CVE-2022-50054

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to the fixed version

Description A NULL pointer dereference issue has been identified in the Linux kernel, specifically in the iavf get link ksettings function. This issue can occur when the adapter->vf res is freed, but the netdev is still registered, allowing ethtool ops to be called. As a result, calling iavf get link ksettings without vf res can lead to a kernel NULL pointer dereference. The issue is related to a regression introduced in a previous commit, where receiving IAVF ERR ADMIN QUEUE NO WORK from iavf get vf config would free adapter->vf res.

Recommendations To resolve this issue, update the Linux kernel to a version that includes the fix for the NULL pointer dereference in iavf get link ksettings. As a temporary workaround, consider disabling the iavf get link ksettings function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the affected API endpoint until the issue is resolved.