{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50555","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-10-07T15:15:38.669Z","datePublished":"2025-10-07T15:21:16.179Z","dateUpdated":"2026-05-11T19:21:41.347Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:21:41.347Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix a null-ptr-deref in tipc_topsrv_accept\n\nsyzbot found a crash in tipc_topsrv_accept:\n\n  KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n  Workqueue: tipc_rcv tipc_topsrv_accept\n  RIP: 0010:kernel_accept+0x22d/0x350 net/socket.c:3487\n  Call Trace:\n   <TASK>\n   tipc_topsrv_accept+0x197/0x280 net/tipc/topsrv.c:460\n   process_one_work+0x991/0x1610 kernel/workqueue.c:2289\n   worker_thread+0x665/0x1080 kernel/workqueue.c:2436\n   kthread+0x2e4/0x3a0 kernel/kthread.c:376\n   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n\nIt was caused by srv->listener that might be set to null by\ntipc_topsrv_stop() in net .exit whereas it's still used in\ntipc_topsrv_accept() worker.\n\nsrv->listener is protected by srv->idr_lock in tipc_topsrv_stop(), so add\na check for srv->listener under srv->idr_lock in tipc_topsrv_accept() to\navoid the null-ptr-deref. To ensure the lsock is not released during the\ntipc_topsrv_accept(), move sock_release() after tipc_topsrv_work_stop()\nwhere it's waiting until the tipc_topsrv_accept worker to be done.\n\nNote that sk_callback_lock is used to protect sk->sk_user_data instead of\nsrv->listener, and it should check srv in tipc_topsrv_listener_data_ready()\ninstead. This also ensures that no more tipc_topsrv_accept worker will be\nstarted after tipc_conn_close() is called in tipc_topsrv_stop() where it\nsets sk->sk_user_data to null."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/tipc/topsrv.c"],"versions":[{"version":"0ef897be12b8b4cf297b6016e79ec97ec90f2cf6","lessThan":"ce69bdac2310152bb70845024d5d704c52aabfc3","status":"affected","versionType":"git"},{"version":"0ef897be12b8b4cf297b6016e79ec97ec90f2cf6","lessThan":"24b129aed8730e48f47d852d58d76825ab6f407c","status":"affected","versionType":"git"},{"version":"0ef897be12b8b4cf297b6016e79ec97ec90f2cf6","lessThan":"32a3d4660b34ce49ac0162338ebe362098e2f5df","status":"affected","versionType":"git"},{"version":"0ef897be12b8b4cf297b6016e79ec97ec90f2cf6","lessThan":"7a939503fc32bff4ed60800b73ff7fbb4aea2142","status":"affected","versionType":"git"},{"version":"0ef897be12b8b4cf297b6016e79ec97ec90f2cf6","lessThan":"cedb41664e27b2cae7e21487f1bee22dcd84037d","status":"affected","versionType":"git"},{"version":"0ef897be12b8b4cf297b6016e79ec97ec90f2cf6","lessThan":"82cb4e4612c633a9ce320e1773114875604a3cce","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/tipc/topsrv.c"],"versions":[{"version":"4.17","status":"affected"},{"version":"0","lessThan":"4.17","status":"unaffected","versionType":"semver"},{"version":"4.19.264","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.223","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.153","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.77","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.7","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"4.19.264"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"5.4.223"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"5.10.153"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"5.15.77"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"6.0.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ce69bdac2310152bb70845024d5d704c52aabfc3"},{"url":"https://git.kernel.org/stable/c/24b129aed8730e48f47d852d58d76825ab6f407c"},{"url":"https://git.kernel.org/stable/c/32a3d4660b34ce49ac0162338ebe362098e2f5df"},{"url":"https://git.kernel.org/stable/c/7a939503fc32bff4ed60800b73ff7fbb4aea2142"},{"url":"https://git.kernel.org/stable/c/cedb41664e27b2cae7e21487f1bee22dcd84037d"},{"url":"https://git.kernel.org/stable/c/82cb4e4612c633a9ce320e1773114875604a3cce"}],"title":"tipc: fix a null-ptr-deref in tipc_topsrv_accept","x_generator":{"engine":"bippy-1.2.0"}}}}