space operations.
The fix implemented addresses the race condition by replacing the netif_running() check with a BNXT_STATE_OPEN flag verification. This ensures that the device is fully operational and that all required data structures remain valid before proceeding with coalescing configuration changes. The solution follows established kernel development practices for state management and synchronization, preventing premature access to potentially freed resources during device recovery sequences. Organizations should apply the relevant kernel patches to mitigate this vulnerability and maintain network infrastructure stability. The fix aligns with ATT&CK technique T1499.001 for Network Denial of Service, as it prevents system crashes that could be exploited to disrupt network services.