CVE-2022-50174 (GCVE-0-2022-50174)
Vulnerability from cvelistv5
Published
2025-06-18 11:03
Modified
2025-06-18 11:03
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net: hinic: avoid kernel hung in hinic_get_stats64() When using hinic device as a bond slave device, and reading device stats of master bond device, the kernel may hung. The kernel panic calltrace as follows: Kernel panic - not syncing: softlockup: hung tasks Call trace: native_queued_spin_lock_slowpath+0x1ec/0x31c dev_get_stats+0x60/0xcc dev_seq_printf_stats+0x40/0x120 dev_seq_show+0x1c/0x40 seq_read_iter+0x3c8/0x4dc seq_read+0xe0/0x130 proc_reg_read+0xa8/0xe0 vfs_read+0xb0/0x1d4 ksys_read+0x70/0xfc __arm64_sys_read+0x20/0x30 el0_svc_common+0x88/0x234 do_el0_svc+0x2c/0x90 el0_svc+0x1c/0x30 el0_sync_handler+0xa8/0xb0 el0_sync+0x148/0x180 And the calltrace of task that actually caused kernel hungs as follows: __switch_to+124 __schedule+548 schedule+72 schedule_timeout+348 __down_common+188 __down+24 down+104 hinic_get_stats64+44 [hinic] dev_get_stats+92 bond_get_stats+172 [bonding] dev_get_stats+92 dev_seq_printf_stats+60 dev_seq_show+24 seq_read_iter+964 seq_read+220 proc_reg_read+164 vfs_read+172 ksys_read+108 __arm64_sys_read+28 el0_svc_common+132 do_el0_svc+40 el0_svc+24 el0_sync_handler+164 el0_sync+324 When getting device stats from bond, kernel will call bond_get_stats(). It first holds the spinlock bond->stats_lock, and then call hinic_get_stats64() to collect hinic device's stats. However, hinic_get_stats64() calls `down(&nic_dev->mgmt_lock)` to protect its critical section, which may schedule current task out. And if system is under high pressure, the task cannot be woken up immediately, which eventually triggers kernel hung panic. Since previous patch has replaced hinic_dev.tx_stats/rx_stats with local variable in hinic_get_stats64(), there is nothing need to be protected by lock, so just removing down()/up() is ok.
References
Impacted products
Vendor Product Version
Linux Linux Version: edd384f682cc2981420628b769a1929db680f02f
Version: edd384f682cc2981420628b769a1929db680f02f
Version: edd384f682cc2981420628b769a1929db680f02f
Version: edd384f682cc2981420628b769a1929db680f02f
Version: edd384f682cc2981420628b769a1929db680f02f
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/huawei/hinic/hinic_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e74f3097a9c713ce855cda07713393bcc23a005d",
              "status": "affected",
              "version": "edd384f682cc2981420628b769a1929db680f02f",
              "versionType": "git"
            },
            {
              "lessThan": "693f31dc91568e61047fd2980a8235e856cd9ce8",
              "status": "affected",
              "version": "edd384f682cc2981420628b769a1929db680f02f",
              "versionType": "git"
            },
            {
              "lessThan": "fced5bce712122654ec8a20356342698cce104d2",
              "status": "affected",
              "version": "edd384f682cc2981420628b769a1929db680f02f",
              "versionType": "git"
            },
            {
              "lessThan": "3ba59bbe4f306bb6ee15753db0a40564c0eb7909",
              "status": "affected",
              "version": "edd384f682cc2981420628b769a1929db680f02f",
              "versionType": "git"
            },
            {
              "lessThan": "98f9fcdee35add80505b6c73f72de5f750d5c03c",
              "status": "affected",
              "version": "edd384f682cc2981420628b769a1929db680f02f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/huawei/hinic/hinic_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.137",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.137",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.61",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.18",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.2",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hinic: avoid kernel hung in hinic_get_stats64()\n\nWhen using hinic device as a bond slave device, and reading device stats\nof master bond device, the kernel may hung.\n\nThe kernel panic calltrace as follows:\nKernel panic - not syncing: softlockup: hung tasks\nCall trace:\n  native_queued_spin_lock_slowpath+0x1ec/0x31c\n  dev_get_stats+0x60/0xcc\n  dev_seq_printf_stats+0x40/0x120\n  dev_seq_show+0x1c/0x40\n  seq_read_iter+0x3c8/0x4dc\n  seq_read+0xe0/0x130\n  proc_reg_read+0xa8/0xe0\n  vfs_read+0xb0/0x1d4\n  ksys_read+0x70/0xfc\n  __arm64_sys_read+0x20/0x30\n  el0_svc_common+0x88/0x234\n  do_el0_svc+0x2c/0x90\n  el0_svc+0x1c/0x30\n  el0_sync_handler+0xa8/0xb0\n  el0_sync+0x148/0x180\n\nAnd the calltrace of task that actually caused kernel hungs as follows:\n  __switch_to+124\n  __schedule+548\n  schedule+72\n  schedule_timeout+348\n  __down_common+188\n  __down+24\n  down+104\n  hinic_get_stats64+44 [hinic]\n  dev_get_stats+92\n  bond_get_stats+172 [bonding]\n  dev_get_stats+92\n  dev_seq_printf_stats+60\n  dev_seq_show+24\n  seq_read_iter+964\n  seq_read+220\n  proc_reg_read+164\n  vfs_read+172\n  ksys_read+108\n  __arm64_sys_read+28\n  el0_svc_common+132\n  do_el0_svc+40\n  el0_svc+24\n  el0_sync_handler+164\n  el0_sync+324\n\nWhen getting device stats from bond, kernel will call bond_get_stats().\nIt first holds the spinlock bond-\u003estats_lock, and then call\nhinic_get_stats64() to collect hinic device\u0027s stats.\nHowever, hinic_get_stats64() calls `down(\u0026nic_dev-\u003emgmt_lock)` to\nprotect its critical section, which may schedule current task out.\nAnd if system is under high pressure, the task cannot be woken up\nimmediately, which eventually triggers kernel hung panic.\n\nSince previous patch has replaced hinic_dev.tx_stats/rx_stats with local\nvariable in hinic_get_stats64(), there is nothing need to be protected\nby lock, so just removing down()/up() is ok."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T11:03:25.675Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e74f3097a9c713ce855cda07713393bcc23a005d"
        },
        {
          "url": "https://git.kernel.org/stable/c/693f31dc91568e61047fd2980a8235e856cd9ce8"
        },
        {
          "url": "https://git.kernel.org/stable/c/fced5bce712122654ec8a20356342698cce104d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ba59bbe4f306bb6ee15753db0a40564c0eb7909"
        },
        {
          "url": "https://git.kernel.org/stable/c/98f9fcdee35add80505b6c73f72de5f750d5c03c"
        }
      ],
      "title": "net: hinic: avoid kernel hung in hinic_get_stats64()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50174",
    "datePublished": "2025-06-18T11:03:25.675Z",
    "dateReserved": "2025-06-18T10:57:27.427Z",
    "dateUpdated": "2025-06-18T11:03:25.675Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-50174\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-06-18T11:15:47.770\",\"lastModified\":\"2025-06-18T13:47:40.833\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: hinic: avoid kernel hung in hinic_get_stats64()\\n\\nWhen using hinic device as a bond slave device, and reading device stats\\nof master bond device, the kernel may hung.\\n\\nThe kernel panic calltrace as follows:\\nKernel panic - not syncing: softlockup: hung tasks\\nCall trace:\\n  native_queued_spin_lock_slowpath+0x1ec/0x31c\\n  dev_get_stats+0x60/0xcc\\n  dev_seq_printf_stats+0x40/0x120\\n  dev_seq_show+0x1c/0x40\\n  seq_read_iter+0x3c8/0x4dc\\n  seq_read+0xe0/0x130\\n  proc_reg_read+0xa8/0xe0\\n  vfs_read+0xb0/0x1d4\\n  ksys_read+0x70/0xfc\\n  __arm64_sys_read+0x20/0x30\\n  el0_svc_common+0x88/0x234\\n  do_el0_svc+0x2c/0x90\\n  el0_svc+0x1c/0x30\\n  el0_sync_handler+0xa8/0xb0\\n  el0_sync+0x148/0x180\\n\\nAnd the calltrace of task that actually caused kernel hungs as follows:\\n  __switch_to+124\\n  __schedule+548\\n  schedule+72\\n  schedule_timeout+348\\n  __down_common+188\\n  __down+24\\n  down+104\\n  hinic_get_stats64+44 [hinic]\\n  dev_get_stats+92\\n  bond_get_stats+172 [bonding]\\n  dev_get_stats+92\\n  dev_seq_printf_stats+60\\n  dev_seq_show+24\\n  seq_read_iter+964\\n  seq_read+220\\n  proc_reg_read+164\\n  vfs_read+172\\n  ksys_read+108\\n  __arm64_sys_read+28\\n  el0_svc_common+132\\n  do_el0_svc+40\\n  el0_svc+24\\n  el0_sync_handler+164\\n  el0_sync+324\\n\\nWhen getting device stats from bond, kernel will call bond_get_stats().\\nIt first holds the spinlock bond-\u003estats_lock, and then call\\nhinic_get_stats64() to collect hinic device\u0027s stats.\\nHowever, hinic_get_stats64() calls `down(\u0026nic_dev-\u003emgmt_lock)` to\\nprotect its critical section, which may schedule current task out.\\nAnd if system is under high pressure, the task cannot be woken up\\nimmediately, which eventually triggers kernel hung panic.\\n\\nSince previous patch has replaced hinic_dev.tx_stats/rx_stats with local\\nvariable in hinic_get_stats64(), there is nothing need to be protected\\nby lock, so just removing down()/up() is ok.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: hinic: evitar que el kernel se cuelgue en hinic_get_stats64(). Al usar un dispositivo hinic como un dispositivo esclavo de enlace y leer las estad\u00edsticas del dispositivo de enlace maestro, el kernel puede colgarse. El seguimiento de llamadas de p\u00e1nico del kernel es el siguiente: P\u00e1nico del kernel - no sincroniza: softlockup: tareas colgadas Seguimiento de llamadas: native_queued_spin_lock_slowpath+0x1ec/0x31c dev_get_stats+0x60/0xcc dev_seq_printf_stats+0x40/0x120 dev_seq_show+0x1c/0x40 seq_read_iter+0x3c8/0x4dc seq_read+0xe0/0x130 proc_reg_read+0xa8/0xe0 vfs_read+0xb0/0x1d4 ksys_read+0x70/0xfc __arm64_sys_read+0x20/0x30 el0_svc_common+0x88/0x234 do_el0_svc+0x2c/0x90 el0_svc+0x1c/0x30 el0_sync_handler+0xa8/0xb0 el0_sync+0x148/0x180 Y el seguimiento de llamadas de la tarea que realmente caus\u00f3 los bloqueos del kernel de la siguiente manera: __switch_to+124 __schedule+548 schedule+72 schedule_timeout+348 __down_common+188 __down+24 down+104 hinic_get_stats64+44 [hinic] dev_get_stats+92 bond_get_stats+172 [bonding] dev_get_stats+92 dev_seq_printf_stats+60 dev_seq_show+24 seq_read_iter+964 seq_read+220 proc_reg_read+164 vfs_read+172 ksys_read+108 __arm64_sys_read+28 el0_svc_common+132 do_el0_svc+40 el0_svc+24 el0_sync_handler+164 el0_sync+324 Al obtener las estad\u00edsticas del dispositivo desde Bond, el kernel llama a bond_get_stats(). Primero mantiene el bloqueo de giro bond-\u0026gt;stats_lock y luego llama a hinic_get_stats64() para recopilar las estad\u00edsticas del dispositivo Hinic. Sin embargo, hinic_get_stats64() llama a `down(\u0026amp;nic_dev-\u0026gt;mgmt_lock)` para proteger su secci\u00f3n cr\u00edtica, que podr\u00eda programar la tarea actual. Si el sistema est\u00e1 bajo alta presi\u00f3n, la tarea no se puede reactivar inmediatamente, lo que eventualmente desencadena un p\u00e1nico de bloqueo del kernel. Dado que el parche anterior reemplaz\u00f3 hinic_dev.tx_stats/rx_stats con una variable local en hinic_get_stats64(), no es necesario proteger nada con bloqueo, por lo que simplemente eliminar down()/up() est\u00e1 bien.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3ba59bbe4f306bb6ee15753db0a40564c0eb7909\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/693f31dc91568e61047fd2980a8235e856cd9ce8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/98f9fcdee35add80505b6c73f72de5f750d5c03c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e74f3097a9c713ce855cda07713393bcc23a005d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fced5bce712122654ec8a20356342698cce104d2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.