CVE-2022-50432

Source
https://cve.org/CVERecord?id=CVE-2022-50432
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50432.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50432
Downstream
Related
Published
2025-10-01T11:42:10.573Z
Modified
2026-07-11T03:55:29.300594820Z
Summary
kernfs: fix use-after-free in __kernfs_remove
Details

In the Linux kernel, the following vulnerability has been resolved:

kernfs: fix use-after-free in _kernfsremove

Syzkaller managed to trigger concurrent calls to kernfsremovebynamens() for the same file resulting in a KASAN detected use-after-free. The race occurs when the root node is freed during kernfs_drain().

To prevent this acquire an additional reference for the root of the tree that is removed before calling _kernfsremove().

Found by syzkaller with the following reproducer (slab_nomerge is required):

syzmountimage$ext4(0x0, &(0x7f0000000100)='./file0\x00', 0x100000, 0x0, 0x0, 0x0, 0x0) r0 = openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/self/exe\x00', 0x0, 0x0) close(r0) pipe2(&(0x7f0000000140)={0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x800) mount$9pfd(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f00000000c0), 0x408, &(0x7f0000000280)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@cacheloose}, {@mmap}, {@loose}, {@loose}, {@mmap}], [{@mask={'mask', 0x3d, '^MAYEXEC'}}, {@fsmagic={'fsmagic', 0x3d, 0x10001}}, {@donthash}]}})

Sample report:

================================================================== BUG: KASAN: use-after-free in kernfstype include/linux/kernfs.h:335 [inline] BUG: KASAN: use-after-free in kernfsleftmost_descendant fs/kernfs/dir.c:1261 [inline] BUG: KASAN: use-after-free in _kernfsremove.part.0+0x843/0x960 fs/kernfs/dir.c:1369 Read of size 2 at addr ffff8880088807f0 by task syz-executor.2/857

CPU: 0 PID: 857 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0x6e/0x91 lib/dumpstack.c:106 printaddressdescription mm/kasan/report.c:317 [inline] printreport.cold+0x5e/0x5e5 mm/kasan/report.c:433 kasanreport+0xa3/0x130 mm/kasan/report.c:495 kernfstype include/linux/kernfs.h:335 [inline] kernfsleftmostdescendant fs/kernfs/dir.c:1261 [inline] __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369 __kernfsremove fs/kernfs/dir.c:1356 [inline] kernfsremovebynamens+0x108/0x190 fs/kernfs/dir.c:1589 sysfsslab_add+0x133/0x1e0 mm/slub.c:5943 __kmemcachecreate+0x3e0/0x550 mm/slub.c:4899 createcache mm/slabcommon.c:229 [inline] kmemcachecreateusercopy+0x167/0x2a0 mm/slabcommon.c:335 p9clientcreate+0xd4d/0x1190 net/9p/client.c:993 v9fssessioninit+0x1e6/0x13c0 fs/9p/v9fs.c:408 v9fsmount+0xb9/0xbd0 fs/9p/vfssuper.c:126 legacygettree+0xf1/0x200 fs/fscontext.c:610 vfsgettree+0x85/0x2e0 fs/super.c:1530 donewmount fs/namespace.c:3040 [inline] pathmount+0x675/0x1d00 fs/namespace.c:3370 do_mount fs/namespace.c:3383 [inline] __dosysmount fs/namespace.c:3591 [inline] __sesysmount fs/namespace.c:3568 [inline] _x64sysmount+0x282/0x300 fs/namespace.c:3568 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x38/0x90 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd RIP: 0033:0x7f725f983aed Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f725f0f7028 EFLAGS: 00000246 ORIGRAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f725faa3f80 RCX: 00007f725f983aed RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000000 RBP: 00007f725f9f419c R08: 0000000020000280 R09: 0000000000000000 R10: 0000000000000408 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000006 R14: 00007f725faa3f80 R15: 00007f725f0d7000 </TASK>

Allocated by task 855: kasansavestack+0x1e/0x40 mm/kasan/common.c:38 kasansettrack mm/kasan/common.c:45 [inline] setallocinfo mm/kasan/common.c:437 [inline] _kasanslaballoc+0x66/0x80 mm/kasan/common.c:470 kasanslaballoc include/linux/kasan.h:224 [inline] slabpostallochook mm/slab.h:7 ---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50432.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
45a140e587f3d32d8d424ed940dffb61e1739047
Fixed
4dfd6a477a1525773469feaf3c514b2c0fef76b5
Fixed
02eb35131050735332658029082f61515b7dfe38
Fixed
028cf780743eea79abffa7206b9dcfc080ad3546
Fixed
c78b0dc6fb7fb389d674e491fd376388cdfb1d53
Fixed
6f72a3977ba9d0e5491a5c01315204272e7f9c44
Fixed
94d2643df1e70a4c310ebb5e2c493eec33df1a06
Fixed
af1b57cc39beca203559576b3046094fc9e5eb32
Fixed
4abc99652812a2ddf932f137515d5c5a04723538

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50432.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.14.0
Fixed
4.9.332
Type
ECOSYSTEM
Events
Introduced
4.10.0
Fixed
4.14.298
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.264
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.223
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.153
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.77
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50432.json"