CVE-2022-50730 (GCVE-0-2022-50730)
Vulnerability from cvelistv5
Published
2025-12-24 12:22
Modified
2025-12-24 12:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: silence the warning when evicting inode with dioread_nolock
When evicting an inode with default dioread_nolock, it could be raced by
the unwritten extents converting kworker after writeback some new
allocated dirty blocks. It convert unwritten extents to written, the
extents could be merged to upper level and free extent blocks, so it
could mark the inode dirty again even this inode has been marked
I_FREEING. But the inode->i_io_list check and warning in
ext4_evict_inode() missing this corner case. Fortunately,
ext4_evict_inode() will wait all extents converting finished before this
check, so it will not lead to inode use-after-free problem, every thing
is OK besides this warning. The WARN_ON_ONCE was originally designed
for finding inode use-after-free issues in advance, but if we add
current dioread_nolock case in, it will become not quite useful, so fix
this warning by just remove this check.
======
WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227
ext4_evict_inode+0x875/0xc60
...
RIP: 0010:ext4_evict_inode+0x875/0xc60
...
Call Trace:
<TASK>
evict+0x11c/0x2b0
iput+0x236/0x3a0
do_unlinkat+0x1b4/0x490
__x64_sys_unlinkat+0x4c/0xb0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa933c1115b
======
rm kworker
ext4_end_io_end()
vfs_unlink()
ext4_unlink()
ext4_convert_unwritten_io_end_vec()
ext4_convert_unwritten_extents()
ext4_map_blocks()
ext4_ext_map_blocks()
ext4_ext_try_to_merge_up()
__mark_inode_dirty()
check !I_FREEING
locked_inode_to_wb_and_lock_list()
iput()
iput_final()
evict()
ext4_evict_inode()
truncate_inode_pages_final() //wait release io_end
inode_io_list_move_locked()
ext4_release_io_end()
trigger WARN_ON_ONCE()
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bdc698ce91f232fd5eb11d2373e9f82f687314b8",
"status": "affected",
"version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84",
"versionType": "git"
},
{
"lessThan": "0d041b7251c13679a0f6c7926751ce1d8a7237c1",
"status": "affected",
"version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84",
"versionType": "git"
},
{
"lessThan": "3b893cc9a8d8b4e486a6639f5e107b56b7197d2e",
"status": "affected",
"version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84",
"versionType": "git"
},
{
"lessThan": "b085fb43feede48ebf80ab7e2dd150c8d9902932",
"status": "affected",
"version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84",
"versionType": "git"
},
{
"lessThan": "bc12ac98ea2e1b70adc6478c8b473a0003b659d3",
"status": "affected",
"version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: silence the warning when evicting inode with dioread_nolock\n\nWhen evicting an inode with default dioread_nolock, it could be raced by\nthe unwritten extents converting kworker after writeback some new\nallocated dirty blocks. It convert unwritten extents to written, the\nextents could be merged to upper level and free extent blocks, so it\ncould mark the inode dirty again even this inode has been marked\nI_FREEING. But the inode-\u003ei_io_list check and warning in\next4_evict_inode() missing this corner case. Fortunately,\next4_evict_inode() will wait all extents converting finished before this\ncheck, so it will not lead to inode use-after-free problem, every thing\nis OK besides this warning. The WARN_ON_ONCE was originally designed\nfor finding inode use-after-free issues in advance, but if we add\ncurrent dioread_nolock case in, it will become not quite useful, so fix\nthis warning by just remove this check.\n\n ======\n WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227\n ext4_evict_inode+0x875/0xc60\n ...\n RIP: 0010:ext4_evict_inode+0x875/0xc60\n ...\n Call Trace:\n \u003cTASK\u003e\n evict+0x11c/0x2b0\n iput+0x236/0x3a0\n do_unlinkat+0x1b4/0x490\n __x64_sys_unlinkat+0x4c/0xb0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n RIP: 0033:0x7fa933c1115b\n ======\n\nrm kworker\n ext4_end_io_end()\nvfs_unlink()\n ext4_unlink()\n ext4_convert_unwritten_io_end_vec()\n ext4_convert_unwritten_extents()\n ext4_map_blocks()\n ext4_ext_map_blocks()\n ext4_ext_try_to_merge_up()\n __mark_inode_dirty()\n check !I_FREEING\n locked_inode_to_wb_and_lock_list()\n iput()\n iput_final()\n evict()\n ext4_evict_inode()\n truncate_inode_pages_final() //wait release io_end\n inode_io_list_move_locked()\n ext4_release_io_end()\n trigger WARN_ON_ONCE()"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:50.416Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bdc698ce91f232fd5eb11d2373e9f82f687314b8"
},
{
"url": "https://git.kernel.org/stable/c/0d041b7251c13679a0f6c7926751ce1d8a7237c1"
},
{
"url": "https://git.kernel.org/stable/c/3b893cc9a8d8b4e486a6639f5e107b56b7197d2e"
},
{
"url": "https://git.kernel.org/stable/c/b085fb43feede48ebf80ab7e2dd150c8d9902932"
},
{
"url": "https://git.kernel.org/stable/c/bc12ac98ea2e1b70adc6478c8b473a0003b659d3"
}
],
"title": "ext4: silence the warning when evicting inode with dioread_nolock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50730",
"datePublished": "2025-12-24T12:22:50.416Z",
"dateReserved": "2025-12-24T12:20:40.330Z",
"dateUpdated": "2025-12-24T12:22:50.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-50730\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T13:15:59.667\",\"lastModified\":\"2025-12-24T13:15:59.667\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: silence the warning when evicting inode with dioread_nolock\\n\\nWhen evicting an inode with default dioread_nolock, it could be raced by\\nthe unwritten extents converting kworker after writeback some new\\nallocated dirty blocks. It convert unwritten extents to written, the\\nextents could be merged to upper level and free extent blocks, so it\\ncould mark the inode dirty again even this inode has been marked\\nI_FREEING. But the inode-\u003ei_io_list check and warning in\\next4_evict_inode() missing this corner case. Fortunately,\\next4_evict_inode() will wait all extents converting finished before this\\ncheck, so it will not lead to inode use-after-free problem, every thing\\nis OK besides this warning. The WARN_ON_ONCE was originally designed\\nfor finding inode use-after-free issues in advance, but if we add\\ncurrent dioread_nolock case in, it will become not quite useful, so fix\\nthis warning by just remove this check.\\n\\n ======\\n WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227\\n ext4_evict_inode+0x875/0xc60\\n ...\\n RIP: 0010:ext4_evict_inode+0x875/0xc60\\n ...\\n Call Trace:\\n \u003cTASK\u003e\\n evict+0x11c/0x2b0\\n iput+0x236/0x3a0\\n do_unlinkat+0x1b4/0x490\\n __x64_sys_unlinkat+0x4c/0xb0\\n do_syscall_64+0x3b/0x90\\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\\n RIP: 0033:0x7fa933c1115b\\n ======\\n\\nrm kworker\\n ext4_end_io_end()\\nvfs_unlink()\\n ext4_unlink()\\n ext4_convert_unwritten_io_end_vec()\\n ext4_convert_unwritten_extents()\\n ext4_map_blocks()\\n ext4_ext_map_blocks()\\n ext4_ext_try_to_merge_up()\\n __mark_inode_dirty()\\n check !I_FREEING\\n locked_inode_to_wb_and_lock_list()\\n iput()\\n iput_final()\\n evict()\\n ext4_evict_inode()\\n truncate_inode_pages_final() //wait release io_end\\n inode_io_list_move_locked()\\n ext4_release_io_end()\\n trigger WARN_ON_ONCE()\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0d041b7251c13679a0f6c7926751ce1d8a7237c1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3b893cc9a8d8b4e486a6639f5e107b56b7197d2e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b085fb43feede48ebf80ab7e2dd150c8d9902932\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bc12ac98ea2e1b70adc6478c8b473a0003b659d3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bdc698ce91f232fd5eb11d2373e9f82f687314b8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…