CVE-2022-50563

Source
https://cve.org/CVERecord?id=CVE-2022-50563
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50563.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50563
Published
2025-10-22T13:23:22.080Z
Modified
2026-03-20T11:47:31.668424Z
Summary
dm thin: Fix UAF in run_timer_softirq()
Details

In the Linux kernel, the following vulnerability has been resolved:

dm thin: Fix UAF in run_timer_softirq()

When dm_resume() and dm_destroy() are concurrent, it will lead to UAF, as follows:

    BUG: KASAN: use-after-free in __run_timers+0x173/0x710
    Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0
    <snip>
    Call Trace:
     <IRQ>
     dump_stack_lvl+0x73/0x9f
     print_report.cold+0x132/0xaa2
     _raw_spin_lock_irqsave+0xcd/0x160
     __run_timers+0x173/0x710
     kasan_report+0xad/0x110
     __run_timers+0x173/0x710
     __asan_store8+0x9c/0x140
     __run_timers+0x173/0x710
     call_timer_fn+0x310/0x310
     pvclock_clocksource_read+0xfa/0x250
     kvm_clock_read+0x2c/0x70
     kvm_clock_get_cycles+0xd/0x20
     ktime_get+0x5c/0x110
     lapic_next_event+0x38/0x50
     clockevents_program_event+0xf1/0x1e0
     run_timer_softirq+0x49/0x90
     __do_softirq+0x16e/0x62c
     __irq_exit_rcu+0x1fa/0x270
     irq_exit_rcu+0x12/0x20
     sysvec_apic_timer_interrupt+0x8e/0xc0

One of the concurrency UAF can be shown as below:

            use                                  free

    do_resume                            |
      __find_device_hash_cell            |
        dm_get                           |
          atomic_inc(&md->holders)       |
                                         | dm_destroy
                                         |   __dm_destroy
                                         |     if (!dm_suspended_md(md))
                                         |     atomic_read(&md->holders)
                                         |     msleep(1)
      dm_resume                          |
        __dm_resume                      |
          dm_table_resume_targets        |
            pool_resume                  |
              do_waker  # add delay work |
          dm_put                         |
            atomic_dec(&md->holders)     |
                                         |     dm_table_destroy
                                         |       pool_dtr
                                         |         __pool_dec
                                         |           __pool_destroy
                                         |             destroy_workqueue
                                         |             kfree(pool) # free pool
            time out
    __do_softirq
      run_timer_softirq # pool has already been freed

This can be easily reproduced using:
    1. create thin-pool
    2. dmsetup suspend pool
    3. dmsetup resume pool
    4. dmsetup remove_all # Concurrent with 3

The root cause of this UAF bug is that dm_resume() adds timer after dm_destroy() skips cancelling the timer because of suspend status. After timeout, it will call run_timer_softirq(), however pool has already been freed. The concurrency UAF bug will happen.

Therefore, cancelling timer again in __pool_destroy().
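The interleaving above, as an added model that is not code from the kernel or from the fix commit. It reduces the driver to the pieces the race needs: a timer wheel drained by run_timer_softirq(), a pool whose resume path arms a waker timer, and a destroy path that only cancels that timer when the device is not suspended. The real driver's waker is a delayed work item and the real fix cancels it inside __pool_destroy(); here that is modelled as an unconditional del_timer_sync() before the free. kfree() is modelled as a "freed" flag on the object so the dangling callback is counted instead of dereferencing freed memory. The names dm_destroy_begin, simulate_race and simulate_serialized are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the kernel timer wheel: a singly linked list of armed timers
 * that run_timer_softirq() drains. */
struct timer_list {
    struct timer_list *next;
    void (*function)(struct timer_list *);
};

static struct timer_list *armed;

static void add_timer(struct timer_list *t)
{
    t->next = armed;
    armed = t;
}

/* del_timer_sync: unlink the timer if it is armed, no-op otherwise. */
static void del_timer_sync(struct timer_list *t)
{
    struct timer_list **pp = &armed;
    while (*pp) {
        if (*pp == t) {
            *pp = t->next;
            t->next = NULL;
            return;
        }
        pp = &(*pp)->next;
    }
}

static void run_timer_softirq(void)
{
    struct timer_list *t;
    while ((t = armed)) {
        armed = t->next;
        t->function(t);
    }
}

struct pool {
    struct timer_list waker;
    bool freed;     /* stands in for kfree(): poison instead of real UB */
    int uaf_hits;   /* callbacks that ran on a "freed" pool */
};

/* do_waker: the timer callback. Firing on a freed pool is the UAF. */
static void do_waker(struct timer_list *t)
{
    struct pool *pool = (struct pool *)((char *)t - offsetof(struct pool, waker));
    if (pool->freed)
        pool->uaf_hits++;
}

struct mapped_device {
    bool suspended;
    struct pool *pool;
};

static void pool_postsuspend(struct pool *pool) { del_timer_sync(&pool->waker); }
static void pool_resume(struct pool *pool)      { add_timer(&pool->waker); }

/* First half of __dm_destroy: targets are only suspended (and the waker
 * cancelled) when the device is not already suspended. */
static void dm_destroy_begin(struct mapped_device *md)
{
    if (!md->suspended)
        pool_postsuspend(md->pool);
}

/* Second half: table destroyed, pool freed. with_fix adds the
 * unconditional cancel the commit message describes. */
static void __pool_destroy(struct pool *pool, bool with_fix)
{
    if (with_fix)
        del_timer_sync(&pool->waker);
    pool->freed = true;
}

static void pool_init(struct pool *pool)
{
    memset(pool, 0, sizeof(*pool));
    pool->waker.function = do_waker;
}

/* The racing order: remove starts on a suspended device, resume arms the
 * waker, remove finishes and frees, then the timer expires. */
static int simulate_race(bool with_fix)
{
    struct pool pool;
    struct mapped_device md = { .suspended = true, .pool = &pool };

    pool_init(&pool);
    dm_destroy_begin(&md);            /* suspended: cancel skipped       */
    md.suspended = false;
    pool_resume(&pool);               /* concurrent resume arms waker    */
    __pool_destroy(&pool, with_fix);  /* pool "freed"                    */
    run_timer_softirq();              /* timeout: do_waker runs          */
    return pool.uaf_hits;
}

/* Same steps serialized: remove runs after resume completes, so
 * __dm_destroy sees an active device and cancels the waker even unfixed. */
static int simulate_serialized(bool with_fix)
{
    struct pool pool;
    struct mapped_device md = { .suspended = false, .pool = &pool };

    pool_init(&pool);
    pool_resume(&pool);
    dm_destroy_begin(&md);            /* not suspended: waker cancelled  */
    __pool_destroy(&pool, with_fix);
    run_timer_softirq();
    return pool.uaf_hits;
}

int main(void)
{
    printf("race, unfixed:  %d dangling callback(s)\n", simulate_race(false));
    printf("race, fixed:    %d dangling callback(s)\n", simulate_race(true));
    printf("serialized:     %d dangling callback(s)\n", simulate_serialized(false));
    return 0;
}
```

The serialized run shows why the bug only appears with the suspend/resume/remove overlap: the existing cancel lives behind the suspended-status check, so any ordering that arms the timer after that check has passed leaves it armed across the free. Cancelling in __pool_destroy() closes that window regardless of ordering.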

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50563.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
991d9fa02da0dd1f843dc011376965e0c8c6c9b5
Fixed
7ee059d06a5d3c15465959e0472993e80fbe4e81
Fixed
550a4fac7ecfee5bac6a0dd772456ca62fb72f46
Fixed
e8b8e0d2bbf7d1172c4f435621418e29ee408d46
Fixed
7ae6aa649394e1e7f6dafb55ce0d578c0572a280
Fixed
34fe9c2251f19786a6689149a6212c6c0de1d63b
Fixed
34cd15d83b7206188d440b29b68084fcafde9395
Fixed
94e231c9d6f2648d2f1f68e7f476e050ee0a6159
Fixed
d9971fa4d8bde63d49c743c1b32d12fbbd3a30bd
Fixed
88430ebcbc0ec637b710b947738839848c20feff

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50563.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2.0
Fixed
4.9.337
Type
ECOSYSTEM
Events
Introduced
4.10.0
Fixed
4.14.303
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.270
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.229
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.163
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.87
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.18
Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50563.json"