VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2022-50728

Description

In the Linux kernel, the following vulnerability has been resolved:

s390/lcs: Fix return type of lcs_start_xmit()

With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals:

  drivers/s390/net/lcs.c:2090:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .ndo_start_xmit = lcs_start_xmit,
                            ^~~~~~~~~~~~~~
  drivers/s390/net/lcs.c:2097:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .ndo_start_xmit = lcs_start_xmit,
                            ^~~~~~~~~~~~~~

->ndo_start_xmit() in 'struct net_device_ops' expects a return type of 'netdev_tx_t', not 'int'. Adjust the return type of lcs_start_xmit() to match the prototype's to resolve the warning and potential CFI failure, should s390 select ARCH_SUPPORTS_CFI_CLANG in the future.
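
The run-time check described above, modelled in user-space C as an added example (not kernel code and not part of the original advisory or patch). The FNV-1a hash, `struct tagged_xmit`, `demo_start_xmit()`, `run_case()` and the `lcs0` name are assumptions for illustration; under real kCFI the compiler emits both the type hash and the check.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel types named in the advisory. */
struct sk_buff { int len; };
struct net_device { const char *name; };
typedef enum netdev_tx { NETDEV_TX_OK = 0x00, NETDEV_TX_BUSY = 0x10 } netdev_tx_t;
typedef netdev_tx_t (*xmit_fn)(struct sk_buff *, struct net_device *);

#define PROTO_EXPECTED "netdev_tx_t(struct sk_buff *, struct net_device *)"
#define PROTO_PRE_FIX  "int(struct sk_buff *, struct net_device *)"

/* FNV-1a over the prototype text: an assumed stand-in for the type hash
 * the compiler derives from a function's type under kCFI. */
static uint32_t type_id(const char *proto)
{
    uint32_t h = 2166136261u;
    for (; *proto; proto++)
        h = (h ^ (unsigned char)*proto) * 16777619u;
    return h;
}

/* A callee plus the type id "compiled in" beside it (hypothetical layout). */
struct tagged_xmit { uint32_t id; xmit_fn fn; };

static netdev_tx_t demo_start_xmit(struct sk_buff *skb, struct net_device *dev)
{
    (void)skb; (void)dev;
    return NETDEV_TX_OK;
}

/* Checked indirect call: -1 models the CFI trap (panic or thread kill). */
static int checked_xmit(const struct tagged_xmit *t, struct sk_buff *skb,
                        struct net_device *dev)
{
    if (t->id != type_id(PROTO_EXPECTED))
        return -1;
    return (int)t->fn(skb, dev);
}

/* fixed == 0 tags the callee as the pre-fix 'int' declaration would be. */
int run_case(int fixed)
{
    struct sk_buff skb = { 64 };                /* constructed sample packet */
    struct net_device dev = { "lcs0" };         /* constructed device name */
    uint32_t id = type_id(fixed ? PROTO_EXPECTED : PROTO_PRE_FIX);
    struct tagged_xmit t = { id, demo_start_xmit };
    return checked_xmit(&t, &skb, &dev);
}
int main(void) { printf("pre-fix: %d, fixed: %d\n", run_case(0), run_case(1)); return 0; }
```

The pre-fix case is rejected although the callee behaves identically, which is why the commit changes only the declared return type.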

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's s390 LCS network driver, lcs_start_xmit() incorrectly returns 'int' instead of 'netdev_tx_t', which can cause Control Flow Integrity (kCFI) panic or thread termination.

Vulnerability Analysis

In the Linux kernel's s390 LCS (LAN Channel Station) network driver, the function lcs_start_xmit() is declared to return int, but the ndo_start_xmit callback in struct net_device_ops expects a return type of netdev_tx_t (a typedef for enum netdev_tx). With clang's kernel Control Flow Integrity (kCFI, CONFIG_CFI_CLANG), a mismatch between an indirect call target and the expected function pointer prototype fails validation at run time, which manifests as a kernel panic or a killed thread when the driver is used with kCFI enabled [1].

Attack Vector and Requirements

No special attacker-triggered exploitation is described. The vulnerability manifests during normal transmission of network packets over an s390 LCS interface when the kernel is compiled with clang kCFI. The issue is not exploitable by an unauthenticated remote attacker directly; it is a correctness flaw that can lead to denial of service (kernel panic) under specific kernel configurations. The bug is a static type mismatch that is only reachable when the driver's transmit function is called by the networking stack [2].

Impact

If the kernel is built with CONFIG_CFI_CLANG (and ARCH_SUPPORTS_CFI_CLANG is selected for s390 in the future), an attempted call to lcs_start_xmit() will fail the indirect call target validation, resulting in one of two outcomes: a kernel panic (system crash) or the offending kernel thread being killed, effectively causing a denial of service for any process relying on network I/O over that interface. No privilege escalation or remote code execution is indicated [3].

Mitigation

The fix adjusts the return type of lcs_start_xmit() from int to netdev_tx_t to match the prototype expected by the kernel's networking subsystem [4]. This resolves the compile-time warning from clang and prevents the potential CFI failure at run time. The patch has been applied to the Linux kernel stable branches. Users should update to a kernel version containing the commit [1][4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
