CVE-2022-50563 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

dm thin: Fix UAF in run_timer_softirq()

When dm_resume() and dm_destroy() are concurrent, it will
lead to UAF, as follows:

BUG: KASAN: use-after-free in __run_timers+0x173/0x710
Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0
<snip>
Call Trace:
<IRQ>
dump_stack_lvl+0x73/0x9f
print_report.cold+0x132/0xaa2
_raw_spin_lock_irqsave+0xcd/0x160
__run_timers+0x173/0x710
kasan_report+0xad/0x110
__run_timers+0x173/0x710
__asan_store8+0x9c/0x140
__run_timers+0x173/0x710
call_timer_fn+0x310/0x310
pvclock_clocksource_read+0xfa/0x250
kvm_clock_read+0x2c/0x70
kvm_clock_get_cycles+0xd/0x20
ktime_get+0x5c/0x110
lapic_next_event+0x38/0x50
clockevents_program_event+0xf1/0x1e0
run_timer_softirq+0x49/0x90
__do_softirq+0x16e/0x62c
__irq_exit_rcu+0x1fa/0x270
irq_exit_rcu+0x12/0x20
sysvec_apic_timer_interrupt+0x8e/0xc0

One of the concurrency UAF can be shown as below:

use free
do_resume |
__find_device_hash_cell |
dm_get |
atomic_inc(&md->holders) |
| dm_destroy
| __dm_destroy
| if (!dm_suspended_md(md))
| atomic_read(&md->holders)
| msleep(1)
dm_resume |
__dm_resume |
dm_table_resume_targets |
pool_resume |
do_waker #add delay work |
dm_put |
atomic_dec(&md->holders) |
| dm_table_destroy
| pool_dtr
| __pool_dec
| __pool_destroy
| destroy_workqueue
| kfree(pool) # free pool
time out
__do_softirq
run_timer_softirq # pool has already been freed

This can be easily reproduced using:
1. create thin-pool
2. dmsetup suspend pool
3. dmsetup resume pool
4. dmsetup remove_all # Concurrent with 3

The root cause of this UAF bug is that dm_resume() adds timer after
dm_destroy() skips cancelling the timer because of suspend status.
After timeout, it will call run_timer_softirq(), however pool has
already been freed. The concurrency UAF bug will happen.

Therefore, cancelling timer again in __pool_destroy().

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/34cd15d83b7206188d440b29b68084fcafde9395
https://git.kernel.org/stable/c/34fe9c2251f19786a6689149a6212c6c0de1d63b
https://git.kernel.org/stable/c/550a4fac7ecfee5bac6a0dd772456ca62fb72f46
https://git.kernel.org/stable/c/7ae6aa649394e1e7f6dafb55ce0d578c0572a280
https://git.kernel.org/stable/c/7ee059d06a5d3c15465959e0472993e80fbe4e81
https://git.kernel.org/stable/c/88430ebcbc0ec637b710b947738839848c20feff
https://git.kernel.org/stable/c/94e231c9d6f2648d2f1f68e7f476e050ee0a6159
https://git.kernel.org/stable/c/d9971fa4d8bde63d49c743c1b32d12fbbd3a30bd
https://git.kernel.org/stable/c/e8b8e0d2bbf7d1172c4f435621418e29ee408d46
https://lore.kernel.org/linux-cve-announce/2025102207-CVE-2022-50563-995f@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2022-50563
https://www.cve.org/CVERecord?id=CVE-2022-50563

History

Thu, 23 Oct 2025 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025102207-CVE-2022-50563-995f@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2022-50563 https://www.cve.org/CVERecord?id=CVE-2022-50563
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Wed, 22 Oct 2025 13:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: dm thin: Fix UAF in run_timer_softirq() When dm_resume() and dm_destroy() are concurrent, it will lead to UAF, as follows: BUG: KASAN: use-after-free in __run_timers+0x173/0x710 Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0 <snip> Call Trace: <IRQ> dump_stack_lvl+0x73/0x9f print_report.cold+0x132/0xaa2 _raw_spin_lock_irqsave+0xcd/0x160 __run_timers+0x173/0x710 kasan_report+0xad/0x110 __run_timers+0x173/0x710 __asan_store8+0x9c/0x140 __run_timers+0x173/0x710 call_timer_fn+0x310/0x310 pvclock_clocksource_read+0xfa/0x250 kvm_clock_read+0x2c/0x70 kvm_clock_get_cycles+0xd/0x20 ktime_get+0x5c/0x110 lapic_next_event+0x38/0x50 clockevents_program_event+0xf1/0x1e0 run_timer_softirq+0x49/0x90 __do_softirq+0x16e/0x62c __irq_exit_rcu+0x1fa/0x270 irq_exit_rcu+0x12/0x20 sysvec_apic_timer_interrupt+0x8e/0xc0 One of the concurrency UAF can be shown as below: use free do_resume \| __find_device_hash_cell \| dm_get \| atomic_inc(&md->holders) \| \| dm_destroy \| __dm_destroy \| if (!dm_suspended_md(md)) \| atomic_read(&md->holders) \| msleep(1) dm_resume \| __dm_resume \| dm_table_resume_targets \| pool_resume \| do_waker #add delay work \| dm_put \| atomic_dec(&md->holders) \| \| dm_table_destroy \| pool_dtr \| __pool_dec \| __pool_destroy \| destroy_workqueue \| kfree(pool) # free pool time out __do_softirq run_timer_softirq # pool has already been freed This can be easily reproduced using: 1. create thin-pool 2. dmsetup suspend pool 3. dmsetup resume pool 4. dmsetup remove_all # Concurrent with 3 The root cause of this UAF bug is that dm_resume() adds timer after dm_destroy() skips cancelling the timer because of suspend status. After timeout, it will call run_timer_softirq(), however pool has already been freed. The concurrency UAF bug will happen. Therefore, cancelling timer again in __pool_destroy().
Title		dm thin: Fix UAF in run_timer_softirq()
References		https://git.kernel.org/stable/c/34cd15d83b7206188d440b29b68084fcafde9395 https://git.kernel.org/stable/c/34fe9c2251f19786a6689149a6212c6c0de1d63b https://git.kernel.org/stable/c/550a4fac7ecfee5bac6a0dd772456ca62fb72f46 https://git.kernel.org/stable/c/7ae6aa649394e1e7f6dafb55ce0d578c0572a280 https://git.kernel.org/stable/c/7ee059d06a5d3c15465959e0472993e80fbe4e81 https://git.kernel.org/stable/c/88430ebcbc0ec637b710b947738839848c20feff https://git.kernel.org/stable/c/94e231c9d6f2648d2f1f68e7f476e050ee0a6159 https://git.kernel.org/stable/c/d9971fa4d8bde63d49c743c1b32d12fbbd3a30bd https://git.kernel.org/stable/c/e8b8e0d2bbf7d1172c4f435621418e29ee408d46

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-10-22T13:23:22.080Z

Updated: 2025-10-22T13:23:22.080Z

Reserved: 2025-10-22T13:20:23.759Z

Link: CVE-2022-50563

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-10-22T14:15:41.067

Modified: 2025-10-22T21:12:48.953

Link: CVE-2022-50563

Redhat

Severity : Important

Publid Date: 2025-10-22T00:00:00Z

Links: CVE-2022-50563 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object