CVE-2022-50335

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-50335
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50335.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50335
Downstream
Published
2025-09-15T14:49:50.150Z
Modified
2026-04-02T08:28:25.352561Z
Summary
9p: set req refcount to zero to avoid uninitialized usage
Details

In the Linux kernel, the following vulnerability has been resolved:

9p: set req refcount to zero to avoid uninitialized usage

When a new request is allocated, the refcount will be zero if it is reused, but if the request is newly allocated from slab, it is not fully initialized before being added to idr.

If the p9readwork got a response before the refcount initiated. It will use a uninitialized req, which will result in a bad request data struct.

Here is the logs from syzbot.

Corrupted memory at 0xffff88807eade00b [ 0xff 0x07 0x00 0x00 0x00 0x00 0x00 0x00 . . . . . . . . ] (in kfence-#110): p9fcallfini net/9p/client.c:248 [inline] p9reqput net/9p/client.c:396 [inline] p9reqput+0x208/0x250 net/9p/client.c:390 p9clientwalk+0x247/0x540 net/9p/client.c:1165 clonefid fs/9p/fid.h:21 [inline] v9fsfidxattrset+0xe4/0x2b0 fs/9p/xattr.c:118 v9fsxattrset fs/9p/xattr.c:100 [inline] v9fsxattrhandler_set+0x6f/0x120 fs/9p/xattr.c:159 __vfs_setxattr+0x119/0x180 fs/xattr.c:182 __vfssetxattrnoperm+0x129/0x5f0 fs/xattr.c:216 __vfssetxattrlocked+0x1d3/0x260 fs/xattr.c:277 vfssetxattr+0x143/0x340 fs/xattr.c:309 setxattr+0x146/0x160 fs/xattr.c:617 pathsetxattr+0x197/0x1c0 fs/xattr.c:636 __dosyssetxattr fs/xattr.c:652 [inline] __sesyssetxattr fs/xattr.c:648 [inline] __ia32syssetxattr+0xc0/0x160 fs/xattr.c:648 dosyscall32irqson arch/x86/entry/common.c:112 [inline] __dofastsyscall32+0x65/0xf0 arch/x86/entry/common.c:178 dofastsyscall32+0x33/0x70 arch/x86/entry/common.c:203 entrySYSENTERcompatafterhwframe+0x70/0x82

Below is a similar scenario, the scenario in the syzbot log looks more complicated than this one, but this patch can fix it.

 T21124                   p9_read_work

======================== second trans ================================= p9clientwalk p9clientrpc p9clientpreparereq p9tagalloc req = kmemcachealloc(p9reqcache, GFPNOFS); tag = idralloc << preempted >> req->tc.tag = tag; /* req->[refcount/tag] == uninitialized */ m->rreq = p9tag_lookup(m->client, m->rc.tag); /* increments uninitalized refcount */

    refcount_set(&req->refcount, 2);
                        /* cb drops one ref */
                        p9_client_cb(req)
                        /* reader thread drops its ref:
                           request is incorrectly freed */
                        p9_req_put(req)
/* use after free and ref underflow */
p9_req_put(req)

To fix it, we can initialize the refcount to zero before add to idr.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50335.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
728356dedeff8ef999cb436c71333ef4ac51a81c
Fixed
1cabce56626a61f4f02452cba61ad4332a4b73f8
Fixed
73c47b3123b351de2d3714a72a336c0f72f203af
Fixed
967fc34f297e40fd2e068cf6b0c3eb4916228539
Fixed
26273ade77f54716e30dfd40ac6e85ceb54ac0f9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
3665a4d9dca1bd06bc34afb72e637fe01b2776ee

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50335.json"