{"id":"CVE-2022-48649","summary":"mm/slab_common: fix possible double free of kmem_cache","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab_common: fix possible double free of kmem_cache\n\nWhen doing slub_debug test, kfence's 'test_memcache_typesafe_by_rcu'\nkunit test case cause a use-after-free error:\n\n  BUG: KASAN: use-after-free in kobject_del+0x14/0x30\n  Read of size 8 at addr ffff888007679090 by task kunit_try_catch/261\n\n  CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G    B            N 6.0.0-rc5-next-20220916 #17\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x34/0x48\n   print_address_description.constprop.0+0x87/0x2a5\n   print_report+0x103/0x1ed\n   kasan_report+0xb7/0x140\n   kobject_del+0x14/0x30\n   kmem_cache_destroy+0x130/0x170\n   test_exit+0x1a/0x30\n   kunit_try_run_case+0xad/0xc0\n   kunit_generic_run_threadfn_adapter+0x26/0x50\n   kthread+0x17b/0x1b0\n   \u003c/TASK\u003e\n\nThe cause is inside kmem_cache_destroy():\n\nkmem_cache_destroy\n    acquire lock/mutex\n    shutdown_cache\n        schedule_work(kmem_cache_release) (if RCU flag set)\n    release lock/mutex\n    kmem_cache_release (if RCU flag not set)\n\nIn some certain timing, the scheduled work could be run before\nthe next RCU flag checking, which can then get a wrong value\nand lead to double kmem_cache_release().\n\nFix it by caching the RCU flag inside protected area, just like 'refcnt'","modified":"2026-04-11T12:41:16.172642Z","published":"2024-04-28T13:00:33.390Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48649.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/c673c6ceac53fb2e631c9fbbd79957099a08927f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d71608a877362becdc94191f190902fac1e64d35"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48649.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48649"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"357321557920c805de2b14832002465c320eea4f"},{"fixed":"c673c6ceac53fb2e631c9fbbd79957099a08927f"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0495e337b7039191dfce6e03f5f830454b1fae6b"},{"fixed":"d71608a877362becdc94191f190902fac1e64d35"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48649.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.19.8"},{"fixed":"5.19.12"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48649.json"}}],"schema_version":"1.7.5"}