CVE-2022-49706
- Source
- https://cve.org/CVERecord?id=CVE-2022-49706
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49706.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-49706
- Downstream
- Published
- 2025-02-26T02:24:24.760Z
- Modified
- 2025-11-29T00:28:57.811003Z
- Summary
- zonefs: fix zonefs_iomap_begin() for reads
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
zonefs: fix zonefsiomapbegin() for reads
If a readahead is issued to a sequential zone file with an offset exactly equal to the current file size, the iomap type is set to IOMAPUNWRITTEN, which will prevent an IO, but the iomap length is calculated as 0. This causes a WARNON() in iomap_iter():
[17309.548939] WARNING: CPU: 3 PID: 2137 at fs/iomap/iter.c:34 iomapiter+0x9cf/0xe80 [...] [17309.650907] RIP: 0010:iomapiter+0x9cf/0xe80 [...] [17309.754560] Call Trace: [17309.757078] <TASK> [17309.759240] ? lockisheldtype+0xd8/0x130 [17309.763531] iomapreadahead+0x1a8/0x870 [17309.767550] ? iomapreadfolio+0x4c0/0x4c0 [17309.771817] ? lockdephardirqsonprepare+0x400/0x400 [17309.778848] ? lockrelease+0x370/0x750 [17309.784462] ? folioaddlru+0x217/0x3f0 [17309.790220] ? reacquireheldlocks+0x4e0/0x4e0 [17309.796543] readpages+0x17d/0xb60 [17309.801854] ? folioaddlru+0x238/0x3f0 [17309.807573] ? readaheadexpand+0x5f0/0x5f0 [17309.813554] ? policynode+0xb5/0x140 [17309.819018] pagecacheraunbounded+0x27d/0x450 [17309.825439] filemapgetpages+0x500/0x1450 [17309.831444] ? filemapaddfolio+0x140/0x140 [17309.837519] ? lockisheldtype+0xd8/0x130 [17309.843509] filemapread+0x28c/0x9f0 [17309.848953] ? zonefsfilereaditer+0x1ea/0x4d0 [zonefs] [17309.856162] ? tracecontentionend+0xd6/0x130 [17309.862416] ? _mutexlock+0x221/0x1480 [17309.868151] ? zonefsfilereaditer+0x166/0x4d0 [zonefs] [17309.875364] ? filemapgetpages+0x1450/0x1450 [17309.881647] ? _mutexunlockslowpath+0x15e/0x620 [17309.888248] ? waitforcompletioniotimeout+0x20/0x20 [17309.895231] ? lockisheldtype+0xd8/0x130 [17309.901115] ? lockisheldtype+0xd8/0x130 [17309.906934] zonefsfilereaditer+0x356/0x4d0 [zonefs] [17309.913750] newsyncread+0x2d8/0x520 [17309.919035] ? _x64sys_lseek+0x1d0/0x1d0
Furthermore, this causes iomapreadahead() to loop forever as iomapreadahead_iter() always returns 0, making no progress.
Fix this by treating reads after the file size as access to holes, setting the iomap type to IOMAPHOLE, the iomap addr to IOMAPNULLADDR and using the length argument as is for the iomap length. To simplify the code with this change, zonefsiomapbegin() is split into the read variant, zonefsreadiomapbegin() and zonefsreadiomapops, and the write variant, zonefswriteiomapbegin() and zonefswriteiomap_ops.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49706.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/355be6131164c5bacf2e810763835aecb6e01fcb
- https://git.kernel.org/stable/c/3a7f05f104347b407e865c10be2675cd833a4e48
- https://git.kernel.org/stable/c/c1c1204c0d0c1dccc1310b9277fb2bd8b663d8fe
- https://git.kernel.org/stable/c/c2f71b9bb398e2e573bdc2574149f42b45efe410
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49706.json
- https://nvd.nist.gov/vuln/detail/CVE-2022-49706
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced8dcc1a9d90c10fa4143e5c17821082e5e60e46a1Fixed355be6131164c5bacf2e810763835aecb6e01fcbFixedc2f71b9bb398e2e573bdc2574149f42b45efe410Fixed3a7f05f104347b407e865c10be2675cd833a4e48Fixedc1c1204c0d0c1dccc1310b9277fb2bd8b663d8fe