CVE-2022-50699
Unknown Unknown - Not Provided
Use-After-Sleep Bug in Linux Kernel SELinux convert_context() Function

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context() The following warning was triggered on a hardware environment: SELinux: Converting 162 SID table entries... BUG: sleeping function called from invalid context at __might_sleep+0x60/0x74 0x0 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1 Call trace: dump_backtrace+0x0/0x1c8 show_stack+0x18/0x28 dump_stack+0xe8/0x15c ___might_sleep+0x168/0x17c __might_sleep+0x60/0x74 __kmalloc_track_caller+0xa0/0x7dc kstrdup+0x54/0xac convert_context+0x48/0x2e4 sidtab_context_to_sid+0x1c4/0x36c security_context_to_sid_core+0x168/0x238 security_context_to_sid_default+0x14/0x24 inode_doinit_use_xattr+0x164/0x1e4 inode_doinit_with_dentry+0x1c0/0x488 selinux_d_instantiate+0x20/0x34 security_d_instantiate+0x70/0xbc d_splice_alias+0x4c/0x3c0 ext4_lookup+0x1d8/0x200 [ext4] __lookup_slow+0x12c/0x1e4 walk_component+0x100/0x200 path_lookupat+0x88/0x118 filename_lookup+0x98/0x130 user_path_at_empty+0x48/0x60 vfs_statx+0x84/0x140 vfs_fstatat+0x20/0x30 __se_sys_newfstatat+0x30/0x74 __arm64_sys_newfstatat+0x1c/0x2c el0_svc_common.constprop.0+0x100/0x184 do_el0_svc+0x1c/0x2c el0_svc+0x20/0x34 el0_sync_handler+0x80/0x17c el0_sync+0x13c/0x140 SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is not valid (left unmapped). It was found that within a critical section of spin_lock_irqsave in sidtab_context_to_sid(), convert_context() (hooked by sidtab_convert_params.func) might cause the process to sleep via allocating memory with GFP_KERNEL, which is problematic. As Ondrej pointed out [1], convert_context()/sidtab_convert_params.func has another caller sidtab_convert_tree(), which is okay with GFP_KERNEL. Therefore, fix this problem by adding a gfp_t argument for convert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC properly in individual callers. [PM: wrap long BUG() output lines, tweak subject line]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-05-07
AI Q&A
2025-12-24
EPSS Evaluated
2026-05-05
NVD
CVE-2022-50699
EUVD
EUVD-2025-205182
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel 5.10.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's SELinux component involves improper use of memory allocation flags in the convert_context() function. Specifically, convert_context() was using GFP_KERNEL (which can sleep) in a context where sleeping is not allowed (inside a spin_lock_irqsave critical section). This could cause a BUG warning due to a sleeping function being called from an invalid context. The fix involved adding a gfp_t argument to convert_context() to properly use GFP_KERNEL or GFP_ATOMIC depending on the caller, preventing sleeping in atomic contexts.


How can this vulnerability impact me? :

This vulnerability can cause kernel BUG warnings and potentially system instability or crashes because a sleeping function was called from an invalid atomic context. This can affect system reliability and may lead to unexpected behavior or denial of service in environments using SELinux on the Linux kernel.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by monitoring your system logs for the specific SELinux warning messages related to convert_context(), such as: 'SELinux: Converting 162 SID table entries...' and 'BUG: sleeping function called from invalid context'. Checking for these messages in the kernel logs (e.g., using 'dmesg' or 'journalctl') can help identify if the issue is occurring. For example, you can run commands like 'dmesg | grep SELinux' or 'journalctl -k | grep convert_context' to look for relevant warnings.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves updating the Linux kernel to a version where this vulnerability is fixed, as the issue is resolved by properly handling GFP_KERNEL and GFP_ATOMIC flags in convert_context() and related functions. Until an update is applied, monitoring for the warning messages and avoiding workloads or operations that trigger the problematic code paths may reduce exposure.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart