{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50563","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-10-22T13:20:23.759Z","datePublished":"2025-10-22T13:23:22.080Z","dateUpdated":"2026-05-11T19:21:50.626Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:21:50.626Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: Fix UAF in run_timer_softirq()\n\nWhen dm_resume() and dm_destroy() are concurrent, it will\nlead to UAF, as follows:\n\n BUG: KASAN: use-after-free in __run_timers+0x173/0x710\n Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0\n<snip>\n Call Trace:\n  <IRQ>\n  dump_stack_lvl+0x73/0x9f\n  print_report.cold+0x132/0xaa2\n  _raw_spin_lock_irqsave+0xcd/0x160\n  __run_timers+0x173/0x710\n  kasan_report+0xad/0x110\n  __run_timers+0x173/0x710\n  __asan_store8+0x9c/0x140\n  __run_timers+0x173/0x710\n  call_timer_fn+0x310/0x310\n  pvclock_clocksource_read+0xfa/0x250\n  kvm_clock_read+0x2c/0x70\n  kvm_clock_get_cycles+0xd/0x20\n  ktime_get+0x5c/0x110\n  lapic_next_event+0x38/0x50\n  clockevents_program_event+0xf1/0x1e0\n  run_timer_softirq+0x49/0x90\n  __do_softirq+0x16e/0x62c\n  __irq_exit_rcu+0x1fa/0x270\n  irq_exit_rcu+0x12/0x20\n  sysvec_apic_timer_interrupt+0x8e/0xc0\n\nOne of the concurrency UAF can be shown as below:\n\n        use                                  free\ndo_resume                           |\n  __find_device_hash_cell           |\n    dm_get                          |\n      atomic_inc(&md->holders)      |\n                                    | dm_destroy\n                                    |   __dm_destroy\n                                    |     if (!dm_suspended_md(md))\n                                    |     atomic_read(&md->holders)\n                                    |     msleep(1)\n  dm_resume                         |\n    __dm_resume                     |\n      dm_table_resume_targets       |\n        pool_resume                 |\n          do_waker  #add delay work |\n  dm_put                            |\n    atomic_dec(&md->holders)        |\n                                    |     dm_table_destroy\n                                    |       pool_dtr\n                                    |         __pool_dec\n                                    |           __pool_destroy\n                                    |             destroy_workqueue\n                                    |             kfree(pool) # free pool\n        time out\n__do_softirq\n  run_timer_softirq # pool has already been freed\n\nThis can be easily reproduced using:\n  1. create thin-pool\n  2. dmsetup suspend pool\n  3. dmsetup resume pool\n  4. dmsetup remove_all # Concurrent with 3\n\nThe root cause of this UAF bug is that dm_resume() adds timer after\ndm_destroy() skips cancelling the timer because of suspend status.\nAfter timeout, it will call run_timer_softirq(), however pool has\nalready been freed. The concurrency UAF bug will happen.\n\nTherefore, cancelling timer again in __pool_destroy()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/md/dm-thin.c"],"versions":[{"version":"991d9fa02da0dd1f843dc011376965e0c8c6c9b5","lessThan":"7ee059d06a5d3c15465959e0472993e80fbe4e81","status":"affected","versionType":"git"},{"version":"991d9fa02da0dd1f843dc011376965e0c8c6c9b5","lessThan":"550a4fac7ecfee5bac6a0dd772456ca62fb72f46","status":"affected","versionType":"git"},{"version":"991d9fa02da0dd1f843dc011376965e0c8c6c9b5","lessThan":"e8b8e0d2bbf7d1172c4f435621418e29ee408d46","status":"affected","versionType":"git"},{"version":"991d9fa02da0dd1f843dc011376965e0c8c6c9b5","lessThan":"7ae6aa649394e1e7f6dafb55ce0d578c0572a280","status":"affected","versionType":"git"},{"version":"991d9fa02da0dd1f843dc011376965e0c8c6c9b5","lessThan":"34fe9c2251f19786a6689149a6212c6c0de1d63b","status":"affected","versionType":"git"},{"version":"991d9fa02da0dd1f843dc011376965e0c8c6c9b5","lessThan":"34cd15d83b7206188d440b29b68084fcafde9395","status":"affected","versionType":"git"},{"version":"991d9fa02da0dd1f843dc011376965e0c8c6c9b5","lessThan":"94e231c9d6f2648d2f1f68e7f476e050ee0a6159","status":"affected","versionType":"git"},{"version":"991d9fa02da0dd1f843dc011376965e0c8c6c9b5","lessThan":"d9971fa4d8bde63d49c743c1b32d12fbbd3a30bd","status":"affected","versionType":"git"},{"version":"991d9fa02da0dd1f843dc011376965e0c8c6c9b5","lessThan":"88430ebcbc0ec637b710b947738839848c20feff","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/md/dm-thin.c"],"versions":[{"version":"3.2","status":"affected"},{"version":"0","lessThan":"3.2","status":"unaffected","versionType":"semver"},{"version":"4.9.337","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.303","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.270","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.229","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.163","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.87","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.18","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1.4","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"4.9.337"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"4.14.303"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"4.19.270"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"5.4.229"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"5.10.163"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"5.15.87"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"6.0.18"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"6.1.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"6.2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7ee059d06a5d3c15465959e0472993e80fbe4e81"},{"url":"https://git.kernel.org/stable/c/550a4fac7ecfee5bac6a0dd772456ca62fb72f46"},{"url":"https://git.kernel.org/stable/c/e8b8e0d2bbf7d1172c4f435621418e29ee408d46"},{"url":"https://git.kernel.org/stable/c/7ae6aa649394e1e7f6dafb55ce0d578c0572a280"},{"url":"https://git.kernel.org/stable/c/34fe9c2251f19786a6689149a6212c6c0de1d63b"},{"url":"https://git.kernel.org/stable/c/34cd15d83b7206188d440b29b68084fcafde9395"},{"url":"https://git.kernel.org/stable/c/94e231c9d6f2648d2f1f68e7f476e050ee0a6159"},{"url":"https://git.kernel.org/stable/c/d9971fa4d8bde63d49c743c1b32d12fbbd3a30bd"},{"url":"https://git.kernel.org/stable/c/88430ebcbc0ec637b710b947738839848c20feff"}],"title":"dm thin: Fix UAF in run_timer_softirq()","x_generator":{"engine":"bippy-1.2.0"}}}}