VYPR
← All advisories
Unrated severityNVD Advisory· Published Oct 22, 2025· Updated Apr 15, 2026

CVE-2022-50563

CVE-2022-50563

Description

In the Linux kernel, the following vulnerability has been resolved:

dm thin: Fix UAF in run_timer_softirq()

When dm_resume() and dm_destroy() are concurrent, it will lead to UAF, as follows:

BUG: KASAN: use-after-free in __run_timers+0x173/0x710 Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0

Call Trace:

dump_stack_lvl+0x73/0x9f print_report.cold+0x132/0xaa2 _raw_spin_lock_irqsave+0xcd/0x160 __run_timers+0x173/0x710 kasan_report+0xad/0x110 __run_timers+0x173/0x710 __asan_store8+0x9c/0x140 __run_timers+0x173/0x710 call_timer_fn+0x310/0x310 pvclock_clocksource_read+0xfa/0x250 kvm_clock_read+0x2c/0x70 kvm_clock_get_cycles+0xd/0x20 ktime_get+0x5c/0x110 lapic_next_event+0x38/0x50 clockevents_program_event+0xf1/0x1e0 run_timer_softirq+0x49/0x90 __do_softirq+0x16e/0x62c __irq_exit_rcu+0x1fa/0x270 irq_exit_rcu+0x12/0x20 sysvec_apic_timer_interrupt+0x8e/0xc0

One of the concurrency UAF can be shown as below:

use free do_resume | __find_device_hash_cell | dm_get | atomic_inc(&md->holders) | | dm_destroy | __dm_destroy | if (!dm_suspended_md(md)) | atomic_read(&md->holders) | msleep(1) dm_resume | __dm_resume | dm_table_resume_targets | pool_resume | do_waker #add delay work | dm_put | atomic_dec(&md->holders) | | dm_table_destroy | pool_dtr | __pool_dec | __pool_destroy | destroy_workqueue | kfree(pool) # free pool time out __do_softirq run_timer_softirq # pool has already been freed

This can be easily reproduced using: 1. create thin-pool 2. dmsetup suspend pool 3. dmsetup resume pool 4. dmsetup remove_all # Concurrent with 3

The root cause of this UAF bug is that dm_resume() adds timer after dm_destroy() skips cancelling the timer because of suspend status. After timeout, it will call run_timer_softirq(), however pool has already been freed. The concurrency UAF bug will happen.

Therefore, cancelling timer again in __pool_destroy().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel's dm-thin target occurs when dm_resume and dm_destroy race, leading to a write in __run_timers.

Vulnerability

CVE-2022-50563 is a use-after-free vulnerability in the Linux kernel's device-mapper thin provisioning (dm-thin) target. The root cause is a race condition between dm_resume() and dm_destroy() operations. When these two code paths execute concurrently, a workqueue timer (do_waker) can be armed during resume but later executed after its associated pool metadata structures have been freed during destroy. This results in a write to freed memory, observed as a KASAN use-after-free report in __run_timers during softirq processing [1][2].

Exploitation

An attacker would need the ability to trigger concurrent dm_resume (requiring sufficient privileges to manipulate device-mapper devices) and dm_destroy calls on the same DM device. The attack surface is limited to local users with enough access to control device-mapper thin provisioning targets. No authentication is required beyond standard system access; the race window is narrow but exploitable if an attacker can precisely time the two operations.

Impact

Successful exploitation allows an attacker to write controlled data to freed kernel memory, which can lead to arbitrary code execution in kernel context. Because the vulnerability occurs in a timer softirq handler, the attacker gains the ability to corrupt timer list data structures, potentially enabling privilege escalation or denial of service.

Mitigation

The Linux kernel stable tree has backported the fix across multiple versions [1][2][3][4]. The patch addresses the race by ensuring the workqueue is properly canceled or drained before the pool is torn down. System administrators should apply the relevant kernel update as soon as possible.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!
  4. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

9
7ee059d06a5d
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
550a4fac7ecf
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
e8b8e0d2bbf7
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
7ae6aa649394
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
34fe9c2251f1
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
34cd15d83b72
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
94e231c9d6f2
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
d9971fa4d8bd
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
88430ebcbc0e
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.