{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50652","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-08T23:57:43.371Z","datePublished":"2025-12-09T00:00:26.593Z","dateUpdated":"2026-05-11T19:22:59.294Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:22:59.294Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nuio: uio_dmem_genirq: Fix missing unlock in irq configuration\n\nCommit b74351287d4b (\"uio: fix a sleep-in-atomic-context bug in\nuio_dmem_genirq_irqcontrol()\") started calling disable_irq() without\nholding the spinlock because it can sleep. However, that fix introduced\nanother bug: if interrupt is already disabled and a new disable request\ncomes in, then the spinlock is not unlocked:\n\nroot@localhost:~# printf '\\x00\\x00\\x00\\x00' > /dev/uio0\nroot@localhost:~# printf '\\x00\\x00\\x00\\x00' > /dev/uio0\nroot@localhost:~# [   14.851538] BUG: scheduling while atomic: bash/223/0x00000002\n[   14.851991] Modules linked in: uio_dmem_genirq uio myfpga(OE) bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper drm snd_pcm ppdev joydev psmouse snd_timer snd e1000fb_sys_fops syscopyarea parport sysfillrect soundcore sysimgblt input_leds pcspkr i2c_piix4 serio_raw floppy evbug qemu_fw_cfg mac_hid pata_acpi ip_tables x_tables autofs4 [last unloaded: parport_pc]\n[   14.854206] CPU: 0 PID: 223 Comm: bash Tainted: G           OE      6.0.0-rc7 #21\n[   14.854786] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[   14.855664] Call Trace:\n[   14.855861]  <TASK>\n[   14.856025]  dump_stack_lvl+0x4d/0x67\n[   14.856325]  dump_stack+0x14/0x1a\n[   14.856583]  __schedule_bug.cold+0x4b/0x5c\n[   14.856915]  __schedule+0xe81/0x13d0\n[   14.857199]  ? idr_find+0x13/0x20\n[   14.857456]  ? get_work_pool+0x2d/0x50\n[   14.857756]  ? __flush_work+0x233/0x280\n[   14.858068]  ? __schedule+0xa95/0x13d0\n[   14.858307]  ? idr_find+0x13/0x20\n[   14.858519]  ? get_work_pool+0x2d/0x50\n[   14.858798]  schedule+0x6c/0x100\n[   14.859009]  schedule_hrtimeout_range_clock+0xff/0x110\n[   14.859335]  ? tty_write_room+0x1f/0x30\n[   14.859598]  ? n_tty_poll+0x1ec/0x220\n[   14.859830]  ? tty_ldisc_deref+0x1a/0x20\n[   14.860090]  schedule_hrtimeout_range+0x17/0x20\n[   14.860373]  do_select+0x596/0x840\n[   14.860627]  ? __kernel_text_address+0x16/0x50\n[   14.860954]  ? poll_freewait+0xb0/0xb0\n[   14.861235]  ? poll_freewait+0xb0/0xb0\n[   14.861517]  ? rpm_resume+0x49d/0x780\n[   14.861798]  ? common_interrupt+0x59/0xa0\n[   14.862127]  ? asm_common_interrupt+0x2b/0x40\n[   14.862511]  ? __uart_start.isra.0+0x61/0x70\n[   14.862902]  ? __check_object_size+0x61/0x280\n[   14.863255]  core_sys_select+0x1c6/0x400\n[   14.863575]  ? vfs_write+0x1c9/0x3d0\n[   14.863853]  ? vfs_write+0x1c9/0x3d0\n[   14.864121]  ? _copy_from_user+0x45/0x70\n[   14.864526]  do_pselect.constprop.0+0xb3/0xf0\n[   14.864893]  ? do_syscall_64+0x6d/0x90\n[   14.865228]  ? do_syscall_64+0x6d/0x90\n[   14.865556]  __x64_sys_pselect6+0x76/0xa0\n[   14.865906]  do_syscall_64+0x60/0x90\n[   14.866214]  ? syscall_exit_to_user_mode+0x2a/0x50\n[   14.866640]  ? do_syscall_64+0x6d/0x90\n[   14.866972]  ? do_syscall_64+0x6d/0x90\n[   14.867286]  ? do_syscall_64+0x6d/0x90\n[   14.867626]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...] stripped\n[   14.872959]  </TASK>\n\n('myfpga' is a simple 'uio_dmem_genirq' driver I wrote to test this)\n\nThe implementation of \"uio_dmem_genirq\" was based on \"uio_pdrv_genirq\" and\nit is used in a similar manner to the \"uio_pdrv_genirq\" driver with respect\nto interrupt configuration and handling. At the time \"uio_dmem_genirq\" was\nintroduced, both had the same implementation of the 'uio_info' handlers\nirqcontrol() and handler(). Then commit 34cb27528398 (\"UIO: Fix concurrency\nissue\"), which was only applied to \"uio_pdrv_genirq\", ended up making them\na little different. That commit, among other things, changed disable_irq()\nto disable_irq_nosync() in the implementation of irqcontrol(). The\nmotivation there was to avoid a deadlock between irqcontrol() and\nhandler(), since it added a spinlock in the irq handler, and disable_irq()\nwaits for the completion of the irq handler.\n\nBy changing disable_irq() to disable_irq_nosync() in irqcontrol(), we also\navoid the sleeping-whil\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/uio/uio_dmem_genirq.c"],"versions":[{"version":"b77fa964ecb1d72a671234f5bea95b41f77c233a","lessThan":"9977cb7af5a8f4738198b020436e2e56c5cd721e","status":"affected","versionType":"git"},{"version":"0151b03f43f2d295a6949454434074b34a262e06","lessThan":"a323d24a0183be730d2398b11b3a91e5c2e222a0","status":"affected","versionType":"git"},{"version":"ea6b7b1d58790ffb36bace723f6e62a1c8595c77","lessThan":"ac5585bb06a2e82177269bee93e59887ce591106","status":"affected","versionType":"git"},{"version":"750a95d63746458e86c6d92dfad48a05c64d0ecd","lessThan":"eca77a25a7cb3201738f4b55b9b8fa1089d7d002","status":"affected","versionType":"git"},{"version":"b74351287d4bd90636c3f48bc188c2f53824c2d4","lessThan":"9bf7a0b2b15cd12e15f7858072bd89933746de67","status":"affected","versionType":"git"},{"version":"b74351287d4bd90636c3f48bc188c2f53824c2d4","lessThan":"79a4bdb6b9920134af1a4738a1fa36a0438cd905","status":"affected","versionType":"git"},{"version":"b74351287d4bd90636c3f48bc188c2f53824c2d4","lessThan":"030b6c7bb1e4edebaee2b1e48fbcc9cd5998d51d","status":"affected","versionType":"git"},{"version":"b74351287d4bd90636c3f48bc188c2f53824c2d4","lessThan":"ee180e867ce4b2f744799247b81050b3e5dd62cd","status":"affected","versionType":"git"},{"version":"b74351287d4bd90636c3f48bc188c2f53824c2d4","lessThan":"9de255c461d1b3f0242b3ad1450c3323a3e00b34","status":"affected","versionType":"git"},{"version":"4a117a1c581623d04bf09aa7455d8e7b66e8bb85","status":"affected","versionType":"git"},{"version":"1d52cd8b52876145b0f6344be95fc750e30d9ecb","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/uio/uio_dmem_genirq.c"],"versions":[{"version":"5.6","status":"affected"},{"version":"0","lessThan":"5.6","status":"unaffected","versionType":"semver"},{"version":"4.9.337","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.303","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.270","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.229","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.163","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.86","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.16","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1.2","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.215","versionEndExcluding":"4.9.337"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.172","versionEndExcluding":"4.14.303"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.106","versionEndExcluding":"4.19.270"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.22","versionEndExcluding":"5.4.229"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"5.10.163"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"5.15.86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"6.0.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"6.1.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"6.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.215"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5.6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9977cb7af5a8f4738198b020436e2e56c5cd721e"},{"url":"https://git.kernel.org/stable/c/a323d24a0183be730d2398b11b3a91e5c2e222a0"},{"url":"https://git.kernel.org/stable/c/ac5585bb06a2e82177269bee93e59887ce591106"},{"url":"https://git.kernel.org/stable/c/eca77a25a7cb3201738f4b55b9b8fa1089d7d002"},{"url":"https://git.kernel.org/stable/c/9bf7a0b2b15cd12e15f7858072bd89933746de67"},{"url":"https://git.kernel.org/stable/c/79a4bdb6b9920134af1a4738a1fa36a0438cd905"},{"url":"https://git.kernel.org/stable/c/030b6c7bb1e4edebaee2b1e48fbcc9cd5998d51d"},{"url":"https://git.kernel.org/stable/c/ee180e867ce4b2f744799247b81050b3e5dd62cd"},{"url":"https://git.kernel.org/stable/c/9de255c461d1b3f0242b3ad1450c3323a3e00b34"}],"title":"uio: uio_dmem_genirq: Fix missing unlock in irq configuration","x_generator":{"engine":"bippy-1.2.0"}}}}