{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50062","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-06-18T10:57:27.404Z","datePublished":"2025-06-18T11:02:09.871Z","dateUpdated":"2026-05-11T19:12:07.806Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:12:07.806Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bgmac: Fix a BUG triggered by wrong bytes_compl\n\nOn one of our machines we got:\n\nkernel BUG at lib/dynamic_queue_limits.c:27!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM\nCPU: 0 PID: 1166 Comm: irq/41-bgmac Tainted: G        W  O    4.14.275-rt132 #1\nHardware name: BRCM XGS iProc\ntask: ee3415c0 task.stack: ee32a000\nPC is at dql_completed+0x168/0x178\nLR is at bgmac_poll+0x18c/0x6d8\npc : [<c03b9430>]    lr : [<c04b5a18>]    psr: 800a0313\nsp : ee32be14  ip : 000005ea  fp : 00000bd4\nr10: ee558500  r9 : c0116298  r8 : 00000002\nr7 : 00000000  r6 : ef128810  r5 : 01993267  r4 : 01993851\nr3 : ee558000  r2 : 000070e1  r1 : 00000bd4  r0 : ee52c180\nFlags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none\nControl: 12c5387d  Table: 8e88c04a  DAC: 00000051\nProcess irq/41-bgmac (pid: 1166, stack limit = 0xee32a210)\nStack: (0xee32be14 to 0xee32c000)\nbe00:                                              ee558520 ee52c100 ef128810\nbe20: 00000000 00000002 c0116298 c04b5a18 00000000 c0a0c8c4 c0951780 00000040\nbe40: c0701780 ee558500 ee55d520 ef05b340 ef6f9780 ee558520 00000001 00000040\nbe60: ffffe000 c0a56878 ef6fa040 c0952040 0000012c c0528744 ef6f97b0 fffcfb6a\nbe80: c0a04104 2eda8000 c0a0c4ec c0a0d368 ee32bf44 c0153534 ee32be98 ee32be98\nbea0: ee32bea0 ee32bea0 ee32bea8 ee32bea8 00000000 c01462e4 ffffe000 ef6f22a8\nbec0: ffffe000 00000008 ee32bee4 c0147430 ffffe000 c094a2a8 00000003 ffffe000\nbee0: c0a54528 00208040 0000000c c0a0c8c4 c0a65980 c0124d3c 00000008 ee558520\nbf00: c094a23c c0a02080 00000000 c07a9910 ef136970 ef136970 ee30a440 ef136900\nbf20: ee30a440 00000001 ef136900 ee30a440 c016d990 00000000 c0108db0 c012500c\nbf40: ef136900 c016da14 ee30a464 ffffe000 00000001 c016dd14 00000000 c016db28\nbf60: ffffe000 ee21a080 ee30a400 00000000 ee32a000 ee30a440 c016dbfc ee25fd70\nbf80: ee21a09c c013edcc ee32a000 ee30a400 c013ec7c 00000000 00000000 00000000\nbfa0: 00000000 00000000 00000000 c0108470 00000000 00000000 00000000 00000000\nbfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\nbfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000\n[<c03b9430>] (dql_completed) from [<c04b5a18>] (bgmac_poll+0x18c/0x6d8)\n[<c04b5a18>] (bgmac_poll) from [<c0528744>] (net_rx_action+0x1c4/0x494)\n[<c0528744>] (net_rx_action) from [<c0124d3c>] (do_current_softirqs+0x1ec/0x43c)\n[<c0124d3c>] (do_current_softirqs) from [<c012500c>] (__local_bh_enable+0x80/0x98)\n[<c012500c>] (__local_bh_enable) from [<c016da14>] (irq_forced_thread_fn+0x84/0x98)\n[<c016da14>] (irq_forced_thread_fn) from [<c016dd14>] (irq_thread+0x118/0x1c0)\n[<c016dd14>] (irq_thread) from [<c013edcc>] (kthread+0x150/0x158)\n[<c013edcc>] (kthread) from [<c0108470>] (ret_from_fork+0x14/0x24)\nCode: a83f15e0 0200001a 0630a0e1 c3ffffea (f201f0e7)\n\nThe issue seems similar to commit 90b3b339364c (\"net: hisilicon: Fix a BUG\ntrigered by wrong bytes_compl\") and potentially introduced by commit\nb38c83dd0866 (\"bgmac: simplify tx ring index handling\").\n\nIf there is an RX interrupt between setting ring->end\nand netdev_sent_queue() we can hit the BUG_ON as bgmac_dma_tx_free()\ncan miscalculate the queue size while called from bgmac_poll().\n\nThe machine which triggered the BUG runs a v4.14 RT kernel - but the issue\nseems present in mainline too."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/broadcom/bgmac.c"],"versions":[{"version":"b38c83dd08665a93e439c4ffd9eef31bc098a6ea","lessThan":"ac6d4482f29ab992b605c1b4bd1347f1f679f4e4","status":"affected","versionType":"git"},{"version":"b38c83dd08665a93e439c4ffd9eef31bc098a6ea","lessThan":"ab2b55bb25db289ba0b68e3d58494476bdb1041d","status":"affected","versionType":"git"},{"version":"b38c83dd08665a93e439c4ffd9eef31bc098a6ea","lessThan":"c506c9a97120f43257e9b3ce7b1f9a24eafc3787","status":"affected","versionType":"git"},{"version":"b38c83dd08665a93e439c4ffd9eef31bc098a6ea","lessThan":"da1421a29d3b8681ba6a7f686bd0b40dda5acaf3","status":"affected","versionType":"git"},{"version":"b38c83dd08665a93e439c4ffd9eef31bc098a6ea","lessThan":"1b7680c6c1f6de9904f1d9b05c952f0c64a03350","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/broadcom/bgmac.c"],"versions":[{"version":"4.1","status":"affected"},{"version":"0","lessThan":"4.1","status":"unaffected","versionType":"semver"},{"version":"5.4.211","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.138","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.63","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.19.4","lessThanOrEqual":"5.19.*","status":"unaffected","versionType":"semver"},{"version":"6.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"5.4.211"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"5.10.138"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"5.15.63"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"5.19.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"6.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ac6d4482f29ab992b605c1b4bd1347f1f679f4e4"},{"url":"https://git.kernel.org/stable/c/ab2b55bb25db289ba0b68e3d58494476bdb1041d"},{"url":"https://git.kernel.org/stable/c/c506c9a97120f43257e9b3ce7b1f9a24eafc3787"},{"url":"https://git.kernel.org/stable/c/da1421a29d3b8681ba6a7f686bd0b40dda5acaf3"},{"url":"https://git.kernel.org/stable/c/1b7680c6c1f6de9904f1d9b05c952f0c64a03350"}],"title":"net: bgmac: Fix a BUG triggered by wrong bytes_compl","x_generator":{"engine":"bippy-1.2.0"}}}}