CVE-2022-50699
Description
In the Linux kernel, the following vulnerability has been resolved:
selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()
The following warning was triggered on a hardware environment:
  SELinux: Converting 162 SID table entries...
  BUG: sleeping function called from invalid context at __might_sleep+0x60/0x74 0x0
  in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar
  CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1
  Call trace:
   dump_backtrace+0x0/0x1c8
   show_stack+0x18/0x28
   dump_stack+0xe8/0x15c
   ___might_sleep+0x168/0x17c
   __might_sleep+0x60/0x74
   __kmalloc_track_caller+0xa0/0x7dc
   kstrdup+0x54/0xac
   convert_context+0x48/0x2e4
   sidtab_context_to_sid+0x1c4/0x36c
   security_context_to_sid_core+0x168/0x238
   security_context_to_sid_default+0x14/0x24
   inode_doinit_use_xattr+0x164/0x1e4
   inode_doinit_with_dentry+0x1c0/0x488
   selinux_d_instantiate+0x20/0x34
   security_d_instantiate+0x70/0xbc
   d_splice_alias+0x4c/0x3c0
   ext4_lookup+0x1d8/0x200 [ext4]
   __lookup_slow+0x12c/0x1e4
   walk_component+0x100/0x200
   path_lookupat+0x88/0x118
   filename_lookup+0x98/0x130
   user_path_at_empty+0x48/0x60
   vfs_statx+0x84/0x140
   vfs_fstatat+0x20/0x30
   __se_sys_newfstatat+0x30/0x74
   __arm64_sys_newfstatat+0x1c/0x2c
   el0_svc_common.constprop.0+0x100/0x184
   do_el0_svc+0x1c/0x2c
   el0_svc+0x20/0x34
   el0_sync_handler+0x80/0x17c
   el0_sync+0x13c/0x140
  SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is not valid (left unmapped).
It was found that within a critical section of spin_lock_irqsave in sidtab_context_to_sid(), convert_context() (hooked by sidtab_convert_params.func) might cause the process to sleep via allocating memory with GFP_KERNEL, which is problematic.
As Ondrej pointed out [1], convert_context()/sidtab_convert_params.func has another caller sidtab_convert_tree(), which is okay with GFP_KERNEL. Therefore, fix this problem by adding a gfp_t argument for convert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC properly in individual callers.
[PM: wrap long BUG() output lines, tweak subject line]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A sleeping function call inside an atomic context in SELinux's convert_context() can trigger a kernel BUG and SID mapping failure.
Overview
CVE-2022-50699 is a kernel bug in the SELinux subsystem where convert_context() could allocate memory with GFP_KERNEL while holding a spinlock (spin_lock_irqsave), causing a "sleeping function called from invalid context" splat. This was observed during a security context conversion triggered by file operations (e.g., tar), leading to invalid SID mappings [description].
Exploitation Context
The bug occurs in the call path: sidtab_context_to_sid() → convert_context() → kstrdup() → __kmalloc_track_caller() with GFP_KERNEL. Because sidtab_context_to_sid() disables interrupts via spin_lock_irqsave, an atomic context is created where sleeping (via GFP_KERNEL) is forbidden. An attacker can trigger this by causing filesystem lookups that force SELinux to convert SIDs via extended attributes (xattrs) [description].
Impact
When the kernel attempts to allocate memory with GFP_KERNEL in the atomic section, a BUG is triggered, crashing the system or leaving contexts unmapped. In the observed case, a tar process caused the system to log "Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is not valid", indicating SID conversion failure and potentially incorrect security labels [description].
Mitigation
The fix modifies convert_context() to accept a gfp_t parameter, allowing it to use GFP_ATOMIC when called from atomic contexts (e.g., sidtab_context_to_sid()), and GFP_KERNEL when called from non-atomic contexts (e.g., sidtab_convert_tree()). This change was backported to stable kernels; users should apply the relevant patches from the upstream commits [1][2].
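The fix described above, modelled in userspace C as an added example (not the kernel patch and not code from this page). The *_model helpers, the flag values and the sample context string are assumptions standing in for the kernel's spinlock, allocator and might-sleep check.

```c
#include <stdlib.h>
#include <string.h>
/* Userspace model: flag values and *_model names are assumptions, not kernel definitions. */
typedef unsigned int gfp_t;
#define GFP_ATOMIC 0x1u           /* allocation must not sleep */
#define GFP_KERNEL 0x2u           /* allocation may sleep */

static int atomic_depth;          /* >0 while the modelled spinlock is held */
static int sleep_in_atomic_hits;  /* modelled "invalid context" warnings */
static void lock_model(void)   { atomic_depth++; }
static void unlock_model(void) { atomic_depth--; }

/* Stand-in for kstrdup(): records a sleeping allocation made under the lock. */
static char *kstrdup_model(const char *s, gfp_t gfp)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if ((gfp & GFP_KERNEL) && atomic_depth > 0)
        sleep_in_atomic_hits++;
    return p ? memcpy(p, s, n) : NULL;
}

/* Before the fix: the allocation mode is hard-coded in the callback. */
static char *convert_context_before(const char *ctx) { return kstrdup_model(ctx, GFP_KERNEL); }

/* After the fix: the caller passes the mode its own context allows. */
static char *convert_context_after(const char *ctx, gfp_t gfp) { return kstrdup_model(ctx, gfp); }

/* Lock-held caller (role of sidtab_context_to_sid()); returns warnings seen. */
int locked_caller(int fixed)
{
    const char *ctx = "system_u:object_r:example_t:s0"; /* constructed sample */
    char *c;
    sleep_in_atomic_hits = 0;
    lock_model();
    c = fixed ? convert_context_after(ctx, GFP_ATOMIC) : convert_context_before(ctx);
    unlock_model();
    free(c);
    return sleep_in_atomic_hits;
}

/* Lock-free caller (role of sidtab_convert_tree()); GFP_KERNEL is fine here. */
int unlocked_caller(void)
{
    sleep_in_atomic_hits = 0;
    free(convert_context_after("system_u:object_r:example_t:s0", GFP_KERNEL));
    return sleep_in_atomic_hits;
}

int main(void) { return !(locked_caller(0) == 1 && locked_caller(1) == 0 && unlocked_caller() == 0); }
```

Only the unfixed lock-held path trips the modelled check; a GFP_ATOMIC allocation can fail more readily than a GFP_KERNEL one, so the lock-held caller still has to handle a NULL return.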
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 4
2723875e9d67
3006766d247b
277378631d26
abe3c631447d
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4