{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50459","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-10-01T11:38:45.640Z","datePublished":"2025-10-01T11:45:31.740Z","dateUpdated":"2026-05-11T19:19:51.823Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:19:51.823Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()\n\nFix a NULL pointer crash that occurs when we are freeing the socket at the\nsame time we access it via sysfs.\n\nThe problem is that:\n\n 1. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() take\n    the frwd_lock and do sock_hold() then drop the frwd_lock. sock_hold()\n    does a get on the \"struct sock\".\n\n 2. iscsi_sw_tcp_release_conn() does sockfd_put() which does the last put\n    on the \"struct socket\" and that does __sock_release() which sets the\n    sock->ops to NULL.\n\n 3. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() then\n    call kernel_getpeername() which accesses the NULL sock->ops.\n\nAbove we do a get on the \"struct sock\", but we needed a get on the \"struct\nsocket\". Originally, we just held the frwd_lock the entire time but in\ncommit bcf3a2953d36 (\"scsi: iscsi: iscsi_tcp: Avoid holding spinlock while\ncalling getpeername()\") we switched to refcount based because the network\nlayer changed and started taking a mutex in that path, so we could no\nlonger hold the frwd_lock.\n\nInstead of trying to maintain multiple refcounts, this just has us use a\nmutex for accessing the socket in the interface code paths."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/scsi/iscsi_tcp.c","drivers/scsi/iscsi_tcp.h"],"versions":[{"version":"bcf3a2953d36bbfb9bd44ccb3db0897d935cc485","lessThan":"884a788f065578bb640382279a83d1df433b13e6","status":"affected","versionType":"git"},{"version":"bcf3a2953d36bbfb9bd44ccb3db0897d935cc485","lessThan":"a26b0658751bb0a3b28386fca715333b104d32a2","status":"affected","versionType":"git"},{"version":"bcf3a2953d36bbfb9bd44ccb3db0897d935cc485","lessThan":"897dbbc57d71e8a34ec1af8e573a142de457da38","status":"affected","versionType":"git"},{"version":"bcf3a2953d36bbfb9bd44ccb3db0897d935cc485","lessThan":"0a0b861fce2657ba08ec356a74346b37ca4b2008","status":"affected","versionType":"git"},{"version":"bcf3a2953d36bbfb9bd44ccb3db0897d935cc485","lessThan":"57569c37f0add1b6489e1a1563c71519daf732cf","status":"affected","versionType":"git"},{"version":"7d29e950766327f658cb92722b9445ac3b3ae023","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/scsi/iscsi_tcp.c","drivers/scsi/iscsi_tcp.h"],"versions":[{"version":"5.9","status":"affected"},{"version":"0","lessThan":"5.9","status":"unaffected","versionType":"semver"},{"version":"5.10.150","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.75","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.19.17","lessThanOrEqual":"5.19.*","status":"unaffected","versionType":"semver"},{"version":"6.0.3","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.10.150"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.15.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.19.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.0.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/884a788f065578bb640382279a83d1df433b13e6"},{"url":"https://git.kernel.org/stable/c/a26b0658751bb0a3b28386fca715333b104d32a2"},{"url":"https://git.kernel.org/stable/c/897dbbc57d71e8a34ec1af8e573a142de457da38"},{"url":"https://git.kernel.org/stable/c/0a0b861fce2657ba08ec356a74346b37ca4b2008"},{"url":"https://git.kernel.org/stable/c/57569c37f0add1b6489e1a1563c71519daf732cf"}],"title":"scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()","x_generator":{"engine":"bippy-1.2.0"}}}}