{"id":"CVE-2022-50563","summary":"dm thin: Fix UAF in run_timer_softirq()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: Fix UAF in run_timer_softirq()\n\nWhen dm_resume() and dm_destroy() are concurrent, it will\nlead to UAF, as follows:\n\n BUG: KASAN: use-after-free in __run_timers+0x173/0x710\n Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0\n\u003csnip\u003e\n Call Trace:\n  \u003cIRQ\u003e\n  dump_stack_lvl+0x73/0x9f\n  print_report.cold+0x132/0xaa2\n  _raw_spin_lock_irqsave+0xcd/0x160\n  __run_timers+0x173/0x710\n  kasan_report+0xad/0x110\n  __run_timers+0x173/0x710\n  __asan_store8+0x9c/0x140\n  __run_timers+0x173/0x710\n  call_timer_fn+0x310/0x310\n  pvclock_clocksource_read+0xfa/0x250\n  kvm_clock_read+0x2c/0x70\n  kvm_clock_get_cycles+0xd/0x20\n  ktime_get+0x5c/0x110\n  lapic_next_event+0x38/0x50\n  clockevents_program_event+0xf1/0x1e0\n  run_timer_softirq+0x49/0x90\n  __do_softirq+0x16e/0x62c\n  __irq_exit_rcu+0x1fa/0x270\n  irq_exit_rcu+0x12/0x20\n  sysvec_apic_timer_interrupt+0x8e/0xc0\n\nOne of the concurrency UAF can be shown as below:\n\n        use                                  free\ndo_resume                           |\n  __find_device_hash_cell           |\n    dm_get                          |\n      atomic_inc(&md-\u003eholders)      |\n                                    | dm_destroy\n                                    |   __dm_destroy\n                                    |     if (!dm_suspended_md(md))\n                                    |     atomic_read(&md-\u003eholders)\n                                    |     msleep(1)\n  dm_resume                         |\n    __dm_resume                     |\n      dm_table_resume_targets       |\n        pool_resume                 |\n          do_waker  #add delay work |\n  dm_put                            |\n    atomic_dec(&md-\u003eholders)        |\n                                    |     dm_table_destroy\n                                    |       pool_dtr\n                                    |         __pool_dec\n                                    |           __pool_destroy\n                                    |             destroy_workqueue\n                                    |             kfree(pool) # free pool\n        time out\n__do_softirq\n  run_timer_softirq # pool has already been freed\n\nThis can be easily reproduced using:\n  1. create thin-pool\n  2. dmsetup suspend pool\n  3. dmsetup resume pool\n  4. dmsetup remove_all # Concurrent with 3\n\nThe root cause of this UAF bug is that dm_resume() adds timer after\ndm_destroy() skips cancelling the timer because of suspend status.\nAfter timeout, it will call run_timer_softirq(), however pool has\nalready been freed. The concurrency UAF bug will happen.\n\nTherefore, cancelling timer again in __pool_destroy().","modified":"2026-04-02T08:28:37.623679Z","published":"2025-10-22T13:23:22.080Z","related":["SUSE-SU-2025:4111-1","SUSE-SU-2025:4135-1","SUSE-SU-2025:4139-1","SUSE-SU-2025:4149-1","SUSE-SU-2025:4188-1","SUSE-SU-2025:4189-1","SUSE-SU-2025:4320-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50563.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/34cd15d83b7206188d440b29b68084fcafde9395"},{"type":"WEB","url":"https://git.kernel.org/stable/c/34fe9c2251f19786a6689149a6212c6c0de1d63b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/550a4fac7ecfee5bac6a0dd772456ca62fb72f46"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7ae6aa649394e1e7f6dafb55ce0d578c0572a280"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7ee059d06a5d3c15465959e0472993e80fbe4e81"},{"type":"WEB","url":"https://git.kernel.org/stable/c/88430ebcbc0ec637b710b947738839848c20feff"},{"type":"WEB","url":"https://git.kernel.org/stable/c/94e231c9d6f2648d2f1f68e7f476e050ee0a6159"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d9971fa4d8bde63d49c743c1b32d12fbbd3a30bd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e8b8e0d2bbf7d1172c4f435621418e29ee408d46"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50563.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50563"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"991d9fa02da0dd1f843dc011376965e0c8c6c9b5"},{"fixed":"7ee059d06a5d3c15465959e0472993e80fbe4e81"},{"fixed":"550a4fac7ecfee5bac6a0dd772456ca62fb72f46"},{"fixed":"e8b8e0d2bbf7d1172c4f435621418e29ee408d46"},{"fixed":"7ae6aa649394e1e7f6dafb55ce0d578c0572a280"},{"fixed":"34fe9c2251f19786a6689149a6212c6c0de1d63b"},{"fixed":"34cd15d83b7206188d440b29b68084fcafde9395"},{"fixed":"94e231c9d6f2648d2f1f68e7f476e050ee0a6159"},{"fixed":"d9971fa4d8bde63d49c743c1b32d12fbbd3a30bd"},{"fixed":"88430ebcbc0ec637b710b947738839848c20feff"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50563.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.2.0"},{"fixed":"4.9.337"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.10.0"},{"fixed":"4.14.303"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.15.0"},{"fixed":"4.19.270"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.229"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.163"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.87"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.0.18"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.1.0"},{"fixed":"6.1.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50563.json"}}],"schema_version":"1.7.5"}