CVE-2022-50421

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50421
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50421.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50421
Downstream
Published
2025-10-01T11:41:54Z
Modified
2025-10-21T12:52:11.554609Z
Summary
rpmsg: char: Avoid double destroy of default endpoint
Details

In the Linux kernel, the following vulnerability has been resolved:

rpmsg: char: Avoid double destroy of default endpoint

The rpmsgdevremove() in rpmsg_core is the place for releasing this default endpoint.

So need to avoid destroying the default endpoint in rpmsgchrdeveptdevdestroy(), this should be the same as rpmsgeptdev_release(). Otherwise there will be double destroy issue that ept->refcount report warning:

refcount_t: underflow; use-after-free.

Call trace: refcountwarnsaturate+0xf8/0x150 virtiorpmsgdestroyept+0xd4/0xec rpmsgdev_remove+0x60/0x70

The issue can be reproduced by stopping remoteproc before closing the /dev/rpmsgX.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bea9b79c2d10fecf7bfa26e212ecefe61d232e39
Fixed
ef828a39d6a7028836eaf37df3ad568c8c2dd6f9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bea9b79c2d10fecf7bfa26e212ecefe61d232e39
Fixed
3f20ef7a845c2c8d7ec82ecffa20d95cab5ecfeb
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bea9b79c2d10fecf7bfa26e212ecefe61d232e39
Fixed
467233a4ac29b215d492843d067a9f091e6bf0c5

Affected versions

v5.*

v5.17
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.19.1
v5.19.10
v5.19.11
v5.19.12
v5.19.13
v5.19.14
v5.19.15
v5.19.16
v5.19.2
v5.19.3
v5.19.4
v5.19.5
v5.19.6
v5.19.7
v5.19.8
v5.19.9

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.0.1
v6.0.2

Database specific

vanir_signatures

[
    {
        "id": "CVE-2022-50421-15d20137",
        "target": {
            "function": "rpmsg_chrdev_eptdev_destroy",
            "file": "drivers/rpmsg/rpmsg_char.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3f20ef7a845c2c8d7ec82ecffa20d95cab5ecfeb",
        "signature_type": "Function",
        "digest": {
            "function_hash": "67806604135756741912738740695147545156",
            "length": 338.0
        },
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "id": "CVE-2022-50421-6e2a71b2",
        "target": {
            "function": "rpmsg_chrdev_eptdev_destroy",
            "file": "drivers/rpmsg/rpmsg_char.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ef828a39d6a7028836eaf37df3ad568c8c2dd6f9",
        "signature_type": "Function",
        "digest": {
            "function_hash": "67806604135756741912738740695147545156",
            "length": 338.0
        },
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "id": "CVE-2022-50421-7012e308",
        "target": {
            "function": "rpmsg_chrdev_eptdev_destroy",
            "file": "drivers/rpmsg/rpmsg_char.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@467233a4ac29b215d492843d067a9f091e6bf0c5",
        "signature_type": "Function",
        "digest": {
            "function_hash": "67806604135756741912738740695147545156",
            "length": 338.0
        },
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "id": "CVE-2022-50421-752f62bb",
        "target": {
            "file": "drivers/rpmsg/rpmsg_char.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3f20ef7a845c2c8d7ec82ecffa20d95cab5ecfeb",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "282460863745932472355555463131454235662",
                "31349249219595669565506758156419737028",
                "39643949646227735841169270447377374033",
                "7774210440371439177215656698786097700"
            ]
        },
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "id": "CVE-2022-50421-94df40fe",
        "target": {
            "file": "drivers/rpmsg/rpmsg_char.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@467233a4ac29b215d492843d067a9f091e6bf0c5",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "282460863745932472355555463131454235662",
                "31349249219595669565506758156419737028",
                "39643949646227735841169270447377374033",
                "7774210440371439177215656698786097700"
            ]
        },
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "id": "CVE-2022-50421-c43933e8",
        "target": {
            "file": "drivers/rpmsg/rpmsg_char.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ef828a39d6a7028836eaf37df3ad568c8c2dd6f9",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "282460863745932472355555463131454235662",
                "31349249219595669565506758156419737028",
                "39643949646227735841169270447377374033",
                "7774210440371439177215656698786097700"
            ]
        },
        "deprecated": false,
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.18.0
Fixed
5.19.17
Type
ECOSYSTEM
Events
Introduced
5.20.0
Fixed
6.0.3