CVE-2022-49257

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-49257
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49257.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49257
Downstream
Related
Published
2025-02-26T01:56:11.072Z
Modified
2026-03-11T04:22:38.284916Z
Summary
watch_queue: Fix NULL dereference in error cleanup
Details

In the Linux kernel, the following vulnerability has been resolved:

watch_queue: Fix NULL dereference in error cleanup

In watchqueueset_size(), the error cleanup code doesn't take account of the fact that _freepage() can't handle a NULL pointer when trying to free up buffer pages that did get allocated.

Fix this by only calling _freepage() on the pages actually allocated.

Without the fix, this can lead to something like the following:

BUG: KASAN: null-ptr-deref in __freepages+0x1f/0x1b0 mm/pagealloc.c:5473 Read of size 4 at addr 0000000000000034 by task syz-executor168/3599 ... Call Trace: <TASK> __dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0xcd/0x134 lib/dump_stack.c:106 __kasanreport mm/kasan/report.c:446 [inline] kasanreport.cold+0x66/0xdf mm/kasan/report.c:459 checkregioninline mm/kasan/generic.c:183 [inline] kasancheckrange+0x13d/0x180 mm/kasan/generic.c:189 instrumentatomicread include/linux/instrumented.h:71 [inline] atomicread include/linux/atomic/atomic-instrumented.h:27 [inline] pagerefcount include/linux/pageref.h:67 [inline] putpagetestzero include/linux/mm.h:717 [inline] __freepages+0x1f/0x1b0 mm/pagealloc.c:5473 watchqueuesetsize+0x499/0x630 kernel/watchqueue.c:275 pipeioctl+0xac/0x2b0 fs/pipe.c:632 vfsioctl fs/ioctl.c:51 [inline] __dosysioctl fs/ioctl.c:874 [inline] __sesysioctl fs/ioctl.c:860 [inline] __x64sysioctl+0x193/0x200 fs/ioctl.c:860 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x35/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x44/0xae

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49257.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c73be61cede5882f9605a852414db559c0ebedfd
Fixed
5ae75b4ed30322b42abaa75ef1b784addfdb7dc9
Fixed
695c47cea02b9101e2fc2e7d36d552128592b347
Fixed
112a2f9b0a8457794095a0450598f150724ec456
Fixed
b6f5ad3e45d19f9c4ee3e8a2aff829f28d68591d
Fixed
a635415a064e77bcfbf43da413fd9dfe0bbed9cb

Affected versions

v5.*
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.100
v5.10.101
v5.10.102
v5.10.103
v5.10.104
v5.10.105
v5.10.106
v5.10.107
v5.10.108
v5.10.109
v5.10.11
v5.10.12
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.15
v5.16.16
v5.16.17
v5.16.18
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1
v5.7
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

Database specific

vanir_signatures 
[
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2022-49257-35a5bb5c",
        "target": {
            "file": "kernel/watch_queue.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "43262517691715942257670191058740776878",
                "275112086765420350613866260230741757028",
                "242087733265366431217218807782885859929",
                "71047390175725218241309330336171080411"
            ]
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@695c47cea02b9101e2fc2e7d36d552128592b347"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2022-49257-61588e5b",
        "target": {
            "file": "kernel/watch_queue.c",
            "function": "watch_queue_set_size"
        },
        "digest": {
            "length": 1447.0,
            "function_hash": "282780513518245143971803437731879579721"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@695c47cea02b9101e2fc2e7d36d552128592b347"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2022-49257-9c4a2622",
        "target": {
            "file": "kernel/watch_queue.c",
            "function": "watch_queue_set_size"
        },
        "digest": {
            "length": 1447.0,
            "function_hash": "282780513518245143971803437731879579721"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@112a2f9b0a8457794095a0450598f150724ec456"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2022-49257-ee122640",
        "target": {
            "file": "kernel/watch_queue.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "43262517691715942257670191058740776878",
                "275112086765420350613866260230741757028",
                "242087733265366431217218807782885859929",
                "71047390175725218241309330336171080411"
            ]
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@112a2f9b0a8457794095a0450598f150724ec456"
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49257.json"