{"id":"CVE-2022-50409","summary":"net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory\n\nFixes the below NULL pointer dereference:\n\n [...]\n [ 14.471200] Call Trace:\n [ 14.471562] \u003cTASK\u003e\n [ 14.471882] lock_acquire+0x245/0x2e0\n [ 14.472416] ? remove_wait_queue+0x12/0x50\n [ 14.473014] ? _raw_spin_lock_irqsave+0x17/0x50\n [ 14.473681] _raw_spin_lock_irqsave+0x3d/0x50\n [ 14.474318] ? remove_wait_queue+0x12/0x50\n [ 14.474907] remove_wait_queue+0x12/0x50\n [ 14.475480] sk_stream_wait_memory+0x20d/0x340\n [ 14.476127] ? do_wait_intr_irq+0x80/0x80\n [ 14.476704] do_tcp_sendpages+0x287/0x600\n [ 14.477283] tcp_bpf_push+0xab/0x260\n [ 14.477817] tcp_bpf_sendmsg_redir+0x297/0x500\n [ 14.478461] ? __local_bh_enable_ip+0x77/0xe0\n [ 14.479096] tcp_bpf_send_verdict+0x105/0x470\n [ 14.479729] tcp_bpf_sendmsg+0x318/0x4f0\n [ 14.480311] sock_sendmsg+0x2d/0x40\n [ 14.480822] ____sys_sendmsg+0x1b4/0x1c0\n [ 14.481390] ? copy_msghdr_from_user+0x62/0x80\n [ 14.482048] ___sys_sendmsg+0x78/0xb0\n [ 14.482580] ? vmf_insert_pfn_prot+0x91/0x150\n [ 14.483215] ? __do_fault+0x2a/0x1a0\n [ 14.483738] ? do_fault+0x15e/0x5d0\n [ 14.484246] ? __handle_mm_fault+0x56b/0x1040\n [ 14.484874] ? lock_is_held_type+0xdf/0x130\n [ 14.485474] ? find_held_lock+0x2d/0x90\n [ 14.486046] ? __sys_sendmsg+0x41/0x70\n [ 14.486587] __sys_sendmsg+0x41/0x70\n [ 14.487105] ? intel_pmu_drain_pebs_core+0x350/0x350\n [ 14.487822] do_syscall_64+0x34/0x80\n [ 14.488345] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n [...]\n\nThe test scenario has the following flow:\n\nthread1 thread2\n----------- ---------------\n tcp_bpf_sendmsg\n tcp_bpf_send_verdict\n tcp_bpf_sendmsg_redir sock_close\n tcp_bpf_push_locked __sock_release\n tcp_bpf_push //inet_release\n do_tcp_sendpages sock-\u003eops-\u003erelease\n sk_stream_wait_memory \t // tcp_close\n sk_wait_event sk-\u003esk_prot-\u003eclose\n release_sock(__sk);\n ***\n lock_sock(sk);\n __tcp_close\n sock_orphan(sk)\n sk-\u003esk_wq = NULL\n release_sock\n ****\n lock_sock(__sk);\n remove_wait_queue(sk_sleep(sk), &wait);\n sk_sleep(sk)\n //NULL pointer dereference\n &rcu_dereference_raw(sk-\u003esk_wq)-\u003ewait\n\nWhile waiting for memory in thread1, the socket is released with its wait\nqueue because thread2 has closed it. This caused by tcp_bpf_send_verdict\ndidn't increase the f_count of psock-\u003esk_redir-\u003esk_socket-\u003efile in thread1.\n\nWe should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory\nbefore accessing the wait queue.","modified":"2026-04-11T12:44:57.183216Z","published":"2025-09-18T16:03:53.902Z","related":["SUSE-SU-2025:03613-1","SUSE-SU-2025:03614-1","SUSE-SU-2025:03615-1","SUSE-SU-2025:03626-1","SUSE-SU-2025:03628-1","SUSE-SU-2025:3716-1","SUSE-SU-2025:3761-1","SUSE-SU-2025:4315-1","SUSE-SU-2026:0154-1","SUSE-SU-2026:0155-1","SUSE-SU-2026:0163-1","SUSE-SU-2026:0166-1","SUSE-SU-2026:0168-1","SUSE-SU-2026:0173-1","SUSE-SU-2026:0174-1","SUSE-SU-2026:0176-1","SUSE-SU-2026:0180-1","SUSE-SU-2026:0184-1","SUSE-SU-2026:0186-1","SUSE-SU-2026:0187-1","SUSE-SU-2026:0191-1","SUSE-SU-2026:0206-1","SUSE-SU-2026:0246-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50409.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/124b7c773271f06af5a2cea694b283cdb5275cf5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/35f5e70bdfa7432762ac4ffa75e5a7574ac5563e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3f8ef65af927db247418d4e1db49164d7a158fc5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/435f5aa4421782af197b98d8525263977be4af5c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/65029aaedd15d9fe5ea1a899134e236d83f627bb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a76462dbdd8bddcbeec9463bc9e54e509b860762"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50409.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50409"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"604326b41a6fb9b4a78b6179335decee0365cd8c"},{"fixed":"a76462dbdd8bddcbeec9463bc9e54e509b860762"},{"fixed":"65029aaedd15d9fe5ea1a899134e236d83f627bb"},{"fixed":"124b7c773271f06af5a2cea694b283cdb5275cf5"},{"fixed":"35f5e70bdfa7432762ac4ffa75e5a7574ac5563e"},{"fixed":"435f5aa4421782af197b98d8525263977be4af5c"},{"fixed":"3f8ef65af927db247418d4e1db49164d7a158fc5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50409.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.220"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.150"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"5.19.17"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.20.0"},{"fixed":"6.0.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50409.json"}}],"schema_version":"1.7.5"}