VYPR
Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2022-50654

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix panic due to wrong pageattr of im->image

In the scenario where livepatch and kretfunc coexist, the pageattr of im->image is rox after arch_prepare_bpf_trampoline in bpf_trampoline_update, and then modify_fentry or register_fentry returns -EAGAIN from bpf_tramp_ftrace_ops_func, the BPF_TRAMP_F_ORIG_STACK flag will be configured, and arch_prepare_bpf_trampoline will be re-executed.

At this time, because the pageattr of im->image is rox, arch_prepare_bpf_trampoline will read and write im->image, which causes a fault, as follows:

insmod livepatch-sample.ko   # samples/livepatch/livepatch-sample.c
bpftrace -e 'kretfunc:cmdline_proc_show {}'

BUG: unable to handle page fault for address: ffffffffa0206000
PGD 322d067 P4D 322d067 PUD 322e063 PMD 1297e067 PTE d428061
Oops: 0003 [#1] PREEMPT SMP PTI
CPU: 2 PID: 270 Comm: bpftrace Tainted: G E K 6.1.0 #5
RIP: 0010:arch_prepare_bpf_trampoline+0xed/0x8c0
RSP: 0018:ffffc90001083ad8 EFLAGS: 00010202
RAX: ffffffffa0206000 RBX: 0000000000000020 RCX: 0000000000000000
RDX: ffffffffa0206001 RSI: ffffffffa0206000 RDI: 0000000000000030
RBP: ffffc90001083b70 R08: 0000000000000066 R09: ffff88800f51b400
R10: 000000002e72c6e5 R11: 00000000d0a15080 R12: ffff8880110a68c8
R13: 0000000000000000 R14: ffff88800f51b400 R15: ffffffff814fec10
FS:  00007f87bc0dc780(0000) GS:ffff88803e600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffa0206000 CR3: 0000000010b70000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bpf_trampoline_update+0x25a/0x6b0
 __bpf_trampoline_link_prog+0x101/0x240
 bpf_trampoline_link_prog+0x2d/0x50
 bpf_tracing_prog_attach+0x24c/0x530
 bpf_raw_tp_link_attach+0x73/0x1d0
 __sys_bpf+0x100e/0x2570
 __x64_sys_bpf+0x1c/0x30
 do_syscall_64+0x5b/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

With this patch, when modify_fentry or register_fentry returns -EAGAIN from bpf_tramp_ftrace_ops_func, the pageattr of im->image will be reset to nx+rw.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A logic error in the Linux kernel's BPF trampoline update path crashes the kernel when a BPF kretfunc (fexit) program is attached to a function that is also livepatched: the trampoline image is regenerated while its page is still marked read-only and executable, so the rewrite takes a page fault.

Vulnerability

Overview

In the Linux kernel, bpf_trampoline_update() generates the trampoline image with arch_prepare_bpf_trampoline() and then marks the page holding im->image read-only and executable (ROX). It next calls modify_fentry() or register_fentry() to hook the target function through ftrace. When the target is already patched by livepatch, which registers its own ftrace ops with the IPMODIFY flag, bpf_tramp_ftrace_ops_func() returns -EAGAIN to request a trampoline that can share the function with the IPMODIFY user; bpf_trampoline_update() sets BPF_TRAMP_F_ORIG_STACK and jumps back to arch_prepare_bpf_trampoline(). Nothing resets the page attributes before that retry, so the second generation pass writes into an image that is still ROX and the kernel takes a write fault [1].
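The retry sequence above, reduced to a small model. This is an added illustration and not kernel code: the page attribute is a plain enum, the image is a heap-free byte array, and the ftrace registration is a stub that returns -EAGAIN once, the way bpf_tramp_ftrace_ops_func() does when the target already has an IPMODIFY user such as livepatch. The bit value of BPF_TRAMP_F_ORIG_STACK and the -EFAULT return (standing in for the oops) are choices of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Page attribute of the trampoline image. The real kernel flips the PTE
 * with set_memory_rox() / set_memory_nx() / set_memory_rw(). */
enum pageattr { PAGE_NX_RW, PAGE_ROX };

#define BPF_TRAMP_F_ORIG_STACK (1U << 0)   /* bit value chosen for the model */

struct tramp_image {
    unsigned char bytes[64];   /* stands in for im->image */
    enum pageattr attr;
};

/* Model of arch_prepare_bpf_trampoline(): emits the trampoline body into
 * the image. A write through a ROX mapping oopses in the kernel; the model
 * returns -EFAULT instead of crashing. */
static int arch_prepare_model(struct tramp_image *im, unsigned int flags)
{
    if (im->attr == PAGE_ROX)
        return -EFAULT;
    memset(im->bytes, 0x90, sizeof im->bytes);
    /* first byte records which variant was emitted, so callers can check it */
    im->bytes[0] = (flags & BPF_TRAMP_F_ORIG_STACK) ? 0x01 : 0x00;
    return 0;
}

/* Model of register_fentry()/modify_fentry(): when the target already has
 * an IPMODIFY ftrace user (livepatch), bpf_tramp_ftrace_ops_func() returns
 * -EAGAIN until the trampoline is rebuilt with BPF_TRAMP_F_ORIG_STACK. */
static int register_fentry_model(bool target_livepatched, unsigned int flags)
{
    if (target_livepatched && !(flags & BPF_TRAMP_F_ORIG_STACK))
        return -EAGAIN;
    return 0;
}

/* Model of bpf_trampoline_update(). `fixed` selects the behaviour without
 * and with the patch: the fix resets the image to nx+rw before retrying. */
int trampoline_update_model(struct tramp_image *im, bool target_livepatched, bool fixed)
{
    unsigned int flags = 0;
    int err;

again:
    err = arch_prepare_model(im, flags);
    if (err)
        return err;                 /* -EFAULT here is the oops from the advisory */
    im->attr = PAGE_ROX;            /* set_memory_rox() after a successful prepare */

    err = register_fentry_model(target_livepatched, flags);
    if (err == -EAGAIN) {
        if (fixed)
            im->attr = PAGE_NX_RW;  /* the fix: set_memory_nx() + set_memory_rw() */
        flags |= BPF_TRAMP_F_ORIG_STACK;
        goto again;                 /* re-run arch_prepare_bpf_trampoline() */
    }
    return err;
}

/* Runs one scenario on a fresh nx+rw image and returns the link result. */
int run_scenario(bool target_livepatched, bool fixed)
{
    struct tramp_image im = { .attr = PAGE_NX_RW };
    return trampoline_update_model(&im, target_livepatched, fixed);
}

int main(void)
{
    printf("plain target, old code      : %d\n", run_scenario(false, false));
    printf("livepatched target, old code: %d\n", run_scenario(true, false));
    printf("livepatched target, fixed   : %d\n", run_scenario(true, true));
    return 0;
}
```

Only the livepatched-target, unfixed case reaches arch_prepare_model() with the image still ROX; the fixed variant succeeds on the retry and the image ends up marked ROX again only after the ORIG_STACK body has been written.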

Exploitation

Conditions

The issue is triggered when a BPF fentry/fexit tracing program (bpftrace kfunc/kretfunc) is attached to a function that is currently patched by a loaded livepatch. The reproducer loads samples/livepatch/livepatch-sample.ko, which patches cmdline_proc_show, and then attaches a kretfunc probe to that same function. Both steps require high privileges: loading a module needs CAP_SYS_MODULE (in practice root), and attaching a BPF tracing program needs CAP_BPF and CAP_PERFMON (CAP_SYS_ADMIN also suffices). No race or timing window is involved; the bug is a deterministic mistake in the -EAGAIN retry path of the trampoline update sequence, and the result is the kernel oops shown in the call trace above [1].

Impact

A successful trigger crashes the kernel (oops), a denial of service for the whole host. It is reproducible with the steps in the description: load the livepatch sample, then attach a kretfunc program to the patched function. The oops is a write fault (error code 0003: protection violation on a present page, during a write) at the trampoline image address, taken inside arch_prepare_bpf_trampoline while it emits code into a read-only-executable page. Since the privileges needed to trigger it already permit loading kernel modules, this is a robustness bug affecting privileged tooling rather than a privilege boundary bypass [1].

Mitigation

The fix, carried in Linux kernel stable commit 7f656fff955c, handles the -EAGAIN retry in bpf_trampoline_update: before jumping back to arch_prepare_bpf_trampoline it resets the image page to non-executable and writable (nx+rw), so the second generation pass writes to a writable page and the image is made ROX again only after it has been regenerated. Users should apply their distribution's kernel update. The only workaround is operational: on an unfixed kernel, do not attach fentry/fexit BPF tracing programs (bpftrace kfunc/kretfunc) to functions currently covered by a loaded livepatch; the patched functions are listed under /sys/kernel/livepatch [1].
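A pre-flight check for the workaround, added here as an example and not part of the advisory or the kernel tree. It walks the livepatch sysfs ABI, which exposes every patched function as a directory /sys/kernel/livepatch/<patch>/<object>/<function,sympos>, and reports whether a given symbol is currently livepatched so that fentry/fexit probes on it can be refused on an unfixed kernel. The root path is a parameter so the walk can be exercised offline; build_sample_tree() creates a constructed directory tree mirroring what the livepatch-sample module from the reproducer would produce (names chosen for the demo).

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define LIVEPATCH_SYSFS "/sys/kernel/livepatch"
#define PBUF 4096

/* Joins parent/name into `out` and reports whether it is a directory
 * (sysfs attribute files such as `enabled` or `patched` are skipped). */
static bool subdir(const char *parent, const char *name, char *out, size_t outsz)
{
    struct stat st;
    if (!strcmp(name, ".") || !strcmp(name, ".."))
        return false;
    snprintf(out, outsz, "%s/%s", parent, name);
    return stat(out, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Walks <root>/<patch>/<object>/<function,sympos> and returns how many
 * loaded livepatches currently patch `func`. The first matching patch
 * name is copied into `patch` when it is non-NULL. A missing root
 * (no livepatch support, or nothing loaded) counts as zero. */
int livepatched_count(const char *root, const char *func, char *patch, size_t patchsz)
{
    int hits = 0;
    size_t flen = strlen(func);
    DIR *patches = opendir(root);
    if (!patches)
        return 0;
    for (struct dirent *p; (p = readdir(patches)); ) {
        char ppath[PBUF];
        if (!subdir(root, p->d_name, ppath, sizeof ppath))
            continue;
        DIR *objects = opendir(ppath);
        if (!objects)
            continue;
        for (struct dirent *o; (o = readdir(objects)); ) {
            char opath[PBUF];
            if (!subdir(ppath, o->d_name, opath, sizeof opath))
                continue;
            DIR *funcs = opendir(opath);
            if (!funcs)
                continue;
            for (struct dirent *f; (f = readdir(funcs)); ) {
                /* entry names have the form "<function>,<sympos>" */
                const char *comma = strchr(f->d_name, ',');
                size_t n = comma ? (size_t)(comma - f->d_name) : strlen(f->d_name);
                if (n == flen && !strncmp(f->d_name, func, n)) {
                    if (hits == 0 && patch)
                        snprintf(patch, patchsz, "%s", p->d_name);
                    hits++;
                }
            }
            closedir(funcs);
        }
        closedir(objects);
    }
    closedir(patches);
    return hits;
}

/* Constructed stand-in for the sysfs tree the livepatch-sample module from
 * the reproducer creates (patch "livepatch_sample", object "vmlinux",
 * function cmdline_proc_show). Used only to exercise the check offline. */
static bool build_sample_tree(const char *root)
{
    const char *parts[] = { "livepatch_sample", "vmlinux", "cmdline_proc_show,1" };
    char path[PBUF];
    snprintf(path, sizeof path, "%s", root);
    for (size_t i = 0; i < 3; i++) {
        size_t len = strlen(path);
        snprintf(path + len, sizeof path - len, "/%s", parts[i]);
        if (mkdir(path, 0700) && errno != EEXIST)
            return false;
    }
    return true;
}

/* Offline self-check: builds the sample tree under a temp dir (left in place
 * for inspection) and returns 1 when the check finds exactly that patch. */
int demo_sample_tree(void)
{
    char tmpl[] = "/tmp/lpcheck-XXXXXX";
    char *root = mkdtemp(tmpl);
    char patch[64] = "";
    if (!root || !build_sample_tree(root))
        return -1;
    int n = livepatched_count(root, "cmdline_proc_show", patch, sizeof patch);
    return (n == 1 && !strcmp(patch, "livepatch_sample")) ? 1 : -2;
}

int main(int argc, char **argv)
{
    const char *func = argc > 1 ? argv[1] : "cmdline_proc_show";
    char patch[64] = "";
    int n = livepatched_count(LIVEPATCH_SYSFS, func, patch, sizeof patch);
    if (n)
        printf("%s is livepatched by %s: do not attach fentry/fexit on an unfixed kernel\n", func, patch);
    else
        printf("%s is not livepatched on this host\n", func);
    return 0;
}
```

Run it as root with the target symbol as the argument before attaching a kfunc/kretfunc probe; on a fixed kernel the attach is safe regardless, since the retry with BPF_TRAMP_F_ORIG_STACK then succeeds.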

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Linux/Kernel (inferred), 2 versions, no CPE assigned

Patches

3 linked

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3 linked

News mentions

No linked articles in our index yet.