CVE-2022-50563— dm thin: Fix UAF in run_timer_softirq()
Affected Version Matrix 20
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 991d9fa02da0dd1f843dc011376965e0c8c6c9b5< 7ee059d06a5d3c15465959e0472993e80fbe4e81 | affected |
991d9fa02da0dd1f843dc011376965e0c8c6c9b5< 550a4fac7ecfee5bac6a0dd772456ca62fb72f46 | affected | ||
991d9fa02da0dd1f843dc011376965e0c8c6c9b5< e8b8e0d2bbf7d1172c4f435621418e29ee408d46 | affected | ||
991d9fa02da0dd1f843dc011376965e0c8c6c9b5< 7ae6aa649394e1e7f6dafb55ce0d578c0572a280 | affected | ||
991d9fa02da0dd1f843dc011376965e0c8c6c9b5< 34fe9c2251f19786a6689149a6212c6c0de1d63b | affected | ||
991d9fa02da0dd1f843dc011376965e0c8c6c9b5< 34cd15d83b7206188d440b29b68084fcafde9395 | affected | ||
991d9fa02da0dd1f843dc011376965e0c8c6c9b5< 94e231c9d6f2648d2f1f68e7f476e050ee0a6159 | affected | ||
991d9fa02da0dd1f843dc011376965e0c8c6c9b5< d9971fa4d8bde63d49c743c1b32d12fbbd3a30bd | affected | ||
| … +12 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-50563
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
dm thin: Fix UAF in run_timer_softirq()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: dm thin: Fix UAF in run_timer_softirq() When dm_resume() and dm_destroy() are concurrent, it will lead to UAF, as follows: BUG: KASAN: use-after-free in __run_timers+0x173/0x710 Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0 <snip> Call Trace: <IRQ> dump_stack_lvl+0x73/0x9f print_report.cold+0x132/0xaa2 _raw_spin_lock_irqsave+0xcd/0x160 __run_timers+0x173/0x710 kasan_report+0xad/0x110 __run_timers+0x173/0x710 __asan_store8+0x9c/0x140 __run_timers+0x173/0x710 call_timer_fn+0x310/0x310 pvclock_clocksource_read+0xfa/0x250 kvm_clock_read+0x2c/0x70 kvm_clock_get_cycles+0xd/0x20 ktime_get+0x5c/0x110 lapic_next_event+0x38/0x50 clockevents_program_event+0xf1/0x1e0 run_timer_softirq+0x49/0x90 __do_softirq+0x16e/0x62c __irq_exit_rcu+0x1fa/0x270 irq_exit_rcu+0x12/0x20 sysvec_apic_timer_interrupt+0x8e/0xc0 One of the concurrency UAF can be shown as below: use free do_resume | __find_device_hash_cell | dm_get | atomic_inc(&md->holders) | | dm_destroy | __dm_destroy | if (!dm_suspended_md(md)) | atomic_read(&md->holders) | msleep(1) dm_resume | __dm_resume | dm_table_resume_targets | pool_resume | do_waker #add delay work | dm_put | atomic_dec(&md->holders) | | dm_table_destroy | pool_dtr | __pool_dec | __pool_destroy | destroy_workqueue | kfree(pool) # free pool time out __do_softirq run_timer_softirq # pool has already been freed This can be easily reproduced using: 1. create thin-pool 2. dmsetup suspend pool 3. dmsetup resume pool 4. dmsetup remove_all # Concurrent with 3 The root cause of this UAF bug is that dm_resume() adds timer after dm_destroy() skips cancelling the timer because of suspend status. After timeout, it will call run_timer_softirq(), however pool has already been freed. The concurrency UAF bug will happen. Therefore, cancelling timer again in __pool_destroy().
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于dm_resume和dm_destroy并发执行时存在释放后重用问题,可能导致内存损坏。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2022-50563
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-50563
请登录查看更多情报信息。
Patches & Fixes for CVE-2022-50563 (8)
Same Patch Batch · Linux · 2025-10-22 · 67 CVEs total
| CVE-2023-53710 | wifi: mt76: mt7921: fix error code of return in mt7921_acpi_read | |
| CVE-2023-53729 | soc: qcom: qmi_encdec: Restrict string length in decode | |
| CVE-2023-53727 | net/sched: fq_pie: avoid stalls in fq_pie_timer() | |
| CVE-2023-53728 | posix-timers: Ensure timer ID search-loop limit is valid | |
| CVE-2023-53717 | wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback() | |
| CVE-2023-53715 | wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex | |
| CVE-2023-53714 | drm/stm: ltdc: fix late dereference check | |
| CVE-2023-53713 | arm64: sme: Use STR P to clear FFR context field in streaming SVE mode | |
| CVE-2023-53712 | ARM: 9317/1: kexec: Make smp stop calls asynchronous | |
| CVE-2023-53711 | NFS: Fix a potential data corruption | |
| CVE-2023-53716 | net: fix skb leak in __skb_tstamp_tx() | |
| CVE-2023-53709 | ring-buffer: Handle race between rb_move_tail and rb_check_pages | |
| CVE-2023-53707 | drm/amdgpu: Fix integer overflow in amdgpu_cs_pass1 | |
| CVE-2023-53708 | ACPI: x86: s2idle: Catch multiple ACPI_TYPE_PACKAGE objects | |
| CVE-2023-53705 | ipv6: Fix out-of-bounds access in ipv6_find_tlv() | |
| CVE-2023-53706 | mm/vmemmap/devdax: fix kernel crash when probing devdax devices | |
| CVE-2023-53704 | clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe() | |
| CVE-2023-53702 | s390/crypto: use vector instructions only if available for ChaCha20 | |
| CVE-2023-53703 | HID: amd_sfh: Fix for shift-out-of-bounds | |
| CVE-2023-53700 | media: max9286: Fix memleak in max9286_v4l2_register() |
Showing top 20 of 67 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-45836
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndti - CVE-2026-45835
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_conne - CVE-2026-45834
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_cha - CVE-2026-46300
net: skbuff: preserve shared-frag marker during coalescing - CVE-2026-43503
net: skbuff: propagate shared-frag marker through frag-trans
Same vendor: Linux
- CVE-2026-45836
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndti - CVE-2026-45835
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_conne - CVE-2026-45834
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_cha - CVE-2026-46300
net: skbuff: preserve shared-frag marker during coalescing - CVE-2026-43503
net: skbuff: propagate shared-frag marker through frag-trans
V. Comments for CVE-2022-50563
No comments yet