CVE-2022-49257

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49257
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49257.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49257
Published
2025-02-26T01:56:11Z
Modified
2025-10-14T22:23:30.479597Z
Summary
watch_queue: Fix NULL dereference in error cleanup
Details

In the Linux kernel, the following vulnerability has been resolved:

watch_queue: Fix NULL dereference in error cleanup

In watch_queue_set_size(), the error cleanup code doesn't take account of the fact that __free_page() can't handle a NULL pointer when trying to free up buffer pages that did get allocated.

Fix this by only calling __free_page() on the pages actually allocated.

Without the fix, this can lead to something like the following:

BUG: KASAN: null-ptr-deref in __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473
Read of size 4 at addr 0000000000000034 by task syz-executor168/3599
...
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 __kasan_report mm/kasan/report.c:446 [inline]
 kasan_report.cold+0x66/0xdf mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
 page_ref_count include/linux/page_ref.h:67 [inline]
 put_page_testzero include/linux/mm.h:717 [inline]
 __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473
 watch_queue_set_size+0x499/0x630 kernel/watch_queue.c:275
 pipe_ioctl+0xac/0x2b0 fs/pipe.c:632
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c73be61cede5882f9605a852414db559c0ebedfd
Fixed
5ae75b4ed30322b42abaa75ef1b784addfdb7dc9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c73be61cede5882f9605a852414db559c0ebedfd
Fixed
695c47cea02b9101e2fc2e7d36d552128592b347
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c73be61cede5882f9605a852414db559c0ebedfd
Fixed
112a2f9b0a8457794095a0450598f150724ec456
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c73be61cede5882f9605a852414db559c0ebedfd
Fixed
b6f5ad3e45d19f9c4ee3e8a2aff829f28d68591d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c73be61cede5882f9605a852414db559c0ebedfd
Fixed
a635415a064e77bcfbf43da413fd9dfe0bbed9cb

Affected versions

v5.*

v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.100
v5.10.101
v5.10.102
v5.10.103
v5.10.104
v5.10.105
v5.10.106
v5.10.107
v5.10.108
v5.10.109
v5.10.11
v5.10.12
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.15
v5.16.16
v5.16.17
v5.16.18
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1
v5.7
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

Database specific


Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Fixed
5.10.110
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.33
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.19
Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
5.17.2