{"id":"CVE-2022-50652","summary":"uio: uio_dmem_genirq: Fix missing unlock in irq configuration","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nuio: uio_dmem_genirq: Fix missing unlock in irq configuration\n\nCommit b74351287d4b (\"uio: fix a sleep-in-atomic-context bug in\nuio_dmem_genirq_irqcontrol()\") started calling disable_irq() without\nholding the spinlock because it can sleep. However, that fix introduced\nanother bug: if interrupt is already disabled and a new disable request\ncomes in, then the spinlock is not unlocked:\n\nroot@localhost:~# printf '\\x00\\x00\\x00\\x00' \u003e /dev/uio0\nroot@localhost:~# printf '\\x00\\x00\\x00\\x00' \u003e /dev/uio0\nroot@localhost:~# [   14.851538] BUG: scheduling while atomic: bash/223/0x00000002\n[   14.851991] Modules linked in: uio_dmem_genirq uio myfpga(OE) bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper drm snd_pcm ppdev joydev psmouse snd_timer snd e1000fb_sys_fops syscopyarea parport sysfillrect soundcore sysimgblt input_leds pcspkr i2c_piix4 serio_raw floppy evbug qemu_fw_cfg mac_hid pata_acpi ip_tables x_tables autofs4 [last unloaded: parport_pc]\n[   14.854206] CPU: 0 PID: 223 Comm: bash Tainted: G           OE      6.0.0-rc7 #21\n[   14.854786] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[   14.855664] Call Trace:\n[   14.855861]  \u003cTASK\u003e\n[   14.856025]  dump_stack_lvl+0x4d/0x67\n[   14.856325]  dump_stack+0x14/0x1a\n[   14.856583]  __schedule_bug.cold+0x4b/0x5c\n[   14.856915]  __schedule+0xe81/0x13d0\n[   14.857199]  ? idr_find+0x13/0x20\n[   14.857456]  ? get_work_pool+0x2d/0x50\n[   14.857756]  ? __flush_work+0x233/0x280\n[   14.858068]  ? __schedule+0xa95/0x13d0\n[   14.858307]  ? idr_find+0x13/0x20\n[   14.858519]  ? get_work_pool+0x2d/0x50\n[   14.858798]  schedule+0x6c/0x100\n[   14.859009]  schedule_hrtimeout_range_clock+0xff/0x110\n[   14.859335]  ? tty_write_room+0x1f/0x30\n[   14.859598]  ? n_tty_poll+0x1ec/0x220\n[   14.859830]  ? tty_ldisc_deref+0x1a/0x20\n[   14.860090]  schedule_hrtimeout_range+0x17/0x20\n[   14.860373]  do_select+0x596/0x840\n[   14.860627]  ? __kernel_text_address+0x16/0x50\n[   14.860954]  ? poll_freewait+0xb0/0xb0\n[   14.861235]  ? poll_freewait+0xb0/0xb0\n[   14.861517]  ? rpm_resume+0x49d/0x780\n[   14.861798]  ? common_interrupt+0x59/0xa0\n[   14.862127]  ? asm_common_interrupt+0x2b/0x40\n[   14.862511]  ? __uart_start.isra.0+0x61/0x70\n[   14.862902]  ? __check_object_size+0x61/0x280\n[   14.863255]  core_sys_select+0x1c6/0x400\n[   14.863575]  ? vfs_write+0x1c9/0x3d0\n[   14.863853]  ? vfs_write+0x1c9/0x3d0\n[   14.864121]  ? _copy_from_user+0x45/0x70\n[   14.864526]  do_pselect.constprop.0+0xb3/0xf0\n[   14.864893]  ? do_syscall_64+0x6d/0x90\n[   14.865228]  ? do_syscall_64+0x6d/0x90\n[   14.865556]  __x64_sys_pselect6+0x76/0xa0\n[   14.865906]  do_syscall_64+0x60/0x90\n[   14.866214]  ? syscall_exit_to_user_mode+0x2a/0x50\n[   14.866640]  ? do_syscall_64+0x6d/0x90\n[   14.866972]  ? do_syscall_64+0x6d/0x90\n[   14.867286]  ? do_syscall_64+0x6d/0x90\n[   14.867626]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...] stripped\n[   14.872959]  \u003c/TASK\u003e\n\n('myfpga' is a simple 'uio_dmem_genirq' driver I wrote to test this)\n\nThe implementation of \"uio_dmem_genirq\" was based on \"uio_pdrv_genirq\" and\nit is used in a similar manner to the \"uio_pdrv_genirq\" driver with respect\nto interrupt configuration and handling. At the time \"uio_dmem_genirq\" was\nintroduced, both had the same implementation of the 'uio_info' handlers\nirqcontrol() and handler(). Then commit 34cb27528398 (\"UIO: Fix concurrency\nissue\"), which was only applied to \"uio_pdrv_genirq\", ended up making them\na little different. That commit, among other things, changed disable_irq()\nto disable_irq_nosync() in the implementation of irqcontrol(). The\nmotivation there was to avoid a deadlock between irqcontrol() and\nhandler(), since it added a spinlock in the irq handler, and disable_irq()\nwaits for the completion of the irq handler.\n\nBy changing disable_irq() to disable_irq_nosync() in irqcontrol(), we also\navoid the sleeping-whil\n---truncated---","modified":"2026-04-02T08:28:41.383061Z","published":"2025-12-09T00:00:26.593Z","related":["SUSE-SU-2026:0263-1","SUSE-SU-2026:0317-1","SUSE-SU-2026:0411-1","SUSE-SU-2026:0617-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50652.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/030b6c7bb1e4edebaee2b1e48fbcc9cd5998d51d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/79a4bdb6b9920134af1a4738a1fa36a0438cd905"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9977cb7af5a8f4738198b020436e2e56c5cd721e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9bf7a0b2b15cd12e15f7858072bd89933746de67"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9de255c461d1b3f0242b3ad1450c3323a3e00b34"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a323d24a0183be730d2398b11b3a91e5c2e222a0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ac5585bb06a2e82177269bee93e59887ce591106"},{"type":"WEB","url":"https://git.kernel.org/stable/c/eca77a25a7cb3201738f4b55b9b8fa1089d7d002"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ee180e867ce4b2f744799247b81050b3e5dd62cd"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50652.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50652"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b77fa964ecb1d72a671234f5bea95b41f77c233a"},{"fixed":"9977cb7af5a8f4738198b020436e2e56c5cd721e"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0151b03f43f2d295a6949454434074b34a262e06"},{"fixed":"a323d24a0183be730d2398b11b3a91e5c2e222a0"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ea6b7b1d58790ffb36bace723f6e62a1c8595c77"},{"fixed":"ac5585bb06a2e82177269bee93e59887ce591106"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"750a95d63746458e86c6d92dfad48a05c64d0ecd"},{"fixed":"eca77a25a7cb3201738f4b55b9b8fa1089d7d002"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b74351287d4bd90636c3f48bc188c2f53824c2d4"},{"fixed":"9bf7a0b2b15cd12e15f7858072bd89933746de67"},{"fixed":"79a4bdb6b9920134af1a4738a1fa36a0438cd905"},{"fixed":"030b6c7bb1e4edebaee2b1e48fbcc9cd5998d51d"},{"fixed":"ee180e867ce4b2f744799247b81050b3e5dd62cd"},{"fixed":"9de255c461d1b3f0242b3ad1450c3323a3e00b34"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"4a117a1c581623d04bf09aa7455d8e7b66e8bb85"},{"last_affected":"1d52cd8b52876145b0f6344be95fc750e30d9ecb"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50652.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.9.337"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.10.0"},{"fixed":"4.14.303"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.15.0"},{"fixed":"4.19.270"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.229"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.163"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.6.0"},{"fixed":"5.15.86"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"6.0.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50652.json"}}],"schema_version":"1.7.5"}