CVE-2022-49765

MEDIUM

Linux Kernel < 5.15.80, 5.16.0-6.0.10, >=6.1 - Improper Locking in 9P Transport

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: net/9p: use a dedicated spinlock for trans_fd Shamelessly copying the explanation from Tetsuo Handa's suggested patch[1] (slightly reworded): syzbot is reporting inconsistent lock state in p9_req_put()[2], for p9_tag_remove() from p9_req_put() from IRQ context is using spin_lock_irqsave() on "struct p9_client"->lock but trans_fd (not from IRQ context) is using spin_lock(). Since the locks actually protect different things in client.c and in trans_fd.c, just replace trans_fd.c's lock by a new one specific to the transport (client.c's protect the idr for fid/tag allocations, while trans_fd.c's protects its own req list and request status field that acts as the transport's state machine)

References (3)

Core 3

Core References

Patch

https://git.kernel.org/stable/c/43bbadb7e4636dc02f6a283c2a39e6438e6173cd

Patch

https://git.kernel.org/stable/c/717b9b4f38703d7f5293059e3a242d16f76fa045

Patch

https://git.kernel.org/stable/c/296ab4a813841ba1d5f40b03190fd1bd8f25aab0

Scores

CVSS v3 5.5

EPSS 0.0012

EPSS Percentile 2.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-667

Status published

Products (11)

linux/Kernel 2.6.28 - 5.15.80linux

linux/Kernel 5.16.0 - 6.0.10linux

Linux/Linux < 2.6.28

Linux/Linux 2.6.28

Linux/Linux 5.15.80 - 5.15.*

Linux/Linux 6.0.10 - 6.0.*

Linux/Linux 6.1

Linux/Linux 673d62cdaac6ffbce980a349d3174b3929ceb9e5 - 296ab4a813841ba1d5f40b03190fd1bd8f25aab0

Linux/Linux 673d62cdaac6ffbce980a349d3174b3929ceb9e5 - 43bbadb7e4636dc02f6a283c2a39e6438e6173cd

Linux/Linux 673d62cdaac6ffbce980a349d3174b3929ceb9e5 - 717b9b4f38703d7f5293059e3a242d16f76fa045

... and 1 more

Published May 01, 2025

Tracked Since Feb 18, 2026