In the Linux kernel, the following vulnerability has been resolved:
net: do not sense pfmemalloc status in skb_append_pagefrags()

skb_append_pagefrags() is used by the af_unix and udp sendpage() implementations so far.

In commit 326140063946 ("tcp: TX zerocopy should not sense pfmemalloc status") we explained why we should not sense pfmemalloc status for pages owned by user space.

We should also use skb_fill_page_desc_noacc() in skb_append_pagefrags() to avoid the following KCSAN report:
BUG: KCSAN: data-race in lru_add_fn / skb_append_pagefrags

write to 0xffffea00058fc1c8 of 8 bytes by task 17319 on cpu 0:
 __list_add include/linux/list.h:73 [inline]
 list_add include/linux/list.h:88 [inline]
 lruvec_add_folio include/linux/mm_inline.h:323 [inline]
 lru_add_fn+0x327/0x410 mm/swap.c:228
 folio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246
 lru_add_drain_cpu+0x73/0x250 mm/swap.c:669
 lru_add_drain+0x21/0x60 mm/swap.c:773
 free_pages_and_swap_cache+0x16/0x70 mm/swap_state.c:311
 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:256 [inline]
 tlb_flush_mmu+0x5b2/0x640 mm/mmu_gather.c:263
 tlb_finish_mmu+0x86/0x100 mm/mmu_gather.c:363
 exit_mmap+0x190/0x4d0 mm/mmap.c:3098
 __mmput+0x27/0x1b0 kernel/fork.c:1185
 mmput+0x3d/0x50 kernel/fork.c:1207
 copy_process+0x19fc/0x2100 kernel/fork.c:2518
 kernel_clone+0x166/0x550 kernel/fork.c:2671
 __do_sys_clone kernel/fork.c:2812 [inline]
 __se_sys_clone kernel/fork.c:2796 [inline]
 __x64_sys_clone+0xc3/0xf0 kernel/fork.c:2796
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffffea00058fc1c8 of 8 bytes by task 17325 on cpu 1:
 page_is_pfmemalloc include/linux/mm.h:1817 [inline]
 __skb_fill_page_desc include/linux/skbuff.h:2432 [inline]
 skb_fill_page_desc include/linux/skbuff.h:2453 [inline]
 skb_append_pagefrags+0x210/0x600 net/core/skbuff.c:3974
 unix_stream_sendpage+0x45e/0x990 net/unix/af_unix.c:2338
 kernel_sendpage+0x184/0x300 net/socket.c:3561
 sock_sendpage+0x5a/0x70 net/socket.c:1054
 pipe_to_sendpage+0x128/0x160 fs/splice.c:361
 splice_from_pipe_feed fs/splice.c:415 [inline]
 __splice_from_pipe+0x222/0x4d0 fs/splice.c:559
 splice_from_pipe fs/splice.c:594 [inline]
 generic_splice_sendpage+0x89/0xc0 fs/splice.c:743
 do_splice_from fs/splice.c:764 [inline]
 direct_splice_actor+0x80/0xa0 fs/splice.c:931
 splice_direct_to_actor+0x305/0x620 fs/splice.c:886
 do_splice_direct+0xfb/0x180 fs/splice.c:974
 do_sendfile+0x3bf/0x910 fs/read_write.c:1255
 __do_sys_sendfile64 fs/read_write.c:1323 [inline]
 __se_sys_sendfile64 fs/read_write.c:1309 [inline]
 __x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1309
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x0000000000000000 -> 0xffffea00058fc188

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 17325 Comm: syz-executor.0 Not tainted 6.1.0-rc1-syzkaller-00158-g440b7895c990-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
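The commit message above identifies the fix by its effect on one function: skb_append_pagefrags() in net/core/skbuff.c stops calling skb_fill_page_desc() (whose inline helper reads the page's pfmemalloc status) and calls skb_fill_page_desc_noacc() instead. The following script is an added example, not part of the CVE record or of the kernel: given a copy of net/core/skbuff.c, it extracts the body of skb_append_pagefrags() by brace matching and reports which of the two helpers that body calls, so a patched and an unpatched source tree can be told apart without relying on version strings. The two C fragments embedded in it are constructed placeholders standing in for the real function body; only the three function names come from the page.

```python
"""Report whether a copy of net/core/skbuff.c carries the CVE-2022-50323 fix.

Added example, not kernel code.  The check is purely textual: it finds the
definition of skb_append_pagefrags(), extracts its body by matching braces,
and looks for calls to skb_fill_page_desc() (unpatched) versus
skb_fill_page_desc_noacc() (patched).  Braces inside comments or string
literals within that body would confuse the matcher; the real function
contains neither, but the limitation is worth knowing.
"""
import re
import sys
from typing import Optional

FUNC = "skb_append_pagefrags"


def function_body(source: str, name: str) -> Optional[str]:
    """Return the text between the outer braces of C function `name`.

    Kernel definitions start at column 0, so the match is anchored to a line
    beginning with an identifier character; indented call sites such as
    `if (name(...)) {` are therefore not mistaken for the definition.
    """
    pattern = re.compile(
        r"^[A-Za-z_].*?\b" + re.escape(name) + r"\s*\([^;{]*\)\s*\{",
        re.MULTILINE,
    )
    m = pattern.search(source)
    if m is None:
        return None
    start = m.end() - 1          # index of the opening brace
    depth = 0
    for i in range(start, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[start + 1:i]
    return None                  # unbalanced braces


def classify(source: str) -> str:
    """'fixed', 'vulnerable', or 'not-found' for the given skbuff.c text."""
    body = function_body(source, FUNC)
    if body is None:
        return "not-found"
    # The plain-name regex cannot match the _noacc variant: after
    # "skb_fill_page_desc" it requires optional whitespace and then "(".
    plain = re.search(r"\bskb_fill_page_desc\s*\(", body) is not None
    noacc = re.search(r"\bskb_fill_page_desc_noacc\s*\(", body) is not None
    return "fixed" if noacc and not plain else "vulnerable"


# Constructed stand-ins for the function (placeholder bodies, not the
# kernel's code).  BEFORE mirrors the unpatched shape the commit message
# describes; AFTER is the same text with the helper swapped for _noacc.
BEFORE = """\
int skb_append_pagefrags(struct sk_buff *skb, struct page *page,
			 int offset, size_t size)
{
	int i = skb_shinfo(skb)->nr_frags;

	if (i < MAX_SKB_FRAGS) {
		get_page(page);
		skb_fill_page_desc(skb, i, page, offset, size);
	} else {
		return -EMSGSIZE;
	}
	return 0;
}
"""
AFTER = BEFORE.replace("skb_fill_page_desc(", "skb_fill_page_desc_noacc(")

# A constructed caller: the function name appears, but only at a call site.
CALLER = """\
static int some_sendpage(struct sk_buff *skb, struct page *page)
{
	if (skb_append_pagefrags(skb, page, 0, PAGE_SIZE) < 0) {
		return -EMSGSIZE;
	}
	return 0;
}
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(classify(fh.read()))
    else:
        for label, text in (("before", BEFORE), ("after", AFTER),
                            ("caller only", CALLER)):
            print(f"{label}: {classify(text)}")
```

Run it as `python check_skbuff.py /path/to/linux/net/core/skbuff.c` on a source tree; with no argument it classifies the embedded constructed fragments. A result of "not-found" on a real tree means the function definition did not match the column-0 anchoring (for instance a tree old enough not to have the function at all), not that the tree is safe.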
{ "vanir_signatures": [ { "deprecated": false, "signature_type": "Line", "target": { "file": "net/core/skbuff.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "260960432732364209575552863867823151243", "22147122852033877758915289072601016889", "227815661762858330450857614641045761504", "134879191580775201407442734840006036061" ], "threshold": 0.9 }, "id": "CVE-2022-50323-052c9168", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@92b4c5c3fa810212da20088bcc6c0a77fc8607bd" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "net/core/skbuff.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "16086393648493714363349477459719007420", "199434339268859463821151084965213347781", "227815661762858330450857614641045761504", "134879191580775201407442734840006036061" ], "threshold": 0.9 }, "id": "CVE-2022-50323-4366f1c8", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@847a2859814b31392340a2b16604b25afaa92dcc" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "net/core/skbuff.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "16086393648493714363349477459719007420", "199434339268859463821151084965213347781", "227815661762858330450857614641045761504", "134879191580775201407442734840006036061" ], "threshold": 0.9 }, "id": "CVE-2022-50323-c4207af0", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@228ebc41dfab5b5d34cd76835ddb0ca8ee12f513" } ] }