CVE-2022-49554

Source
https://cve.org/CVERecord?id=CVE-2022-49554
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49554.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49554
Downstream
Published
2025-02-26T02:14:02.649Z
Modified
2026-04-02T08:27:42.706578Z
Summary
zsmalloc: fix races between asynchronous zspage free and page migration
Details

In the Linux kernel, the following vulnerability has been resolved:

zsmalloc: fix races between asynchronous zspage free and page migration

The asynchronous zspage free worker tries to lock a zspage's entire page list without defending against page migration. Since pages which haven't yet been locked can concurrently migrate off the zspage page list while lockzspage() churns away, lockzspage() can suffer from a few different lethal races.

It can lock a page which no longer belongs to the zspage and unsafely dereference pageprivate(), it can unsafely dereference a torn pointer to the next page (since there's a data race), and it can observe a spurious NULL pointer to the next page and thus not lock all of the zspage's pages (since a single page migration will reconstruct the entire page list, and createpage_chain() unconditionally zeroes out each list pointer in the process).

Fix the races by using migratereadlock() in lock_zspage() to synchronize with page migration.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49554.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
77ff465799c60294e248000cd22ae8171da3304c
Fixed
3674d8a8dadd03a447dd21069d4dacfc3399b63b
Fixed
645996efc2ae391246d595832aaa6f9d3cc338c7
Fixed
fc658c083904427abbf8f18280d517ee2668677c
Fixed
fae05b2314b147a78fbed1dc4c645d9a66313758
Fixed
3ec459c8810e658401be428d3168eacfc380bdd0
Fixed
8ba7b7c1dad1f6503c541778f31b33f7f62eb966
Fixed
c5402fb5f71f1a725f1e55d9c6799c0c7bec308f
Fixed
2505a981114dcb715f8977b8433f7540854851d8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49554.json"