CVE-2022-49443

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49443
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49443.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49443
Downstream
Related
Published
2025-02-26T07:01:20Z
Modified
2025-08-09T20:01:28Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

list: fix a data-race around ep->rdllist

eppoll() first calls epeventsavailable() with no lock held and checks if ep->rdllist is empty by listempty_careful(), which reads rdllist->prev. Thus all accesses to it need some protection to avoid store/load-tearing.

Note INITLISTHEAD_RCU() already has the annotation for both prev and next.

Commit bf3b9f6372c4 ("epoll: Add busy poll support to epoll with socket fds.") added the first lockless epeventsavailable(), and commit c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epollwait()") made some epeventsavailable() calls lockless and added single call under a lock, finally commit e59d3c64cba6 ("epoll: eliminate unnecessary lock for zero timeout") made the last epevents_available() lockless.

BUG: KCSAN: data-race in doepollwait / doepollwait

write to 0xffff88810480c7d8 of 8 bytes by task 1802 on cpu 0: INITLISTHEAD include/linux/list.h:38 [inline] listspliceinit include/linux/list.h:492 [inline] epstartscan fs/eventpoll.c:622 [inline] epsendevents fs/eventpoll.c:1656 [inline] eppoll fs/eventpoll.c:1806 [inline] doepollwait+0x4eb/0xf40 fs/eventpoll.c:2234 doepollpwait fs/eventpoll.c:2268 [inline] _dosysepollpwait fs/eventpoll.c:2281 [inline] _sesysepollpwait+0x12b/0x240 fs/eventpoll.c:2275 _x64sysepollpwait+0x74/0x80 fs/eventpoll.c:2275 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x44/0xd0 arch/x86/entry/common.c:80 entrySYSCALL64after_hwframe+0x44/0xae

read to 0xffff88810480c7d8 of 8 bytes by task 1799 on cpu 1: listemptycareful include/linux/list.h:329 [inline] epeventsavailable fs/eventpoll.c:381 [inline] eppoll fs/eventpoll.c:1797 [inline] doepollwait+0x279/0xf40 fs/eventpoll.c:2234 doepollpwait fs/eventpoll.c:2268 [inline] _dosysepollpwait fs/eventpoll.c:2281 [inline] _sesysepollpwait+0x12b/0x240 fs/eventpoll.c:2275 _x64sysepollpwait+0x74/0x80 fs/eventpoll.c:2275 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x44/0xd0 arch/x86/entry/common.c:80 entrySYSCALL64after_hwframe+0x44/0xae

value changed: 0xffff88810480c7d0 -> 0xffff888103c15098

Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 1799 Comm: syz-fuzzer Tainted: G W 5.17.0-rc7-syzkaller-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

References

Affected packages