{"id":"CVE-2022-50661","summary":"seccomp: Move copy_seccomp() to no failure path.","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nseccomp: Move copy_seccomp() to no failure path.\n\nOur syzbot instance reported memory leaks in do_seccomp() [0], similar\nto the report [1].  It shows that we miss freeing struct seccomp_filter\nand some objects included in it.\n\nWe can reproduce the issue with the program below [2] which calls one\nseccomp() and two clone() syscalls.\n\nThe first clone()d child exits earlier than its parent and sends a\nsignal to kill it during the second clone(), more precisely before the\nfatal_signal_pending() test in copy_process().  When the parent receives\nthe signal, it has to destroy the embryonic process and return -EINTR to\nuser space.  In the failure path, we have to call seccomp_filter_release()\nto decrement the filter's refcount.\n\nInitially, we called it in free_task() called from the failure path, but\nthe commit 3a15fb6ed92c (\"seccomp: release filter after task is fully\ndead\") moved it to release_task() to notify user space as early as possible\nthat the filter is no longer used.\n\nTo keep the change and current seccomp refcount semantics, let's move\ncopy_seccomp() just after the signal check and add a WARN_ON_ONCE() in\nfree_task() for future debugging.\n\n[0]:\nunreferenced object 0xffff8880063add00 (size 256):\n  comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.914s)\n  hex dump (first 32 bytes):\n    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................\n    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................\n  backtrace:\n    do_seccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffffc90000035000 (size 4096):\n  comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    __vmalloc_node_range (mm/vmalloc.c:3226)\n    __vmalloc_node (mm/vmalloc.c:3261 (discriminator 4))\n    bpf_prog_alloc_no_stats (kernel/bpf/core.c:91)\n    bpf_prog_alloc (kernel/bpf/core.c:129)\n    bpf_prog_create_from_user (net/core/filter.c:1414)\n    do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888003fa1000 (size 1024):\n  comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    bpf_prog_alloc_no_stats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95)\n    bpf_prog_alloc (kernel/bpf/core.c:129)\n    bpf_prog_create_from_user (net/core/filter.c:1414)\n    do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888006360240 (size 16):\n  comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\n  hex dump (first 16 bytes):\n    01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff  ..7.verl........\n  backtrace:\n    bpf_prog_store_orig_filter (net/core/filter.c:1137)\n    bpf_prog_create_from_user (net/core/filter.c:1428)\n    do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888\n---truncated---","modified":"2026-04-02T08:28:41.601056Z","published":"2025-12-09T01:29:09.498Z","related":["SUSE-SU-2026:0263-1","SUSE-SU-2026:0317-1","SUSE-SU-2026:0411-1","SUSE-SU-2026:0617-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50661.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/29a69fa075d0577eff1137426669de21187ec182"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5b81f0c6c60e35bf8153230ddfb03ebb14e17986"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a1140cb215fa13dcec06d12ba0c3ee105633b7c4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a31a647a3d1073a642c5bbe3457731fb353cb980"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d4a895e924b486f2a38463114509e1088ef4d7f5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50661.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50661"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3"},{"fixed":"d4a895e924b486f2a38463114509e1088ef4d7f5"},{"fixed":"a31a647a3d1073a642c5bbe3457731fb353cb980"},{"fixed":"29a69fa075d0577eff1137426669de21187ec182"},{"fixed":"5b81f0c6c60e35bf8153230ddfb03ebb14e17986"},{"fixed":"a1140cb215fa13dcec06d12ba0c3ee105633b7c4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50661.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.9.0"},{"fixed":"5.10.180"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.86"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.0.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.1.0"},{"fixed":"6.1.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50661.json"}}],"schema_version":"1.7.5"}