CVE-2022-50409

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-50409
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50409.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50409
Downstream
Related
Published
2025-09-18T16:03:53.902Z
Modified
2026-03-20T11:47:26.736874Z
Summary
net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory
Details

In the Linux kernel, the following vulnerability has been resolved:

net: If sock is dead don't access sock's skwq in skstreamwaitmemory

Fixes the below NULL pointer dereference:

[...] [ 14.471200] Call Trace: [ 14.471562] <TASK> [ 14.471882] lockacquire+0x245/0x2e0 [ 14.472416] ? removewaitqueue+0x12/0x50 [ 14.473014] ? rawspinlockirqsave+0x17/0x50 [ 14.473681] rawspinlockirqsave+0x3d/0x50 [ 14.474318] ? removewaitqueue+0x12/0x50 [ 14.474907] removewaitqueue+0x12/0x50 [ 14.475480] skstreamwaitmemory+0x20d/0x340 [ 14.476127] ? dowaitintrirq+0x80/0x80 [ 14.476704] dotcpsendpages+0x287/0x600 [ 14.477283] tcpbpfpush+0xab/0x260 [ 14.477817] tcpbpfsendmsgredir+0x297/0x500 [ 14.478461] ? __localbhenable_ip+0x77/0xe0 [ 14.479096] tcpbpfsendverdict+0x105/0x470 [ 14.479729] tcpbpfsendmsg+0x318/0x4f0 [ 14.480311] socksendmsg+0x2d/0x40 [ 14.480822] ____syssendmsg+0x1b4/0x1c0 [ 14.481390] ? copymsghdrfromuser+0x62/0x80 [ 14.482048] ___syssendmsg+0x78/0xb0 [ 14.482580] ? vmfinsertpfnprot+0x91/0x150 [ 14.483215] ? __dofault+0x2a/0x1a0 [ 14.483738] ? dofault+0x15e/0x5d0 [ 14.484246] ? __handlemmfault+0x56b/0x1040 [ 14.484874] ? lockisheldtype+0xdf/0x130 [ 14.485474] ? findheld_lock+0x2d/0x90 [ 14.486046] ? __sys_sendmsg+0x41/0x70 [ 14.486587] _syssendmsg+0x41/0x70 [ 14.487105] ? intelpmudrainpebscore+0x350/0x350 [ 14.487822] dosyscall64+0x34/0x80 [ 14.488345] entrySYSCALL64afterhwframe+0x63/0xcd [...]

The test scenario has the following flow:

thread1 thread2 ----------- --------------- tcpbpfsendmsg tcpbpfsendverdict tcpbpfsendmsgredir sockclose tcpbpfpushlocked __sockrelease tcpbpfpush //inetrelease dotcpsendpages sock->ops->release skstreamwaitmemory // tcpclose skwaitevent sk->skprot->close releasesock(__sk); *** lock_sock(sk); __tcpclose sockorphan(sk) sk->skwq = NULL releasesock **** locksock(sk); removewaitqueue(sksleep(sk), &wait); sksleep(sk) //NULL pointer dereference &rcudereferenceraw(sk->skwq)->wait

While waiting for memory in thread1, the socket is released with its wait queue because thread2 has closed it. This caused by tcpbpfsendverdict didn't increase the fcount of psock->skredir->sksocket->file in thread1.

We should check if SOCKDEAD flag is set on wakeup in skstreamwaitmemory before accessing the wait queue.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50409.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
604326b41a6fb9b4a78b6179335decee0365cd8c
Fixed
a76462dbdd8bddcbeec9463bc9e54e509b860762
Fixed
65029aaedd15d9fe5ea1a899134e236d83f627bb
Fixed
124b7c773271f06af5a2cea694b283cdb5275cf5
Fixed
35f5e70bdfa7432762ac4ffa75e5a7574ac5563e
Fixed
435f5aa4421782af197b98d8525263977be4af5c
Fixed
3f8ef65af927db247418d4e1db49164d7a158fc5

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50409.json"