CVE-2022-49931 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
IB/hfi1: Correctly move list in sc_disable()
Commit 13bac861952a ("IB/hfi1: Fix abba locking issue with sc_disable()") incorrectly tries to move a list from one list head to another. The result is a kernel crash.
The crash is triggered when a link goes down and there are waiters for a send to complete. The following signature is seen:
BUG: kernel NULL pointer dereference, address: 0000000000000030 [...]
Call Trace: sc_disable+0x1ba/0x240 [hfi1]
pio_freeze+0x3d/0x60 [hfi1]
handle_freeze+0x27/0x1b0 [hfi1]
process_one_work+0x1b0/0x380 ? process_one_work+0x380/0x380 worker_thread+0x30/0x360 ? process_one_work+0x380/0x380 kthread+0xd7/0x100 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30
The fix is to use the correct call to move the list.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/15/2026
The vulnerability CVE-2022-49931 represents a critical kernel NULL pointer dereference in the Linux kernel's InfiniBand hardware driver hfi1 module. This flaw occurs within the sc_disable() function where an improper list manipulation operation leads to system crashes. The issue stems from commit 13bac861952a which attempted to address an ABBA locking issue but introduced a regression by incorrectly moving list elements between list heads. The kernel's memory management system encounters a NULL pointer access at address 0x0000000000000030, indicating a fundamental failure in list handling operations that should have been properly validated. This vulnerability specifically manifests when network link down events occur while there are pending send operations waiting for completion, creating a race condition scenario where list structures become corrupted during the disable process.
The technical implementation flaw involves improper list manipulation within the kernel's device driver framework, specifically in the context of InfiniBand hardware communication. The sc_disable() function is responsible for disabling send contexts and managing associated list operations, but the erroneous implementation fails to properly handle list head movements. This error violates standard kernel programming practices for list management and demonstrates a failure in proper synchronization mechanisms. The crash occurs through a well-defined call trace that begins with sc_disable() and progresses through pio_freeze(), handle_freeze(), and ultimately into the worker thread processing system, indicating a cascading failure that propagates through multiple kernel subsystems. The NULL pointer dereference at offset 0x30 suggests that the kernel attempted to access a structure member that should have been properly initialized but was instead left as a NULL reference due to the faulty list operation.
The operational impact of this vulnerability extends beyond simple system crashes to potentially compromise network reliability in high-performance computing environments that rely on InfiniBand infrastructure. Systems utilizing the hfi1 driver for high-speed data communication may experience unexpected termination when network link events occur, leading to service disruption and potential data loss. The vulnerability affects enterprise and research computing clusters where InfiniBand interconnects are commonly deployed for low-latency communication between compute nodes. The timing of the crash during link down events suggests that this vulnerability could be exploited by malicious actors to cause denial-of-service conditions, particularly in environments where network reliability is critical. The issue demonstrates a failure in kernel security model implementation where proper bounds checking and list validation mechanisms were not applied during the fix for the original ABBA locking problem.
The fix for CVE-2022-49931 requires reverting to proper list manipulation functions that correctly handle list head movements without causing memory corruption. This remediation addresses the underlying CWE-476 NULL pointer dereference issue and aligns with proper kernel development practices for list management operations. The solution must ensure that all list operations maintain proper integrity and that no dangling references are left in memory structures. Organizations should prioritize patching this vulnerability as it represents a direct threat to system stability in environments using InfiniBand hardware. The fix demonstrates the importance of thorough regression testing when addressing security issues, as the attempt to fix one problem inadvertently introduced a more serious crash condition. This vulnerability highlights the complexity of kernel-level programming where seemingly simple operations can have cascading effects throughout the system, emphasizing the need for comprehensive testing and validation of all kernel modifications. The remediation process should include verification that list operations maintain proper synchronization and that no memory corruption occurs during concurrent access scenarios typical in high-performance computing environments.