CVE-2022-50335 - Vulnerability Details

Link	Providers
https://git.kernel.org/stable/c/1cabce56626a61f4f02452cba61ad4332a4b73f8
https://git.kernel.org/stable/c/26273ade77f54716e30dfd40ac6e85ceb54ac0f9
https://git.kernel.org/stable/c/73c47b3123b351de2d3714a72a336c0f72f203af
https://git.kernel.org/stable/c/967fc34f297e40fd2e068cf6b0c3eb4916228539

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: 9p: set req refcount to zero to avoid uninitialized usage When a new request is allocated, the refcount will be zero if it is reused, but if the request is newly allocated from slab, it is not fully initialized before being added to idr. If the p9_read_work got a response before the refcount initiated. It will use a uninitialized req, which will result in a bad request data struct. Here is the logs from syzbot. Corrupted memory at 0xffff88807eade00b [ 0xff 0x07 0x00 0x00 0x00 0x00 0x00 0x00 . . . . . . . . ] (in kfence-#110): p9_fcall_fini net/9p/client.c:248 [inline] p9_req_put net/9p/client.c:396 [inline] p9_req_put+0x208/0x250 net/9p/client.c:390 p9_client_walk+0x247/0x540 net/9p/client.c:1165 clone_fid fs/9p/fid.h:21 [inline] v9fs_fid_xattr_set+0xe4/0x2b0 fs/9p/xattr.c:118 v9fs_xattr_set fs/9p/xattr.c:100 [inline] v9fs_xattr_handler_set+0x6f/0x120 fs/9p/xattr.c:159 __vfs_setxattr+0x119/0x180 fs/xattr.c:182 __vfs_setxattr_noperm+0x129/0x5f0 fs/xattr.c:216 __vfs_setxattr_locked+0x1d3/0x260 fs/xattr.c:277 vfs_setxattr+0x143/0x340 fs/xattr.c:309 setxattr+0x146/0x160 fs/xattr.c:617 path_setxattr+0x197/0x1c0 fs/xattr.c:636 __do_sys_setxattr fs/xattr.c:652 [inline] __se_sys_setxattr fs/xattr.c:648 [inline] __ia32_sys_setxattr+0xc0/0x160 fs/xattr.c:648 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 entry_SYSENTER_compat_after_hwframe+0x70/0x82 Below is a similar scenario, the scenario in the syzbot log looks more complicated than this one, but this patch can fix it. T21124 p9_read_work ======================== second trans ================================= p9_client_walk p9_client_rpc p9_client_prepare_req p9_tag_alloc req = kmem_cache_alloc(p9_req_cache, GFP_NOFS); tag = idr_alloc << preempted >> req->tc.tag = tag; /* req->[refcount/tag] == uninitialized / m->rreq = p9_tag_lookup(m->client, m->rc.tag); / increments uninitalized refcount / refcount_set(&req->refcount, 2); / cb drops one ref / p9_client_cb(req) / reader thread drops its ref: request is incorrectly freed / p9_req_put(req) / use after free and ref underflow */ p9_req_put(req) To fix it, we can initialize the refcount to zero before add to idr.
Title		9p: set req refcount to zero to avoid uninitialized usage
References		https://git.kernel.org/stable/c/1cabce56626a61f4f02452cba61ad4332a4b73f8 https://git.kernel.org/stable/c/26273ade77f54716e30dfd40ac6e85ceb54ac0f9 https://git.kernel.org/stable/c/73c47b3123b351de2d3714a72a336c0f72f203af https://git.kernel.org/stable/c/967fc34f297e40fd2e068cf6b0c3eb4916228539

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-50335", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-09-15T14:18:36.816Z", "datePublished": "2025-09-15T14:49:50.150Z", "dateUpdated": "2025-09-15T14:49:50.150Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-15T14:49:50.150Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: set req refcount to zero to avoid uninitialized usage\n\nWhen a new request is allocated, the refcount will be zero if it is\nreused, but if the request is newly allocated from slab, it is not fully\ninitialized before being added to idr.\n\nIf the p9_read_work got a response before the refcount initiated. It will\nuse a uninitialized req, which will result in a bad request data struct.\n\nHere is the logs from syzbot.\n\nCorrupted memory at 0xffff88807eade00b [ 0xff 0x07 0x00 0x00 0x00 0x00\n0x00 0x00 . . . . . . . . ] (in kfence-#110):\n p9_fcall_fini net/9p/client.c:248 [inline]\n p9_req_put net/9p/client.c:396 [inline]\n p9_req_put+0x208/0x250 net/9p/client.c:390\n p9_client_walk+0x247/0x540 net/9p/client.c:1165\n clone_fid fs/9p/fid.h:21 [inline]\n v9fs_fid_xattr_set+0xe4/0x2b0 fs/9p/xattr.c:118\n v9fs_xattr_set fs/9p/xattr.c:100 [inline]\n v9fs_xattr_handler_set+0x6f/0x120 fs/9p/xattr.c:159\n __vfs_setxattr+0x119/0x180 fs/xattr.c:182\n __vfs_setxattr_noperm+0x129/0x5f0 fs/xattr.c:216\n __vfs_setxattr_locked+0x1d3/0x260 fs/xattr.c:277\n vfs_setxattr+0x143/0x340 fs/xattr.c:309\n setxattr+0x146/0x160 fs/xattr.c:617\n path_setxattr+0x197/0x1c0 fs/xattr.c:636\n __do_sys_setxattr fs/xattr.c:652 [inline]\n __se_sys_setxattr fs/xattr.c:648 [inline]\n __ia32_sys_setxattr+0xc0/0x160 fs/xattr.c:648\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nBelow is a similar scenario, the scenario in the syzbot log looks more\ncomplicated than this one, but this patch can fix it.\n\n T21124 p9_read_work\n======================== second trans =================================\np9_client_walk\n p9_client_rpc\n p9_client_prepare_req\n p9_tag_alloc\n req = kmem_cache_alloc(p9_req_cache, GFP_NOFS);\n tag = idr_alloc\n << preempted >>\n req->tc.tag = tag;\n /* req->[refcount/tag] == uninitialized */\n m->rreq = p9_tag_lookup(m->client, m->rc.tag);\n /* increments uninitalized refcount */\n\n refcount_set(&req->refcount, 2);\n /* cb drops one ref */\n p9_client_cb(req)\n /* reader thread drops its ref:\n request is incorrectly freed */\n p9_req_put(req)\n /* use after free and ref underflow */\n p9_req_put(req)\n\nTo fix it, we can initialize the refcount to zero before add to idr."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/9p/client.c"], "versions": [{"version": "728356dedeff8ef999cb436c71333ef4ac51a81c", "lessThan": "1cabce56626a61f4f02452cba61ad4332a4b73f8", "status": "affected", "versionType": "git"}, {"version": "728356dedeff8ef999cb436c71333ef4ac51a81c", "lessThan": "73c47b3123b351de2d3714a72a336c0f72f203af", "status": "affected", "versionType": "git"}, {"version": "728356dedeff8ef999cb436c71333ef4ac51a81c", "lessThan": "967fc34f297e40fd2e068cf6b0c3eb4916228539", "status": "affected", "versionType": "git"}, {"version": "728356dedeff8ef999cb436c71333ef4ac51a81c", "lessThan": "26273ade77f54716e30dfd40ac6e85ceb54ac0f9", "status": "affected", "versionType": "git"}, {"version": "3665a4d9dca1bd06bc34afb72e637fe01b2776ee", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/9p/client.c"], "versions": [{"version": "4.20", "status": "affected"}, {"version": "0", "lessThan": "4.20", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.86", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.16", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.2", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.15.86"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.0.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.1.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.57"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1cabce56626a61f4f02452cba61ad4332a4b73f8"}, {"url": "https://git.kernel.org/stable/c/73c47b3123b351de2d3714a72a336c0f72f203af"}, {"url": "https://git.kernel.org/stable/c/967fc34f297e40fd2e068cf6b0c3eb4916228539"}, {"url": "https://git.kernel.org/stable/c/26273ade77f54716e30dfd40ac6e85ceb54ac0f9"}], "title": "9p: set req refcount to zero to avoid uninitialized usage", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: set req refcount to zero to avoid uninitialized usage\n\nWhen a new request is allocated, the refcount will be zero if it is\nreused, but if the request is newly allocated from slab, it is not fully\ninitialized before being added to idr.\n\nIf the p9_read_work got a response before the refcount initiated. It will\nuse a uninitialized req, which will result in a bad request data struct.\n\nHere is the logs from syzbot.\n\nCorrupted memory at 0xffff88807eade00b [ 0xff 0x07 0x00 0x00 0x00 0x00\n0x00 0x00 . . . . . . . . ] (in kfence-#110):\n p9_fcall_fini net/9p/client.c:248 [inline]\n p9_req_put net/9p/client.c:396 [inline]\n p9_req_put+0x208/0x250 net/9p/client.c:390\n p9_client_walk+0x247/0x540 net/9p/client.c:1165\n clone_fid fs/9p/fid.h:21 [inline]\n v9fs_fid_xattr_set+0xe4/0x2b0 fs/9p/xattr.c:118\n v9fs_xattr_set fs/9p/xattr.c:100 [inline]\n v9fs_xattr_handler_set+0x6f/0x120 fs/9p/xattr.c:159\n __vfs_setxattr+0x119/0x180 fs/xattr.c:182\n __vfs_setxattr_noperm+0x129/0x5f0 fs/xattr.c:216\n __vfs_setxattr_locked+0x1d3/0x260 fs/xattr.c:277\n vfs_setxattr+0x143/0x340 fs/xattr.c:309\n setxattr+0x146/0x160 fs/xattr.c:617\n path_setxattr+0x197/0x1c0 fs/xattr.c:636\n __do_sys_setxattr fs/xattr.c:652 [inline]\n __se_sys_setxattr fs/xattr.c:648 [inline]\n __ia32_sys_setxattr+0xc0/0x160 fs/xattr.c:648\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nBelow is a similar scenario, the scenario in the syzbot log looks more\ncomplicated than this one, but this patch can fix it.\n\n T21124 p9_read_work\n======================== second trans =================================\np9_client_walk\n p9_client_rpc\n p9_client_prepare_req\n p9_tag_alloc\n req = kmem_cache_alloc(p9_req_cache, GFP_NOFS);\n tag = idr_alloc\n << preempted >>\n req->tc.tag = tag;\n /* req->[refcount/tag] == uninitialized */\n m->rreq = p9_tag_lookup(m->client, m->rc.tag);\n /* increments uninitalized refcount */\n\n refcount_set(&req->refcount, 2);\n /* cb drops one ref */\n p9_client_cb(req)\n /* reader thread drops its ref:\n request is incorrectly freed */\n p9_req_put(req)\n /* use after free and ref underflow */\n p9_req_put(req)\n\nTo fix it, we can initialize the refcount to zero before add to idr."}], "id": "CVE-2022-50335", "lastModified": "2025-09-15T15:22:27.090", "metrics": {}, "published": "2025-09-15T15:15:45.817", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1cabce56626a61f4f02452cba61ad4332a4b73f8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/26273ade77f54716e30dfd40ac6e85ceb54ac0f9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/73c47b3123b351de2d3714a72a336c0f72f203af"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/967fc34f297e40fd2e068cf6b0c3eb4916228539"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object