PT-2025-8143 · Linux+4 · Linux Kernel+4
Elza Mathew · Published 2022-01-01 · Updated 2026-03-14
CVE-2022-49215
CVSS v3.1: 4.7 (Medium)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 5.16.0+
Description
A race condition in the xsk socket teardown code can lead to a NULL pointer dereference. The issue arises when the xsk_unbind_dev() function sets xs->state to XSK_UNBOUND and xs->dev to NULL before waiting for NAPI processing to terminate, which can cause a crash if another process is still using the socket. The problem is solved by removing the NULL assignment to xs->dev and extending the RCU critical region to cover the entire xsk_poll(), xsk_sendmsg(), and xsk_recvmsg() functions.
Recommendations
For Linux kernel version 5.16.0+, update to a version that includes the fix for the xsk socket teardown code.
For earlier versions, consider applying the patch that removes the NULL assignment to xs->dev and extends the RCU critical region to cover the entire xsk_poll(), xsk_sendmsg(), and xsk_recvmsg() functions as a temporary workaround.
Exploit
Fix
Race Condition
NULL Pointer Dereference
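The teardown ordering from the Description, replayed as a single-threaded user-space model with the old and the fixed ordering side by side. This is an added example, not kernel code and not taken from the patch: model_dev, model_xsk, replay() and the two unbind_* functions are hypothetical names, and the readers counter stands in for an RCU read-side critical section.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of the teardown ordering; not kernel code. */
enum xsk_state { XSK_BOUND, XSK_UNBOUND };
struct model_dev { int ifindex; bool released; };   /* hypothetical stand-in */
struct model_xsk {
    enum xsk_state state;
    struct model_dev *dev;
    int readers;            /* readers inside the modelled RCU section */
};

/* Before the fix, as described: state flips and dev is cleared at once. */
static void unbind_before_fix(struct model_xsk *xs) {
    xs->state = XSK_UNBOUND;
    xs->dev = NULL;
}

/* After the fix, as described: dev stays set; release waits for readers. */
static void unbind_after_fix(struct model_xsk *xs) {
    xs->state = XSK_UNBOUND;
    if (xs->readers == 0)
        xs->dev->released = true;
}

/* Replays one interleaving: reader passes the state check, teardown runs, reader
 * uses xs->dev. Returns the ifindex read, or -1 where the kernel would hit NULL. */
static int replay(void (*unbind)(struct model_xsk *), bool *released_after) {
    struct model_dev dev = { 7, false };           /* constructed sample */
    struct model_xsk xs = { XSK_BOUND, &dev, 1 };  /* reader already inside */
    int seen = -1;
    if (xs.state == XSK_BOUND) {
        unbind(&xs);                        /* teardown interleaves here */
        if (xs.dev && !xs.dev->released)    /* guard exists only in the model */
            seen = xs.dev->ifindex;
    }
    /* Reader leaves; a release deferred by the fixed teardown may now run. */
    if (--xs.readers == 0 && xs.dev && xs.state == XSK_UNBOUND)
        dev.released = true;
    *released_after = dev.released;
    return seen;
}

int main(void) {
    bool r;
    printf("before fix: %d\n", replay(unbind_before_fix, &r));
    printf("after fix:  %d\n", replay(unbind_after_fix, &r));
    return 0;
}
```

With the fixed ordering the reader still sees a valid device after the state has changed, and the device is only marked released once the reader has left the section.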
Related Identifiers
Affected Products
Astra Linux
Debian
Linux Kernel
Red Hat
Suse