2396400 – (CVE-2022-50376) CVE-2022-50376 kernel: orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init()

Bug 2396400 (CVE-2022-50376) - CVE-2022-50376 kernel: orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init()

Summary: CVE-2022-50376 kernel: orangefs: Fix kmemleak in orangefs_{kernel,client}_deb...

Keywords:
Status:	NEW
Alias:	CVE-2022-50376
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-18 14:02 UTC by OSIDB Bzimport
Modified:	2025-11-26 10:46 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-18 14:02:49 UTC

In the Linux kernel, the following vulnerability has been resolved:

orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init()

When insert and remove the orangefs module, there are memory leaked
as below:

unreferenced object 0xffff88816b0cc000 (size 2048):
  comm "insmod", pid 783, jiffies 4294813439 (age 65.512s)
  hex dump (first 32 bytes):
    6e 6f 6e 65 0a 00 00 00 00 00 00 00 00 00 00 00  none............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000031ab7788>] kmalloc_trace+0x27/0xa0
    [<000000005b405fee>] orangefs_debugfs_init.cold+0xaf/0x17f
    [<00000000e5a0085b>] 0xffffffffa02780f9
    [<000000004232d9f7>] do_one_initcall+0x87/0x2a0
    [<0000000054f22384>] do_init_module+0xdf/0x320
    [<000000003263bdea>] load_module+0x2f98/0x3330
    [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0
    [<00000000250ae02b>] do_syscall_64+0x35/0x80
    [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

Use the golbal variable as the buffer rather than dynamic allocate to
slove the problem.

Comment 1 Keith Grant 2025-09-18 15:00:30 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091850-CVE-2022-50376-1398@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.