CVE-2022-50062
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/06/2025
Last modified:
18/06/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: bgmac: Fix a BUG triggered by wrong bytes_compl<br />
<br />
On one of our machines we got:<br />
<br />
kernel BUG at lib/dynamic_queue_limits.c:27!<br />
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM<br />
CPU: 0 PID: 1166 Comm: irq/41-bgmac Tainted: G W O 4.14.275-rt132 #1<br />
Hardware name: BRCM XGS iProc<br />
task: ee3415c0 task.stack: ee32a000<br />
PC is at dql_completed+0x168/0x178<br />
LR is at bgmac_poll+0x18c/0x6d8<br />
pc : [] lr : [] psr: 800a0313<br />
sp : ee32be14 ip : 000005ea fp : 00000bd4<br />
r10: ee558500 r9 : c0116298 r8 : 00000002<br />
r7 : 00000000 r6 : ef128810 r5 : 01993267 r4 : 01993851<br />
r3 : ee558000 r2 : 000070e1 r1 : 00000bd4 r0 : ee52c180<br />
Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none<br />
Control: 12c5387d Table: 8e88c04a DAC: 00000051<br />
Process irq/41-bgmac (pid: 1166, stack limit = 0xee32a210)<br />
Stack: (0xee32be14 to 0xee32c000)<br />
be00: ee558520 ee52c100 ef128810<br />
be20: 00000000 00000002 c0116298 c04b5a18 00000000 c0a0c8c4 c0951780 00000040<br />
be40: c0701780 ee558500 ee55d520 ef05b340 ef6f9780 ee558520 00000001 00000040<br />
be60: ffffe000 c0a56878 ef6fa040 c0952040 0000012c c0528744 ef6f97b0 fffcfb6a<br />
be80: c0a04104 2eda8000 c0a0c4ec c0a0d368 ee32bf44 c0153534 ee32be98 ee32be98<br />
bea0: ee32bea0 ee32bea0 ee32bea8 ee32bea8 00000000 c01462e4 ffffe000 ef6f22a8<br />
bec0: ffffe000 00000008 ee32bee4 c0147430 ffffe000 c094a2a8 00000003 ffffe000<br />
bee0: c0a54528 00208040 0000000c c0a0c8c4 c0a65980 c0124d3c 00000008 ee558520<br />
bf00: c094a23c c0a02080 00000000 c07a9910 ef136970 ef136970 ee30a440 ef136900<br />
bf20: ee30a440 00000001 ef136900 ee30a440 c016d990 00000000 c0108db0 c012500c<br />
bf40: ef136900 c016da14 ee30a464 ffffe000 00000001 c016dd14 00000000 c016db28<br />
bf60: ffffe000 ee21a080 ee30a400 00000000 ee32a000 ee30a440 c016dbfc ee25fd70<br />
bf80: ee21a09c c013edcc ee32a000 ee30a400 c013ec7c 00000000 00000000 00000000<br />
bfa0: 00000000 00000000 00000000 c0108470 00000000 00000000 00000000 00000000<br />
bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000<br />
bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000<br />
[] (dql_completed) from [] (bgmac_poll+0x18c/0x6d8)<br />
[] (bgmac_poll) from [] (net_rx_action+0x1c4/0x494)<br />
[] (net_rx_action) from [] (do_current_softirqs+0x1ec/0x43c)<br />
[] (do_current_softirqs) from [] (__local_bh_enable+0x80/0x98)<br />
[] (__local_bh_enable) from [] (irq_forced_thread_fn+0x84/0x98)<br />
[] (irq_forced_thread_fn) from [] (irq_thread+0x118/0x1c0)<br />
[] (irq_thread) from [] (kthread+0x150/0x158)<br />
[] (kthread) from [] (ret_from_fork+0x14/0x24)<br />
Code: a83f15e0 0200001a 0630a0e1 c3ffffea (f201f0e7)<br />
<br />
The issue seems similar to commit 90b3b339364c ("net: hisilicon: Fix a BUG<br />
trigered by wrong bytes_compl") and potentially introduced by commit<br />
b38c83dd0866 ("bgmac: simplify tx ring index handling").<br />
<br />
If there is an RX interrupt between setting ring->end<br />
and netdev_sent_queue() we can hit the BUG_ON as bgmac_dma_tx_free()<br />
can miscalculate the queue size while called from bgmac_poll().<br />
<br />
The machine which triggered the BUG runs a v4.14 RT kernel - but the issue<br />
seems present in mainline too.
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1b7680c6c1f6de9904f1d9b05c952f0c64a03350
- https://git.kernel.org/stable/c/ab2b55bb25db289ba0b68e3d58494476bdb1041d
- https://git.kernel.org/stable/c/ac6d4482f29ab992b605c1b4bd1347f1f679f4e4
- https://git.kernel.org/stable/c/c506c9a97120f43257e9b3ce7b1f9a24eafc3787
- https://git.kernel.org/stable/c/da1421a29d3b8681ba6a7f686bd0b40dda5acaf3