{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-50666", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-09T01:26:45.990Z", "datePublished": "2025-12-09T01:29:16.813Z", "dateUpdated": "2025-12-09T01:29:16.813Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-09T01:29:16.813Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix QP destroy to wait for all references dropped.\n\nDelay QP destroy completion until all siw references to QP are\ndropped. The calling RDMA core will free QP structure after\nsuccessful return from siw_qp_destroy() call, so siw must not\nhold any remaining reference to the QP upon return.\nA use-after-free was encountered in xfstest generic/460, while\ntesting NFSoRDMA. Here, after a TCP connection drop by peer,\nthe triggered siw_cm_work_handler got delayed until after\nQP destroy call, referencing a QP which has already freed."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/sw/siw/siw.h", "drivers/infiniband/sw/siw/siw_qp.c", "drivers/infiniband/sw/siw/siw_verbs.c"], "versions": [{"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b", "lessThan": "5c75d608fad58301b63e7d69200c13c3a1d411da", "status": "affected", "versionType": "git"}, {"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b", "lessThan": "74ad141e995a730760b1bcfa14854b7f1057d6bc", "status": "affected", "versionType": "git"}, {"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b", "lessThan": "0ed8bf9d0bb19f3f5eedd73f04aaf5bba9ac0737", "status": "affected", "versionType": "git"}, {"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b", "lessThan": "a3c278807a459e6f50afee6971cabe74cccfb490", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/sw/siw/siw.h", "drivers/infiniband/sw/siw/siw_qp.c", "drivers/infiniband/sw/siw/siw_verbs.c"], "versions": [{"version": "5.3", "status": "affected"}, {"version": "0", "lessThan": "5.3", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.75", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19.17", "lessThanOrEqual": "5.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.3", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.15.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.19.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.0.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5c75d608fad58301b63e7d69200c13c3a1d411da"}, {"url": "https://git.kernel.org/stable/c/74ad141e995a730760b1bcfa14854b7f1057d6bc"}, {"url": "https://git.kernel.org/stable/c/0ed8bf9d0bb19f3f5eedd73f04aaf5bba9ac0737"}, {"url": "https://git.kernel.org/stable/c/a3c278807a459e6f50afee6971cabe74cccfb490"}], "title": "RDMA/siw: Fix QP destroy to wait for all references dropped.", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{}

{}