Message-ID: <2025122452-CVE-2022-50751-b5ed@gregkh>
Date: Wed, 24 Dec 2025 14:06:02 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50751: configfs: fix possible memory leak in configfs_create_dir()

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

configfs: fix possible memory leak in configfs_create_dir()

kmemleak reported memory leaks in configfs_create_dir():

unreferenced object 0xffff888009f6af00 (size 192):
  comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s)
  backtrace:
    kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)
    new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163)
    configfs_register_subsystem (fs/configfs/dir.c:1857)
    basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic
    do_one_initcall (init/main.c:1296)
    do_init_module (kernel/module/main.c:2455)
    ...

unreferenced object 0xffff888003ba7180 (size 96):
  comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s)
  backtrace:
    kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)
    configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194)
    configfs_make_dirent (fs/configfs/dir.c:248)
    configfs_create_dir (fs/configfs/dir.c:296)
    configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852)
    configfs_register_subsystem (fs/configfs/dir.c:1881)
    basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic
    do_one_initcall (init/main.c:1296)
    do_init_module (kernel/module/main.c:2455)
    ...

This is because the refcount is not correct in configfs_make_dirent().
In the normal case, the refcount changes as:

configfs_register_subsystem()
  configfs_create_dir()
    configfs_make_dirent()
      configfs_new_dirent() # set s_count = 1
      dentry->d_fsdata = configfs_get(sd); # s_count = 2
...
configfs_unregister_subsystem()
  configfs_remove_dir()
    remove_dir()
      configfs_remove_dirent() # s_count = 1
    dput() ...
      *dentry_unlink_inode()*
        configfs_d_iput() # s_count = 0, release

However, if we fail in configfs_create():

configfs_register_subsystem()
  configfs_create_dir()
    configfs_make_dirent() # s_count = 2
    ...
    configfs_create() # fail
    ->out_remove:
    configfs_remove_dirent(dentry)
      configfs_put(sd) # s_count = 1
      return PTR_ERR(inode);

There is no inode in the error path, so configfs_d_iput() is lost
and the sd and fragment memory are leaked.

To fix this, when we fail in configfs_create(), manually call
configfs_put(sd) to keep the refcount correct.
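
The s_count sequence described above, as an added model written for this page (not kernel code): a stand-in dirent with an s_count, the normal create/remove path, the failed-configfs_create() path that leaves one reference behind, and the fix's manual configfs_put(). The counter live_dirents plays the role of kmemleak's "unreferenced object" report.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Outstanding allocations; non-zero after teardown means a leak. */
static int live_dirents;

/* Minimal stand-in for struct configfs_dirent (model, not the kernel type). */
struct dirent_model {
    int s_count;
};

static struct dirent_model *new_dirent(void)   /* configfs_new_dirent(): s_count = 1 */
{
    struct dirent_model *sd = malloc(sizeof *sd);
    if (!sd)
        abort();
    sd->s_count = 1;
    live_dirents++;
    return sd;
}

static struct dirent_model *get_sd(struct dirent_model *sd)   /* configfs_get() */
{
    sd->s_count++;
    return sd;
}

static void put_sd(struct dirent_model *sd)    /* configfs_put(): release at 0 */
{
    if (--sd->s_count == 0) {
        free(sd);
        live_dirents--;
    }
}

/* Runs one create_dir lifecycle and returns how many dirents remain live. */
int simulate_create_dir(bool create_fails, bool with_fix)
{
    live_dirents = 0;
    struct dirent_model *sd = new_dirent();       /* s_count = 1 */
    struct dirent_model *d_fsdata = get_sd(sd);   /* dentry->d_fsdata, s_count = 2 */

    if (create_fails) {
        put_sd(sd);              /* out_remove: configfs_remove_dirent(), s_count = 1 */
        /* No inode exists, so configfs_d_iput() never drops d_fsdata's reference. */
        if (with_fix)
            put_sd(d_fsdata);    /* the fix: manual configfs_put(sd), s_count = 0 */
        return live_dirents;
    }

    put_sd(sd);                  /* configfs_remove_dirent(), s_count = 1 */
    put_sd(d_fsdata);            /* configfs_d_iput() via dput(), s_count = 0 */
    return live_dirents;
}
```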

The Linux kernel CVE team has assigned CVE-2022-50751 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 2.6.16 with commit 7063fbf2261194f72ee75afca67b3b38b554b5fa and fixed in 5.4.229 with commit 90c38f57a821499391526b15cc944c265bd24e48
	Issue introduced in 2.6.16 with commit 7063fbf2261194f72ee75afca67b3b38b554b5fa and fixed in 5.10.163 with commit 74ac7c9ee2d486c501e7864c903f5098fc477acd
	Issue introduced in 2.6.16 with commit 7063fbf2261194f72ee75afca67b3b38b554b5fa and fixed in 5.15.86 with commit 07f82dca112262b169bec0001378126439cab776
	Issue introduced in 2.6.16 with commit 7063fbf2261194f72ee75afca67b3b38b554b5fa and fixed in 6.0.16 with commit 8bc77754224a2c8581727ffe2e958119b4e27c8f
	Issue introduced in 2.6.16 with commit 7063fbf2261194f72ee75afca67b3b38b554b5fa and fixed in 6.1.2 with commit c72eb6e6e49a71f7598740786568fafdd013a227
	Issue introduced in 2.6.16 with commit 7063fbf2261194f72ee75afca67b3b38b554b5fa and fixed in 6.2 with commit c65234b283a65cfbfc94619655e820a5e55199eb

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-50751
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/configfs/dir.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/90c38f57a821499391526b15cc944c265bd24e48
	https://git.kernel.org/stable/c/74ac7c9ee2d486c501e7864c903f5098fc477acd
	https://git.kernel.org/stable/c/07f82dca112262b169bec0001378126439cab776
	https://git.kernel.org/stable/c/8bc77754224a2c8581727ffe2e958119b4e27c8f
	https://git.kernel.org/stable/c/c72eb6e6e49a71f7598740786568fafdd013a227
	https://git.kernel.org/stable/c/c65234b283a65cfbfc94619655e820a5e55199eb
