CVE-2022-49667: 
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel, a use-after-free vulnerability was discovered in the bonding driver's 802.3ad (LACP) implementation. The issue occurs in the bond_3ad_unbind_slave function when handling multiple aggregation groups in the same bond. The vulnerability was introduced by commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") and has been assigned CVE-2022-49667 (NVD).

The vulnerability stems from the bond_3ad_unbind_slave function invalidating (clearing) an aggregator when __agg_active_ports returns zero, even when num_of_ports is not zero. This can lead to ad_clear_agg being executed on an aggregator that still has ports. Subsequently, bond_3ad_unbind_slave can be executed again for the previously cleared aggregator. Since lag_ports is NULL at this point, the slave ports list is not updated, resulting in slave ports pointing to freed aggregator memory (Kernel Commit).

This vulnerability can lead to use-after-free conditions in the kernel's networking stack, potentially causing system crashes or memory corruption. The issue was detected by KASAN (Kernel Address Sanitizer) showing memory access to freed aggregator memory (NVD).

The issue has been fixed by adding a check for the actual number of ports in the group before calling ad_clear_agg(). The fix ensures that ad_clear_agg is only called when temp_aggregator->num_of_ports equals zero, reverting to the behavior that existed before the problematic commit (Kernel Commit).