CVE-2022-50409

Source
https://cve.org/CVERecord?id=CVE-2022-50409
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50409.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50409
Downstream
Related
Published
2025-09-18T16:03:53.902Z
Modified
2026-04-11T12:44:57.183216Z
Summary
net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory
Details

In the Linux kernel, the following vulnerability has been resolved:

net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory

Fixes the below NULL pointer dereference:

  [...]
  [   14.471200] Call Trace:
  [   14.471562]  <TASK>
  [   14.471882]  lock_acquire+0x245/0x2e0
  [   14.472416]  ? remove_wait_queue+0x12/0x50
  [   14.473014]  ? _raw_spin_lock_irqsave+0x17/0x50
  [   14.473681]  _raw_spin_lock_irqsave+0x3d/0x50
  [   14.474318]  ? remove_wait_queue+0x12/0x50
  [   14.474907]  remove_wait_queue+0x12/0x50
  [   14.475480]  sk_stream_wait_memory+0x20d/0x340
  [   14.476127]  ? do_wait_intr_irq+0x80/0x80
  [   14.476704]  do_tcp_sendpages+0x287/0x600
  [   14.477283]  tcp_bpf_push+0xab/0x260
  [   14.477817]  tcp_bpf_sendmsg_redir+0x297/0x500
  [   14.478461]  ? __local_bh_enable_ip+0x77/0xe0
  [   14.479096]  tcp_bpf_send_verdict+0x105/0x470
  [   14.479729]  tcp_bpf_sendmsg+0x318/0x4f0
  [   14.480311]  sock_sendmsg+0x2d/0x40
  [   14.480822]  ____sys_sendmsg+0x1b4/0x1c0
  [   14.481390]  ? copy_msghdr_from_user+0x62/0x80
  [   14.482048]  ___sys_sendmsg+0x78/0xb0
  [   14.482580]  ? vmf_insert_pfn_prot+0x91/0x150
  [   14.483215]  ? __do_fault+0x2a/0x1a0
  [   14.483738]  ? do_fault+0x15e/0x5d0
  [   14.484246]  ? __handle_mm_fault+0x56b/0x1040
  [   14.484874]  ? lock_is_held_type+0xdf/0x130
  [   14.485474]  ? find_held_lock+0x2d/0x90
  [   14.486046]  ? __sys_sendmsg+0x41/0x70
  [   14.486587]  __sys_sendmsg+0x41/0x70
  [   14.487105]  ? intel_pmu_drain_pebs_core+0x350/0x350
  [   14.487822]  do_syscall_64+0x34/0x80
  [   14.488345]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
  [...]

The test scenario has the following flow:

thread1                               thread2
-----------                           ---------------
 tcp_bpf_sendmsg
  tcp_bpf_send_verdict
   tcp_bpf_sendmsg_redir              sock_close
    tcp_bpf_push_locked                 __sock_release
     tcp_bpf_push                         //inet_release
      do_tcp_sendpages                    sock->ops->release
       sk_stream_wait_memory          // tcp_close
          sk_wait_event                 sk->sk_prot->close
           release_sock(__sk);
            ***
                                          lock_sock(sk);
                                            __tcp_close
                                              sock_orphan(sk)
                                                sk->sk_wq  = NULL
                                          release_sock
            ****
           lock_sock(sk);
         remove_wait_queue(sk_sleep(sk), &wait);
            sk_sleep(sk)
            //NULL pointer dereference
            &rcu_dereference_raw(sk->sk_wq)->wait

While waiting for memory in thread1, the socket is released with its wait queue because thread2 has closed it. This is caused by tcp_bpf_send_verdict not increasing the f_count of psock->sk_redir->sk_socket->file in thread1.

We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory before accessing the wait queue.
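The race in the flow above, and the SOCK_DEAD check that closes it, reduced to a userspace C model. This is an added illustration, not kernel code and not part of the CVE record: sock_orphan, sk_sleep, add_wait_queue, remove_wait_queue and SOCK_DEAD keep their kernel names but are simplified stand-ins, while wait_memory, tcp_close_model, run_scenario and the WAIT_* result codes are invented for the model. The thread2 close is played deterministically inside thread1's sleep window instead of on a second thread, and the NULL wait-queue access is reported as a return code rather than executed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel objects involved (constructed model). */
struct wait_queue_head { int nr_waiters; };
struct socket_wq { struct wait_queue_head wait; };

enum { SOCK_DEAD = 1u << 0 };

struct sock {
    unsigned long sk_flags;
    struct socket_wq *sk_wq;   /* cleared by sock_orphan(), as in the kernel */
    bool owned;                /* models lock_sock()/release_sock() ownership */
};

/* Result codes for one wait_memory() call in this model (invented names). */
enum { WAIT_OK = 0, WAIT_NULL_WQ = -1 };

static bool sock_flag(const struct sock *sk, unsigned long flag)
{
    return (sk->sk_flags & flag) != 0;
}

/* sock_orphan(): mark the socket dead and detach its wait queue. */
static void sock_orphan(struct sock *sk)
{
    sk->sk_flags |= SOCK_DEAD;
    sk->sk_wq = NULL;
}

/* sk_sleep(): the kernel forms &sk->sk_wq->wait with no NULL check; the
 * model returns NULL instead so the bad access is reported, not executed. */
static struct wait_queue_head *sk_sleep(struct sock *sk)
{
    return sk->sk_wq ? &sk->sk_wq->wait : NULL;
}

static int add_wait_queue(struct wait_queue_head *wq)
{
    if (!wq) return WAIT_NULL_WQ;
    wq->nr_waiters++;
    return WAIT_OK;
}

/* remove_wait_queue() takes wq->lock first; with wq derived from a NULL
 * sk_wq that is the _raw_spin_lock_irqsave in the advisory's trace. */
static int remove_wait_queue(struct wait_queue_head *wq)
{
    if (!wq) return WAIT_NULL_WQ;
    wq->nr_waiters--;
    return WAIT_OK;
}

/* What the other thread does while the waiter has dropped the socket lock.
 * tcp_close path: lock_sock -> __tcp_close -> sock_orphan -> release_sock. */
typedef void (*during_sleep_fn)(struct sock *sk);

static void tcp_close_model(struct sock *sk)
{
    sk->owned = true;          /* lock_sock(sk) */
    sock_orphan(sk);           /* __tcp_close(): sk->sk_wq = NULL */
    sk->owned = false;         /* release_sock(sk) */
}

/* Model of sk_stream_wait_memory(): enqueue on the wait queue, sleep with
 * the socket lock released (sk_wait_event does this), re-take the lock,
 * then dequeue. check_dead selects pre-fix or post-fix behaviour. */
static int wait_memory(struct sock *sk, during_sleep_fn during_sleep,
                       bool check_dead)
{
    int err = add_wait_queue(sk_sleep(sk));
    if (err) return err;

    sk->owned = false;                  /* release_sock() in sk_wait_event */
    if (during_sleep) during_sleep(sk); /* the *** ... **** window */
    sk->owned = true;                   /* lock_sock() on wakeup */

    /* The fix: a dead socket no longer owns a wait queue, so skip the
     * dequeue instead of dereferencing sk->sk_wq. */
    if (check_dead && sock_flag(sk, SOCK_DEAD))
        return WAIT_OK;

    return remove_wait_queue(sk_sleep(sk));
}

/* Drive one scenario on a fresh socket. closed_while_waiting=true plays
 * thread2's sock_close() inside thread1's sleep window. */
static int run_scenario(bool closed_while_waiting, bool check_dead)
{
    struct socket_wq wq = { { 0 } };
    struct sock sk = { 0, &wq, true };
    return wait_memory(&sk, closed_while_waiting ? tcp_close_model : NULL,
                       check_dead);
}

int main(void)
{
    printf("no close, unpatched: %d\n", run_scenario(false, false));
    printf("close,    unpatched: %d\n", run_scenario(true, false));
    printf("close,    patched:   %d\n", run_scenario(true, true));
    return 0;
}
```

The point the model makes is that the wait-queue head belongs to the socket, not to the waiter: once sock_orphan() has run, nothing the waiter still holds is valid, so the only safe move on wakeup is to test SOCK_DEAD before touching sk_wq at all.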

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50409.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
604326b41a6fb9b4a78b6179335decee0365cd8c
Fixed
a76462dbdd8bddcbeec9463bc9e54e509b860762
Fixed
65029aaedd15d9fe5ea1a899134e236d83f627bb
Fixed
124b7c773271f06af5a2cea694b283cdb5275cf5
Fixed
35f5e70bdfa7432762ac4ffa75e5a7574ac5563e
Fixed
435f5aa4421782af197b98d8525263977be4af5c
Fixed
3f8ef65af927db247418d4e1db49164d7a158fc5

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50409.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.220
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.150
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.75
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.19.17
Type
ECOSYSTEM
Events
Introduced
5.20.0
Fixed
6.0.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50409.json"