{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50335","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-09-15T14:18:36.816Z","datePublished":"2025-09-15T14:49:50.150Z","dateUpdated":"2026-05-11T19:17:27.944Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:17:27.944Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\n9p: set req refcount to zero to avoid uninitialized usage\n\nWhen a new request is allocated, the refcount will be zero if it is\nreused, but if the request is newly allocated from slab, it is not fully\ninitialized before being added to idr.\n\nIf the p9_read_work got a response before the refcount initiated. It will\nuse a uninitialized req, which will result in a bad request data struct.\n\nHere is the logs from syzbot.\n\nCorrupted memory at 0xffff88807eade00b [ 0xff 0x07 0x00 0x00 0x00 0x00\n0x00 0x00 . . . . . . . . ] (in kfence-#110):\n p9_fcall_fini net/9p/client.c:248 [inline]\n p9_req_put net/9p/client.c:396 [inline]\n p9_req_put+0x208/0x250 net/9p/client.c:390\n p9_client_walk+0x247/0x540 net/9p/client.c:1165\n clone_fid fs/9p/fid.h:21 [inline]\n v9fs_fid_xattr_set+0xe4/0x2b0 fs/9p/xattr.c:118\n v9fs_xattr_set fs/9p/xattr.c:100 [inline]\n v9fs_xattr_handler_set+0x6f/0x120 fs/9p/xattr.c:159\n __vfs_setxattr+0x119/0x180 fs/xattr.c:182\n __vfs_setxattr_noperm+0x129/0x5f0 fs/xattr.c:216\n __vfs_setxattr_locked+0x1d3/0x260 fs/xattr.c:277\n vfs_setxattr+0x143/0x340 fs/xattr.c:309\n setxattr+0x146/0x160 fs/xattr.c:617\n path_setxattr+0x197/0x1c0 fs/xattr.c:636\n __do_sys_setxattr fs/xattr.c:652 [inline]\n __se_sys_setxattr fs/xattr.c:648 [inline]\n __ia32_sys_setxattr+0xc0/0x160 fs/xattr.c:648\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nBelow is a similar scenario, the scenario in the syzbot log looks more\ncomplicated than this one, but this patch can fix it.\n\n     T21124                   p9_read_work\n======================== second trans =================================\np9_client_walk\n  p9_client_rpc\n    p9_client_prepare_req\n      p9_tag_alloc\n        req = kmem_cache_alloc(p9_req_cache, GFP_NOFS);\n        tag = idr_alloc\n        << preempted >>\n        req->tc.tag = tag;\n                            /* req->[refcount/tag] == uninitialized */\n                            m->rreq = p9_tag_lookup(m->client, m->rc.tag);\n                              /* increments uninitalized refcount */\n\n        refcount_set(&req->refcount, 2);\n                            /* cb drops one ref */\n                            p9_client_cb(req)\n                            /* reader thread drops its ref:\n                               request is incorrectly freed */\n                            p9_req_put(req)\n    /* use after free and ref underflow */\n    p9_req_put(req)\n\nTo fix it, we can initialize the refcount to zero before add to idr."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/9p/client.c"],"versions":[{"version":"728356dedeff8ef999cb436c71333ef4ac51a81c","lessThan":"1cabce56626a61f4f02452cba61ad4332a4b73f8","status":"affected","versionType":"git"},{"version":"728356dedeff8ef999cb436c71333ef4ac51a81c","lessThan":"73c47b3123b351de2d3714a72a336c0f72f203af","status":"affected","versionType":"git"},{"version":"728356dedeff8ef999cb436c71333ef4ac51a81c","lessThan":"967fc34f297e40fd2e068cf6b0c3eb4916228539","status":"affected","versionType":"git"},{"version":"728356dedeff8ef999cb436c71333ef4ac51a81c","lessThan":"26273ade77f54716e30dfd40ac6e85ceb54ac0f9","status":"affected","versionType":"git"},{"version":"3665a4d9dca1bd06bc34afb72e637fe01b2776ee","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/9p/client.c"],"versions":[{"version":"4.20","status":"affected"},{"version":"0","lessThan":"4.20","status":"unaffected","versionType":"semver"},{"version":"5.15.86","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.16","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1.2","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.15.86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.0.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.1.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.57"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1cabce56626a61f4f02452cba61ad4332a4b73f8"},{"url":"https://git.kernel.org/stable/c/73c47b3123b351de2d3714a72a336c0f72f203af"},{"url":"https://git.kernel.org/stable/c/967fc34f297e40fd2e068cf6b0c3eb4916228539"},{"url":"https://git.kernel.org/stable/c/26273ade77f54716e30dfd40ac6e85ceb54ac0f9"}],"title":"9p: set req refcount to zero to avoid uninitialized usage","x_generator":{"engine":"bippy-1.2.0"}}}}