Message-ID: <2025120948-CVE-2022-50676-1387@gregkh>
Date: Tue, 9 Dec 2025 10:31:01 +0900
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50676: net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()

syzbot is reporting lockdep warning at rds_tcp_reset_callbacks() [1], for
commit ac3615e7f3cffe2a ("RDS: TCP: Reduce code duplication in
rds_tcp_reset_callbacks()") added cancel_delayed_work_sync() into a section
protected by lock_sock() without realizing that rds_send_xmit() might call
lock_sock().

We don't need to protect cancel_delayed_work_sync() using lock_sock(), for
even if rds_{send,recv}_worker() re-queued this work while __flush_work()
from cancel_delayed_work_sync() was waiting for this work to complete,
retried rds_{send,recv}_worker() is no-op due to the absence of RDS_CONN_UP
bit.

The Linux kernel CVE team has assigned CVE-2022-50676 to this issue.

Affected and fixed versions
===========================
Issue introduced in 4.8 with commit ac3615e7f3cffe2a1a6b25172dfd09e138593d82 and fixed in 4.9.331 with commit 5d2ba255e93211e541373469dffbda7c99dfa0e5
Issue introduced in 4.8 with commit ac3615e7f3cffe2a1a6b25172dfd09e138593d82 and fixed in 4.14.296 with commit 2425007c0967a7c04b0dee7cce05ecf0ca869ad1
Issue introduced in 4.8 with commit ac3615e7f3cffe2a1a6b25172dfd09e138593d82 and fixed in 4.19.262 with commit e3cb25d3ad08f5dbd53ce2b31720cad529944322
Issue introduced in 4.8 with commit ac3615e7f3cffe2a1a6b25172dfd09e138593d82 and fixed in 5.4.220 with commit 360aa7219285fac63dab99706a16f2daf3222abe
Issue introduced in 4.8 with commit ac3615e7f3cffe2a1a6b25172dfd09e138593d82 and fixed in 5.10.150 with commit da349221c4d2d4ac5f606c1c3b36d4ef0b3e6a0c
Issue introduced in 4.8 with commit ac3615e7f3cffe2a1a6b25172dfd09e138593d82 and fixed in 5.15.75 with commit 30bfa5aa7228eb1e67663d67e553627e572cc717
Issue introduced in 4.8 with commit ac3615e7f3cffe2a1a6b25172dfd09e138593d82 and fixed in 5.19.17 with commit c380c28ab9b15fc53565909c814f6dd3e7f77c4b
Issue introduced in 4.8 with commit ac3615e7f3cffe2a1a6b25172dfd09e138593d82 and fixed in 6.0.3 with commit afe7053c390fe8ff27d0c2ceaece5625283044ba
Issue introduced in 4.8 with commit ac3615e7f3cffe2a1a6b25172dfd09e138593d82 and fixed in 6.1 with commit a91b750fd6629354460282bbf5146c01b05c4859

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-50676
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============
The file(s) affected by this issue are:
net/rds/tcp.c

Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/5d2ba255e93211e541373469dffbda7c99dfa0e5
https://git.kernel.org/stable/c/2425007c0967a7c04b0dee7cce05ecf0ca869ad1
https://git.kernel.org/stable/c/e3cb25d3ad08f5dbd53ce2b31720cad529944322
https://git.kernel.org/stable/c/360aa7219285fac63dab99706a16f2daf3222abe
https://git.kernel.org/stable/c/da349221c4d2d4ac5f606c1c3b36d4ef0b3e6a0c
https://git.kernel.org/stable/c/30bfa5aa7228eb1e67663d67e553627e572cc717
https://git.kernel.org/stable/c/c380c28ab9b15fc53565909c814f6dd3e7f77c4b
https://git.kernel.org/stable/c/afe7053c390fe8ff27d0c2ceaece5625283044ba
https://git.kernel.org/stable/c/a91b750fd6629354460282bbf5146c01b05c4859
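
The lock ordering from the Description, shown as a user-space analogue that is added here for illustration and is not kernel code or part of the advisory or its fix commits. Assumptions: a pthread mutex stands in for lock_sock(), a thread for the queued send work, and a bounded poll for cancel_delayed_work_sync(); every function name below is hypothetical.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <time.h>

static pthread_mutex_t sock_lock = PTHREAD_MUTEX_INITIALIZER; /* plays lock_sock() */
static atomic_int work_done;

/* Plays the send worker: it must take the socket lock before it can finish. */
static void *send_worker(void *arg)
{
    (void)arg;
    pthread_mutex_lock(&sock_lock);
    pthread_mutex_unlock(&sock_lock);
    atomic_store(&work_done, 1);
    return NULL;
}

/* Bounded stand-in for cancel_delayed_work_sync(): 1 if the work finished, else 0. */
static int wait_for_work(void)
{
    struct timespec tick = { 0, 10 * 1000 * 1000 };   /* 10 ms, polled 20 times */
    for (int i = 0; i < 20 && !atomic_load(&work_done); i++)
        nanosleep(&tick, NULL);
    return atomic_load(&work_done);
}

/* wait_inside_lock=1: wait inside the locked section; 0: wait first, lock after. */
int reset_callbacks(int wait_inside_lock)
{
    pthread_t t;
    atomic_store(&work_done, 0);
    if (wait_inside_lock)
        pthread_mutex_lock(&sock_lock);
    pthread_create(&t, NULL, send_worker, NULL);
    int finished = wait_for_work();   /* worker blocks only if the lock is held */
    if (!wait_inside_lock)
        pthread_mutex_lock(&sock_lock);
    /* the callbacks would be reset here, under the lock */
    pthread_mutex_unlock(&sock_lock);
    pthread_join(t, NULL);            /* lock is free now, so the worker can exit */
    return finished;
}

int main(void)
{
    printf("wait inside lock finished: %d\n", reset_callbacks(1));
    printf("wait before lock finished: %d\n", reset_callbacks(0));
    return 0;
}
```

With the wait inside the locked section the work never completes within the bound, which in the analogue corresponds to a synchronous wait that cannot return; with the wait moved before the lock it completes immediately.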