CVE-2022-49667: 
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel, a use-after-free vulnerability was discovered in the bonding driver's 802.3ad (LACP) implementation. The issue occurs in the bond3adunbind_slave function when handling multiple aggregation groups in the same bond. The vulnerability was introduced by commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") and has been assigned CVE-2022-49667 (NVD).

The vulnerability stems from the bond3adunbindslave function invalidating (clearing) an aggregator when _aggactiveports returns zero, even when numofports is not zero. This can lead to adclearagg being executed on an aggregator that still has ports. Subsequently, bond3adunbindslave can be executed again for the previously cleared aggregator. Since lagports is NULL at this point, the slave ports list is not updated, resulting in slave ports pointing to freed aggregator memory (Kernel Commit).

This vulnerability can lead to use-after-free conditions in the kernel's networking stack, potentially causing system crashes or memory corruption. The issue was detected by KASAN (Kernel Address Sanitizer) showing memory access to freed aggregator memory (NVD).

The issue has been fixed by adding a check for the actual number of ports in the group before calling adclearagg(). The fix ensures that adclearagg is only called when tempaggregator->numof_ports equals zero, reverting to the behavior that existed before the problematic commit (Kernel Commit).