CVE-2022-49443
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-49443
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49443.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-49443
- Downstream
- Related
- Published
- 2025-02-26T02:12:55Z
- Modified
- 2025-10-21T10:20:11.019734Z
- Severity
-
- 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- list: fix a data-race around ep->rdllist
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
list: fix a data-race around ep->rdllist
eppoll() first calls epeventsavailable() with no lock held and checks if ep->rdllist is empty by listempty_careful(), which reads rdllist->prev. Thus all accesses to it need some protection to avoid store/load-tearing.
Note INITLISTHEAD_RCU() already has the annotation for both prev and next.
Commit bf3b9f6372c4 ("epoll: Add busy poll support to epoll with socket fds.") added the first lockless epeventsavailable(), and commit c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epollwait()") made some epeventsavailable() calls lockless and added single call under a lock, finally commit e59d3c64cba6 ("epoll: eliminate unnecessary lock for zero timeout") made the last epevents_available() lockless.
BUG: KCSAN: data-race in doepollwait / doepollwait
write to 0xffff88810480c7d8 of 8 bytes by task 1802 on cpu 0: INITLISTHEAD include/linux/list.h:38 [inline] listspliceinit include/linux/list.h:492 [inline] epstartscan fs/eventpoll.c:622 [inline] epsendevents fs/eventpoll.c:1656 [inline] eppoll fs/eventpoll.c:1806 [inline] doepollwait+0x4eb/0xf40 fs/eventpoll.c:2234 doepollpwait fs/eventpoll.c:2268 [inline] _dosysepollpwait fs/eventpoll.c:2281 [inline] _sesysepollpwait+0x12b/0x240 fs/eventpoll.c:2275 _x64sysepollpwait+0x74/0x80 fs/eventpoll.c:2275 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x44/0xd0 arch/x86/entry/common.c:80 entrySYSCALL64after_hwframe+0x44/0xae
read to 0xffff88810480c7d8 of 8 bytes by task 1799 on cpu 1: listemptycareful include/linux/list.h:329 [inline] epeventsavailable fs/eventpoll.c:381 [inline] eppoll fs/eventpoll.c:1797 [inline] doepollwait+0x279/0xf40 fs/eventpoll.c:2234 doepollpwait fs/eventpoll.c:2268 [inline] _dosysepollpwait fs/eventpoll.c:2281 [inline] _sesysepollpwait+0x12b/0x240 fs/eventpoll.c:2275 _x64sysepollpwait+0x74/0x80 fs/eventpoll.c:2275 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x44/0xd0 arch/x86/entry/common.c:80 entrySYSCALL64after_hwframe+0x44/0xae
value changed: 0xffff88810480c7d0 -> 0xffff888103c15098
Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 1799 Comm: syz-fuzzer Tainted: G W 5.17.0-rc7-syzkaller-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/5d5d993f16be15d124be7b8ec71b28ef7b7dc3af
- https://git.kernel.org/stable/c/cb3e48f7a35033deb9455abe3932e63cb500b9eb
- https://git.kernel.org/stable/c/d679ae94fdd5d3ab00c35078f5af5f37e068b03d
- https://git.kernel.org/stable/c/e039c0b5985999b150594126225e1ee51df7b4c9
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedbf3b9f6372c45b0fbf24d86b8794910d20170017Fixed5d5d993f16be15d124be7b8ec71b28ef7b7dc3af
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedbf3b9f6372c45b0fbf24d86b8794910d20170017Fixedcb3e48f7a35033deb9455abe3932e63cb500b9eb
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedbf3b9f6372c45b0fbf24d86b8794910d20170017Fixede039c0b5985999b150594126225e1ee51df7b4c9
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedbf3b9f6372c45b0fbf24d86b8794910d20170017Fixedd679ae94fdd5d3ab00c35078f5af5f37e068b03d
Affected versions
v4.*
v4.11
v4.11-rc4
v4.11-rc5
v4.11-rc6
v4.11-rc7
v4.11-rc8
v4.12
v4.12-rc1
v4.12-rc2
v4.12-rc3
v4.12-rc4
v4.12-rc5
v4.12-rc6
v4.12-rc7
v4.13
v4.13-rc1
v4.13-rc2
v4.13-rc3
v4.13-rc4
v4.13-rc5
v4.13-rc6
v4.13-rc7
v4.14
v4.14-rc1
v4.14-rc2
v4.14-rc3
v4.14-rc4
v4.14-rc5
v4.14-rc6
v4.14-rc7
v4.14-rc8
v4.15
v4.15-rc1
v4.15-rc2
v4.15-rc3
v4.15-rc4
v4.15-rc5
v4.15-rc6
v4.15-rc7
v4.15-rc8
v4.15-rc9
v4.16
v4.16-rc1
v4.16-rc2
v4.16-rc3
v4.16-rc4
v4.16-rc5
v4.16-rc6
v4.16-rc7
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7
v5.*
v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1
v5.17.10
v5.17.11
v5.17.12
v5.17.13
v5.17.2
v5.17.3
v5.17.4
v5.17.5
v5.17.6
v5.17.7
v5.17.8
v5.17.9
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.18.1
v5.18.2
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
Database specific
vanir_signatures
[
{
"id": "CVE-2022-49443-1b26fb61",
"target": {
"function": "list_empty_careful",
"file": "include/linux/list.h"
},
"digest": {
"length": 162.0,
"function_hash": "152860699403428949403386120242651819017"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5d5d993f16be15d124be7b8ec71b28ef7b7dc3af"
},
{
"id": "CVE-2022-49443-3d06c1b7",
"target": {
"file": "include/linux/list.h"
},
"digest": {
"line_hashes": [
"285301667123253482815107094900067298954",
"304198888918349581137534831089931129589",
"105184339883396649180809366020490080637",
"235233568318878774450355331048407094196",
"93011027666388756805119376497584812597",
"209734376473135665878044984539904734177",
"154572271384158592778798180663376145631",
"87966637453555184629760135993640003231",
"117158207064014378342880418254362250918",
"87004208210816761005227126626703318127",
"100687842352233457404485521777622616899",
"93888019351054795736417620173980640828"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cb3e48f7a35033deb9455abe3932e63cb500b9eb"
},
{
"id": "CVE-2022-49443-5a5930e4",
"target": {
"function": "list_empty_careful",
"file": "include/linux/list.h"
},
"digest": {
"length": 162.0,
"function_hash": "152860699403428949403386120242651819017"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d679ae94fdd5d3ab00c35078f5af5f37e068b03d"
},
{
"id": "CVE-2022-49443-b09d60f0",
"target": {
"function": "list_del_init_careful",
"file": "include/linux/list.h"
},
"digest": {
"length": 134.0,
"function_hash": "140704830252444946137652906567989860521"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cb3e48f7a35033deb9455abe3932e63cb500b9eb"
},
{
"id": "CVE-2022-49443-b86eaeb7",
"target": {
"file": "include/linux/list.h"
},
"digest": {
"line_hashes": [
"285301667123253482815107094900067298954",
"304198888918349581137534831089931129589",
"105184339883396649180809366020490080637",
"235233568318878774450355331048407094196",
"93011027666388756805119376497584812597",
"209734376473135665878044984539904734177",
"154572271384158592778798180663376145631",
"87966637453555184629760135993640003231",
"117158207064014378342880418254362250918",
"87004208210816761005227126626703318127",
"100687842352233457404485521777622616899",
"93888019351054795736417620173980640828"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5d5d993f16be15d124be7b8ec71b28ef7b7dc3af"
},
{
"id": "CVE-2022-49443-c486a845",
"target": {
"function": "list_del_init_careful",
"file": "include/linux/list.h"
},
"digest": {
"length": 134.0,
"function_hash": "140704830252444946137652906567989860521"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5d5d993f16be15d124be7b8ec71b28ef7b7dc3af"
},
{
"id": "CVE-2022-49443-cf2239a0",
"target": {
"function": "list_del_init_careful",
"file": "include/linux/list.h"
},
"digest": {
"length": 134.0,
"function_hash": "140704830252444946137652906567989860521"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d679ae94fdd5d3ab00c35078f5af5f37e068b03d"
},
{
"id": "CVE-2022-49443-da22d9a7",
"target": {
"function": "list_empty_careful",
"file": "include/linux/list.h"
},
"digest": {
"length": 162.0,
"function_hash": "152860699403428949403386120242651819017"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e039c0b5985999b150594126225e1ee51df7b4c9"
},
{
"id": "CVE-2022-49443-dbcd2719",
"target": {
"file": "include/linux/list.h"
},
"digest": {
"line_hashes": [
"285301667123253482815107094900067298954",
"304198888918349581137534831089931129589",
"105184339883396649180809366020490080637",
"235233568318878774450355331048407094196",
"93011027666388756805119376497584812597",
"209734376473135665878044984539904734177",
"154572271384158592778798180663376145631",
"87966637453555184629760135993640003231",
"117158207064014378342880418254362250918",
"87004208210816761005227126626703318127",
"100687842352233457404485521777622616899",
"93888019351054795736417620173980640828"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d679ae94fdd5d3ab00c35078f5af5f37e068b03d"
},
{
"id": "CVE-2022-49443-e9caaf60",
"target": {
"function": "list_empty_careful",
"file": "include/linux/list.h"
},
"digest": {
"length": 162.0,
"function_hash": "152860699403428949403386120242651819017"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cb3e48f7a35033deb9455abe3932e63cb500b9eb"
},
{
"id": "CVE-2022-49443-fc6260b2",
"target": {
"file": "include/linux/list.h"
},
"digest": {
"line_hashes": [
"285301667123253482815107094900067298954",
"304198888918349581137534831089931129589",
"105184339883396649180809366020490080637",
"235233568318878774450355331048407094196",
"93011027666388756805119376497584812597",
"209734376473135665878044984539904734177",
"154572271384158592778798180663376145631",
"87966637453555184629760135993640003231",
"117158207064014378342880418254362250918",
"87004208210816761005227126626703318127",
"100687842352233457404485521777622616899",
"93888019351054795736417620173980640828"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e039c0b5985999b150594126225e1ee51df7b4c9"
},
{
"id": "CVE-2022-49443-fef725ad",
"target": {
"function": "list_del_init_careful",
"file": "include/linux/list.h"
},
"digest": {
"length": 134.0,
"function_hash": "140704830252444946137652906567989860521"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e039c0b5985999b150594126225e1ee51df7b4c9"
}
]