ghsa-3cwp-rh3m-h6g8
Vulnerability from github
Published
2025-09-15 15:31
Modified
2025-09-15 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

net: do not sense pfmemalloc status in skb_append_pagefrags()

skb_append_pagefrags() is used by af_unix and udp sendpage() implementation so far.

In commit 326140063946 ("tcp: TX zerocopy should not sense pfmemalloc status") we explained why we should not sense pfmemalloc status for pages owned by user space.

We should also use skb_fill_page_desc_noacc() in skb_append_pagefrags() to avoid following KCSAN report:

BUG: KCSAN: data-race in lru_add_fn / skb_append_pagefrags

write to 0xffffea00058fc1c8 of 8 bytes by task 17319 on cpu 0: __list_add include/linux/list.h:73 [inline] list_add include/linux/list.h:88 [inline] lruvec_add_folio include/linux/mm_inline.h:323 [inline] lru_add_fn+0x327/0x410 mm/swap.c:228 folio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246 lru_add_drain_cpu+0x73/0x250 mm/swap.c:669 lru_add_drain+0x21/0x60 mm/swap.c:773 free_pages_and_swap_cache+0x16/0x70 mm/swap_state.c:311 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline] tlb_flush_mmu_free mm/mmu_gather.c:256 [inline] tlb_flush_mmu+0x5b2/0x640 mm/mmu_gather.c:263 tlb_finish_mmu+0x86/0x100 mm/mmu_gather.c:363 exit_mmap+0x190/0x4d0 mm/mmap.c:3098 __mmput+0x27/0x1b0 kernel/fork.c:1185 mmput+0x3d/0x50 kernel/fork.c:1207 copy_process+0x19fc/0x2100 kernel/fork.c:2518 kernel_clone+0x166/0x550 kernel/fork.c:2671 __do_sys_clone kernel/fork.c:2812 [inline] __se_sys_clone kernel/fork.c:2796 [inline] __x64_sys_clone+0xc3/0xf0 kernel/fork.c:2796 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffffea00058fc1c8 of 8 bytes by task 17325 on cpu 1: page_is_pfmemalloc include/linux/mm.h:1817 [inline] __skb_fill_page_desc include/linux/skbuff.h:2432 [inline] skb_fill_page_desc include/linux/skbuff.h:2453 [inline] skb_append_pagefrags+0x210/0x600 net/core/skbuff.c:3974 unix_stream_sendpage+0x45e/0x990 net/unix/af_unix.c:2338 kernel_sendpage+0x184/0x300 net/socket.c:3561 sock_sendpage+0x5a/0x70 net/socket.c:1054 pipe_to_sendpage+0x128/0x160 fs/splice.c:361 splice_from_pipe_feed fs/splice.c:415 [inline] __splice_from_pipe+0x222/0x4d0 fs/splice.c:559 splice_from_pipe fs/splice.c:594 [inline] generic_splice_sendpage+0x89/0xc0 fs/splice.c:743 do_splice_from fs/splice.c:764 [inline] direct_splice_actor+0x80/0xa0 fs/splice.c:931 splice_direct_to_actor+0x305/0x620 fs/splice.c:886 do_splice_direct+0xfb/0x180 fs/splice.c:974 do_sendfile+0x3bf/0x910 fs/read_write.c:1255 __do_sys_sendfile64 fs/read_write.c:1323 [inline] __se_sys_sendfile64 fs/read_write.c:1309 [inline] __x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1309 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x0000000000000000 -> 0xffffea00058fc188

Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 17325 Comm: syz-executor.0 Not tainted 6.1.0-rc1-syzkaller-00158-g440b7895c990-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50323"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T15:15:44Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not sense pfmemalloc status in skb_append_pagefrags()\n\nskb_append_pagefrags() is used by af_unix and udp sendpage()\nimplementation so far.\n\nIn commit 326140063946 (\"tcp: TX zerocopy should not sense\npfmemalloc status\") we explained why we should not sense\npfmemalloc status for pages owned by user space.\n\nWe should also use skb_fill_page_desc_noacc()\nin skb_append_pagefrags() to avoid following KCSAN report:\n\nBUG: KCSAN: data-race in lru_add_fn / skb_append_pagefrags\n\nwrite to 0xffffea00058fc1c8 of 8 bytes by task 17319 on cpu 0:\n__list_add include/linux/list.h:73 [inline]\nlist_add include/linux/list.h:88 [inline]\nlruvec_add_folio include/linux/mm_inline.h:323 [inline]\nlru_add_fn+0x327/0x410 mm/swap.c:228\nfolio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246\nlru_add_drain_cpu+0x73/0x250 mm/swap.c:669\nlru_add_drain+0x21/0x60 mm/swap.c:773\nfree_pages_and_swap_cache+0x16/0x70 mm/swap_state.c:311\ntlb_batch_pages_flush mm/mmu_gather.c:59 [inline]\ntlb_flush_mmu_free mm/mmu_gather.c:256 [inline]\ntlb_flush_mmu+0x5b2/0x640 mm/mmu_gather.c:263\ntlb_finish_mmu+0x86/0x100 mm/mmu_gather.c:363\nexit_mmap+0x190/0x4d0 mm/mmap.c:3098\n__mmput+0x27/0x1b0 kernel/fork.c:1185\nmmput+0x3d/0x50 kernel/fork.c:1207\ncopy_process+0x19fc/0x2100 kernel/fork.c:2518\nkernel_clone+0x166/0x550 kernel/fork.c:2671\n__do_sys_clone kernel/fork.c:2812 [inline]\n__se_sys_clone kernel/fork.c:2796 [inline]\n__x64_sys_clone+0xc3/0xf0 kernel/fork.c:2796\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffffea00058fc1c8 of 8 bytes by task 17325 on cpu 1:\npage_is_pfmemalloc include/linux/mm.h:1817 [inline]\n__skb_fill_page_desc include/linux/skbuff.h:2432 [inline]\nskb_fill_page_desc include/linux/skbuff.h:2453 [inline]\nskb_append_pagefrags+0x210/0x600 net/core/skbuff.c:3974\nunix_stream_sendpage+0x45e/0x990 net/unix/af_unix.c:2338\nkernel_sendpage+0x184/0x300 net/socket.c:3561\nsock_sendpage+0x5a/0x70 net/socket.c:1054\npipe_to_sendpage+0x128/0x160 fs/splice.c:361\nsplice_from_pipe_feed fs/splice.c:415 [inline]\n__splice_from_pipe+0x222/0x4d0 fs/splice.c:559\nsplice_from_pipe fs/splice.c:594 [inline]\ngeneric_splice_sendpage+0x89/0xc0 fs/splice.c:743\ndo_splice_from fs/splice.c:764 [inline]\ndirect_splice_actor+0x80/0xa0 fs/splice.c:931\nsplice_direct_to_actor+0x305/0x620 fs/splice.c:886\ndo_splice_direct+0xfb/0x180 fs/splice.c:974\ndo_sendfile+0x3bf/0x910 fs/read_write.c:1255\n__do_sys_sendfile64 fs/read_write.c:1323 [inline]\n__se_sys_sendfile64 fs/read_write.c:1309 [inline]\n__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1309\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x0000000000000000 -\u003e 0xffffea00058fc188\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 17325 Comm: syz-executor.0 Not tainted 6.1.0-rc1-syzkaller-00158-g440b7895c990-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022",
  "id": "GHSA-3cwp-rh3m-h6g8",
  "modified": "2025-09-15T15:31:27Z",
  "published": "2025-09-15T15:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50323"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/228ebc41dfab5b5d34cd76835ddb0ca8ee12f513"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/847a2859814b31392340a2b16604b25afaa92dcc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/92b4c5c3fa810212da20088bcc6c0a77fc8607bd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.