CVE-2022-49706

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-49706
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49706.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49706
Downstream
Published
2025-02-26T02:24:24.760Z
Modified
2026-03-20T11:47:08.641157Z
Summary
zonefs: fix zonefs_iomap_begin() for reads
Details

In the Linux kernel, the following vulnerability has been resolved:

zonefs: fix zonefsiomapbegin() for reads

If a readahead is issued to a sequential zone file with an offset exactly equal to the current file size, the iomap type is set to IOMAPUNWRITTEN, which will prevent an IO, but the iomap length is calculated as 0. This causes a WARNON() in iomap_iter():

[17309.548939] WARNING: CPU: 3 PID: 2137 at fs/iomap/iter.c:34 iomapiter+0x9cf/0xe80 [...] [17309.650907] RIP: 0010:iomapiter+0x9cf/0xe80 [...] [17309.754560] Call Trace: [17309.757078] <TASK> [17309.759240] ? lockisheldtype+0xd8/0x130 [17309.763531] iomapreadahead+0x1a8/0x870 [17309.767550] ? iomapreadfolio+0x4c0/0x4c0 [17309.771817] ? lockdephardirqsonprepare+0x400/0x400 [17309.778848] ? lockrelease+0x370/0x750 [17309.784462] ? folioaddlru+0x217/0x3f0 [17309.790220] ? reacquireheldlocks+0x4e0/0x4e0 [17309.796543] readpages+0x17d/0xb60 [17309.801854] ? folioaddlru+0x238/0x3f0 [17309.807573] ? readaheadexpand+0x5f0/0x5f0 [17309.813554] ? policynode+0xb5/0x140 [17309.819018] pagecacheraunbounded+0x27d/0x450 [17309.825439] filemapgetpages+0x500/0x1450 [17309.831444] ? filemapaddfolio+0x140/0x140 [17309.837519] ? lockisheldtype+0xd8/0x130 [17309.843509] filemapread+0x28c/0x9f0 [17309.848953] ? zonefsfilereaditer+0x1ea/0x4d0 [zonefs] [17309.856162] ? tracecontention_end+0xd6/0x130 [17309.862416] ? __mutexlock+0x221/0x1480 [17309.868151] ? zonefsfilereaditer+0x166/0x4d0 [zonefs] [17309.875364] ? filemapgetpages+0x1450/0x1450 [17309.881647] ? __mutexunlockslowpath+0x15e/0x620 [17309.888248] ? wait_forcompletioniotimeout+0x20/0x20 [17309.895231] ? lockisheldtype+0xd8/0x130 [17309.901115] ? lockisheldtype+0xd8/0x130 [17309.906934] zonefsfilereaditer+0x356/0x4d0 [zonefs] [17309.913750] newsyncread+0x2d8/0x520 [17309.919035] ? __x64syslseek+0x1d0/0x1d0

Furthermore, this causes iomapreadahead() to loop forever as iomapreadahead_iter() always returns 0, making no progress.

Fix this by treating reads after the file size as access to holes, setting the iomap type to IOMAPHOLE, the iomap addr to IOMAPNULLADDR and using the length argument as is for the iomap length. To simplify the code with this change, zonefsiomapbegin() is split into the read variant, zonefsreadiomapbegin() and zonefsreadiomapops, and the write variant, zonefswriteiomapbegin() and zonefswriteiomap_ops.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49706.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8dcc1a9d90c10fa4143e5c17821082e5e60e46a1
Fixed
355be6131164c5bacf2e810763835aecb6e01fcb
Fixed
c2f71b9bb398e2e573bdc2574149f42b45efe410
Fixed
3a7f05f104347b407e865c10be2675cd833a4e48
Fixed
c1c1204c0d0c1dccc1310b9277fb2bd8b663d8fe

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49706.json"