CVE-2022-48811: ibmvnic: don't release napi in __ibmvnic_open()
In the Linux kernel, the following vulnerability has been resolved:
ibmvnic: don't release napi in __ibmvnic_open()
If __ibmvnic_open() encounters an error such as when setting link state,
it calls release_resources() which frees the napi structures needlessly.
Instead, have __ibmvnic_open() only clean up the work it did so far (i.e.
disable napi and irqs) and leave the rest to the callers.
If caller of __ibmvnic_open() is ibmvnic_open(), it should release the
resources immediately. If the caller is do_reset() or do_hard_reset(),
they will release the resources on the next reset.
This fixes following crash that occurred when running the drmgr command
several times to add/remove a vnic interface:
[102056] ibmvnic 30000003 env3: Disabling rx_scrq[6] irq
[102056] ibmvnic 30000003 env3: Disabling rx_scrq[7] irq
[102056] ibmvnic 30000003 env3: Replenished 8 pools
Kernel attempted to read user page (10) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000010
Faulting instruction address: 0xc000000000a3c840
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
...
CPU: 9 PID: 102056 Comm: kworker/9:2 Kdump: loaded Not tainted 5.16.0-rc5-autotest-g6441998e2e37 #1
Workqueue: events_long __ibmvnic_reset [ibmvnic]
NIP: c000000000a3c840 LR: c0080000029b5378 CTR: c000000000a3c820
REGS: c0000000548e37e0 TRAP: 0300 Not tainted (5.16.0-rc5-autotest-g6441998e2e37)
MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 28248484 XER: 00000004
CFAR: c0080000029bdd24 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0
GPR00: c0080000029b55d0 c0000000548e3a80 c0000000028f0200 0000000000000000
...
NIP [c000000000a3c840] napi_enable+0x20/0xc0
LR [c0080000029b5378] __ibmvnic_open+0xf0/0x430 [ibmvnic]
Call Trace:
[c0000000548e3a80] [0000000000000006] 0x6 (unreliable)
[c0000000548e3ab0] [c0080000029b55d0] __ibmvnic_open+0x348/0x430 [ibmvnic]
[c0000000548e3b40] [c0080000029bcc28] __ibmvnic_reset+0x500/0xdf0 [ibmvnic]
[c0000000548e3c60] [c000000000176228] process_one_work+0x288/0x570
[c0000000548e3d00] [c000000000176588] worker_thread+0x78/0x660
[c0000000548e3da0] [c0000000001822f0] kthread+0x1c0/0x1d0
[c0000000548e3e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64
Instruction dump:
7d2948f8 792307e0 4e800020 60000000 3c4c01eb 384239e0 f821ffd1 39430010
38a0fff6 e92d1100 f9210028 39200000 <e9030010> f9010020 60420000 e9210020
---[ end trace 5f8033b08fd27706 ]---
Security readout for executives and security teams
Plain-English summary
CVE-2022-48811 is a Linux kernel availability issue in the IBM virtual NIC driver. Error handling during vNIC open/reset could free networking structures too early, later causing a NULL pointer dereference and kernel crash. Business risk is concentrated on Linux systems using ibmvnic, especially IBM Power/pSeries virtualized environments.
Executive priority
Prioritize remediation where Linux workloads depend on IBM virtual NICs or dynamic LPAR networking. The likely impact is outage from kernel crashes, not confirmed data compromise. Patch during the next appropriate kernel maintenance window unless affected systems are already experiencing ibmvnic instability.
Technical view
In ibmvnic, __ibmvnic_open() called release_resources() after errors such as link-state setup failure, unnecessarily freeing NAPI structures. Reset paths could later re-enable NAPI and dereference freed or NULL state. The upstream fix limits __ibmvnic_open() cleanup to work it performed and leaves broader resource release to callers.
Likely exposure
Exposure appears limited to Linux hosts using the ibmvnic driver. The source bundle lists Linux as affected and identifies versions including 4.12, 5.15.27, 5.16.10, and 5.17; exact exposure should be confirmed against vendor kernel backports.
Exploitation context
The provided evidence shows a crash while repeatedly using drmgr to add or remove a vNIC interface. The bundle does not identify remote exploitation, public exploit use, or CISA KEV listing. Treat this as a reliability and denial-of-service concern unless vendor advisories state otherwise.
Researcher notes
Evidence is source-level and crash-log based. No CVSS, CWE, exploitability assessment, or KEV signal is provided. The affected-version data is sparse, so distribution kernel mapping and backport verification are necessary before declaring systems fixed or unaffected.
Mitigation direction
Identify systems using the Linux ibmvnic driver.
Check distribution advisories for CVE-2022-48811 kernel fixes or backports.
Update affected kernels to a vendor-fixed release.
Prioritize IBM Power/pSeries systems with dynamic vNIC operations.
Avoid unnecessary vNIC add/remove churn until fixed.
Validation and detection
Inventory running kernels and ibmvnic module usage.
Compare installed kernel builds against vendor CVE-2022-48811 advisories.
Confirm the relevant stable kernel fix is present or backported.
Review kernel logs for ibmvnic reset or NULL dereference crashes.
Validate after maintenance that vNIC reset operations remain stable.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48811 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.