CVE-2022-50135

MEDIUM

Linux Kernel 5.19-5.19.1 - Null Pointer Dereference in rxe_qp_do_cleanup

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup

The function rxe_create_qp calls rxe_qp_from_init. If some error occurs, the error handler of function rxe_qp_from_init will set both scq and rcq to NULL.

Then rxe_create_qp calls rxe_put to handle qp. In the end, rxe_qp_do_cleanup is called by rxe_put. rxe_qp_do_cleanup directly accesses scq and rcq before checking them. This will cause null-ptr-deref error.

The call graph is as below:

    rxe_create_qp {
      ...
      rxe_qp_from_init {
        ...
      err1:
        ...
        qp->rcq = NULL;  <---rcq is set to NULL
        qp->scq = NULL;  <---scq is set to NULL
        ...
      }

    qp_init:
      rxe_put{
        ...
        rxe_qp_do_cleanup {
          ...
          atomic_dec(&qp->scq->num_wq); <--- scq is accessed
          ...
          atomic_dec(&qp->rcq->num_wq); <--- rcq is accessed
        }
    }
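The failure path described above, as an added user-space model that is not the kernel's code or the upstream patch: a cleanup routine that checks each completion-queue pointer before touching it, so a queue pair whose init failed can still be torn down. The `model_` function names, the plain `int` counters and the counter rollback in the error path are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: model_* names are hypothetical stand-ins for the rxe
 * functions named in the description; plain ints replace atomic counters. */
struct cq { int num_wq; };
struct qp { struct cq *scq, *rcq; };

/* Models rxe_qp_from_init. Assumption: counters are bumped on entry and
 * rolled back on error; the page only states that err1 NULLs both pointers. */
static int model_qp_from_init(struct qp *qp, struct cq *scq, struct cq *rcq, int fail)
{
    qp->scq = scq;
    qp->rcq = rcq;
    scq->num_wq++;
    rcq->num_wq++;
    if (fail) {
        scq->num_wq--;
        rcq->num_wq--;
        qp->rcq = NULL;   /* rcq is set to NULL */
        qp->scq = NULL;   /* scq is set to NULL */
        return -1;
    }
    return 0;
}

/* Guarded cleanup. The unguarded form (qp->scq->num_wq-- with no check)
 * dereferences NULL after a failed init. Returns counters released. */
static int model_qp_do_cleanup(struct qp *qp)
{
    int released = 0;
    if (qp->scq) { qp->scq->num_wq--; qp->scq = NULL; released++; }
    if (qp->rcq) { qp->rcq->num_wq--; qp->rcq = NULL; released++; }
    return released;
}

/* Models rxe_create_qp: a failed init still reaches cleanup (via rxe_put). */
static int model_create_qp(struct qp *qp, struct cq *scq, struct cq *rcq, int fail)
{
    int err = model_qp_from_init(qp, scq, rcq, fail);
    if (err)
        model_qp_do_cleanup(qp);
    return err;
}

int main(void)
{
    struct cq s = {0}, r = {0};
    struct qp q = {0};
    int err = model_create_qp(&q, &s, &r, 1);
    printf("failed create: err=%d num_wq=%d/%d\n", err, s.num_wq, r.num_wq);
    return 0;
}
```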

Scores

CVSS v3 5.5
EPSS 0.0018
EPSS Percentile 7.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-476
Status published
Products (8)
linux/Kernel 5.19.0 - 5.19.2
Linux/Linux < 5.19
Linux/Linux 4703b4f0d94a5f887297713a2f6c2916a1ef08fd - 37da51efe6eaa0560f46803c8c436a48a2084da7
Linux/Linux 4703b4f0d94a5f887297713a2f6c2916a1ef08fd - 8598b9d0a364c1663c96fc0fab9df0d36c809aea
Linux/Linux 5.19
Linux/Linux 5.19.2 - 5.19.*
Linux/Linux 6.0
linux/linux_kernel 5.19 - 5.19.2
Published Jun 18, 2025
Tracked Since Feb 18, 2026