ghsa-2rmr-vqgp-f8jv
Vulnerability from github
Published: 2025-10-07 18:31
Modified: 2025-10-07 18:31
Details

In the Linux kernel, the following vulnerability has been resolved:

dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata

Following concurrent processes:

          P1(drop cache)                P2(kworker)
drop_caches_sysctl_handler
 drop_slab
  shrink_slab
   down_read(&shrinker_rwsem)  - LOCK A
   do_shrink_slab
    super_cache_scan
     prune_icache_sb
      dispose_list
       evict
        ext4_evict_inode
         ext4_clear_inode
          ext4_discard_preallocations
           ext4_mb_load_buddy_gfp
            ext4_mb_init_cache
             ext4_read_block_bitmap_nowait
              ext4_read_bh_nowait
               submit_bh
                dm_submit_bio
                                 do_worker
                                  process_deferred_bios
                                   commit
                                    metadata_operation_failed
                                     dm_pool_abort_metadata
                                      down_write(&pmd->root_lock) - LOCK B
                                      __destroy_persistent_data_objects
                                       dm_block_manager_destroy
                                        dm_bufio_client_destroy
                                         unregister_shrinker
                                          down_write(&shrinker_rwsem)
                 thin_map                            |
                  dm_thin_find_block                 ↓
                   down_read(&pmd->root_lock) --> ABBA deadlock

, which triggers hung task:

[   76.974820] INFO: task kworker/u4:3:63 blocked for more than 15 seconds.
[   76.976019]       Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910
[   76.978521] task:kworker/u4:3    state:D stack:0     pid:63    ppid:2
[   76.978534] Workqueue: dm-thin do_worker
[   76.978552] Call Trace:
[   76.978564]  __schedule+0x6ba/0x10f0
[   76.978582]  schedule+0x9d/0x1e0
[   76.978588]  rwsem_down_write_slowpath+0x587/0xdf0
[   76.978600]  down_write+0xec/0x110
[   76.978607]  unregister_shrinker+0x2c/0xf0
[   76.978616]  dm_bufio_client_destroy+0x116/0x3d0
[   76.978625]  dm_block_manager_destroy+0x19/0x40
[   76.978629]  __destroy_persistent_data_objects+0x5e/0x70
[   76.978636]  dm_pool_abort_metadata+0x8e/0x100
[   76.978643]  metadata_operation_failed+0x86/0x110
[   76.978649]  commit+0x6a/0x230
[   76.978655]  do_worker+0xc6e/0xd90
[   76.978702]  process_one_work+0x269/0x630
[   76.978714]  worker_thread+0x266/0x630
[   76.978730]  kthread+0x151/0x1b0
[   76.978772] INFO: task test.sh:2646 blocked for more than 15 seconds.
[   76.979756]       Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910
[   76.982111] task:test.sh         state:D stack:0     pid:2646  ppid:2459
[   76.982128] Call Trace:
[   76.982139]  __schedule+0x6ba/0x10f0
[   76.982155]  schedule+0x9d/0x1e0
[   76.982159]  rwsem_down_read_slowpath+0x4f4/0x910
[   76.982173]  down_read+0x84/0x170
[   76.982177]  dm_thin_find_block+0x4c/0xd0
[   76.982183]  thin_map+0x201/0x3d0
[   76.982188]  __map_bio+0x5b/0x350
[   76.982195]  dm_submit_bio+0x2b6/0x930
[   76.982202]  __submit_bio+0x123/0x2d0
[   76.982209]  submit_bio_noacct_nocheck+0x101/0x3e0
[   76.982222]  submit_bio_noacct+0x389/0x770
[   76.982227]  submit_bio+0x50/0xc0
[   76.982232]  submit_bh_wbc+0x15e/0x230
[   76.982238]  submit_bh+0x14/0x20
[   76.982241]  ext4_read_bh_nowait+0xc5/0x130
[   76.982247]  ext4_read_block_bitmap_nowait+0x340/0xc60
[   76.982254]  ext4_mb_init_cache+0x1ce/0xdc0
[   76.982259]  ext4_mb_load_buddy_gfp+0x987/0xfa0
[   76.982263]  ext4_discard_preallocations+0x45d/0x830
[   76.982274]  ext4_clear_inode+0x48/0xf0
[   76.982280]  ext4_evict_inode+0xcf/0xc70
[   76.982285]  evict+0x119/0x2b0
[   76.982290]  dispose_list+0x43/0xa0
[   76.982294]  prune_icache_sb+0x64/0x90
[   76.982298]  super_cache_scan+0x155/0x210
[   76.982303]  do_shrink_slab+0x19e/0x4e0
[   76.982310]  shrink_slab+0x2bd/0x450
[   76.982317]  drop_slab+0xcc/0x1a0
[   76.982323]  drop_caches_sysctl_handler+0xb7/0xe0
[   76.982327]  proc_sys_call_handler+0x1bc/0x300
[   76.982331]  proc_sys_write+0x17/0x20
[   76.982334]  vfs_write+0x3d3/0x570
[   76.982342]  ksys_write+0x73/0x160
[   76.982347]  __x64_sys_write+0x1e/0x30
[   76.982352]  do_syscall_64+0x35/0x80
[   76.982357]  entry_SYSCALL_64_after_hwframe+0x63/0xcd

Funct ---truncated---



{
  "affected": [],
  "aliases": [
    "CVE-2022-50549"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-07T16:15:39Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata\n\nFollowing concurrent processes:\n\n          P1(drop cache)                P2(kworker)\ndrop_caches_sysctl_handler\n drop_slab\n  shrink_slab\n   down_read(\u0026shrinker_rwsem)  - LOCK A\n   do_shrink_slab\n    super_cache_scan\n     prune_icache_sb\n      dispose_list\n       evict\n        ext4_evict_inode\n\t ext4_clear_inode\n\t  ext4_discard_preallocations\n\t   ext4_mb_load_buddy_gfp\n\t    ext4_mb_init_cache\n\t     ext4_read_block_bitmap_nowait\n\t      ext4_read_bh_nowait\n\t       submit_bh\n\t        dm_submit_bio\n\t\t                 do_worker\n\t\t\t\t  process_deferred_bios\n\t\t\t\t   commit\n\t\t\t\t    metadata_operation_failed\n\t\t\t\t     dm_pool_abort_metadata\n\t\t\t\t      down_write(\u0026pmd-\u003eroot_lock) - LOCK B\n\t\t                      __destroy_persistent_data_objects\n\t\t\t\t       dm_block_manager_destroy\n\t\t\t\t        dm_bufio_client_destroy\n\t\t\t\t         unregister_shrinker\n\t\t\t\t\t  down_write(\u0026shrinker_rwsem)\n\t\t thin_map                            |\n\t\t  dm_thin_find_block                 \u2193\n\t\t   down_read(\u0026pmd-\u003eroot_lock) --\u003e ABBA deadlock\n\n, which triggers hung task:\n\n[   76.974820] INFO: task kworker/u4:3:63 blocked for more than 15 seconds.\n[   76.976019]       Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910\n[   76.978521] task:kworker/u4:3    state:D stack:0     pid:63    ppid:2\n[   76.978534] Workqueue: dm-thin do_worker\n[   76.978552] Call Trace:\n[   76.978564]  __schedule+0x6ba/0x10f0\n[   76.978582]  schedule+0x9d/0x1e0\n[   76.978588]  rwsem_down_write_slowpath+0x587/0xdf0\n[   76.978600]  down_write+0xec/0x110\n[   76.978607]  unregister_shrinker+0x2c/0xf0\n[   76.978616]  dm_bufio_client_destroy+0x116/0x3d0\n[   76.978625]  dm_block_manager_destroy+0x19/0x40\n[   76.978629]  __destroy_persistent_data_objects+0x5e/0x70\n[   76.978636]  dm_pool_abort_metadata+0x8e/0x100\n[   76.978643]  metadata_operation_failed+0x86/0x110\n[   76.978649]  commit+0x6a/0x230\n[   76.978655]  do_worker+0xc6e/0xd90\n[   76.978702]  process_one_work+0x269/0x630\n[   76.978714]  worker_thread+0x266/0x630\n[   76.978730]  kthread+0x151/0x1b0\n[   76.978772] INFO: task test.sh:2646 blocked for more than 15 seconds.\n[   76.979756]       Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910\n[   76.982111] task:test.sh         state:D stack:0     pid:2646  ppid:2459\n[   76.982128] Call Trace:\n[   76.982139]  __schedule+0x6ba/0x10f0\n[   76.982155]  schedule+0x9d/0x1e0\n[   76.982159]  rwsem_down_read_slowpath+0x4f4/0x910\n[   76.982173]  down_read+0x84/0x170\n[   76.982177]  dm_thin_find_block+0x4c/0xd0\n[   76.982183]  thin_map+0x201/0x3d0\n[   76.982188]  __map_bio+0x5b/0x350\n[   76.982195]  dm_submit_bio+0x2b6/0x930\n[   76.982202]  __submit_bio+0x123/0x2d0\n[   76.982209]  submit_bio_noacct_nocheck+0x101/0x3e0\n[   76.982222]  submit_bio_noacct+0x389/0x770\n[   76.982227]  submit_bio+0x50/0xc0\n[   76.982232]  submit_bh_wbc+0x15e/0x230\n[   76.982238]  submit_bh+0x14/0x20\n[   76.982241]  ext4_read_bh_nowait+0xc5/0x130\n[   76.982247]  ext4_read_block_bitmap_nowait+0x340/0xc60\n[   76.982254]  ext4_mb_init_cache+0x1ce/0xdc0\n[   76.982259]  ext4_mb_load_buddy_gfp+0x987/0xfa0\n[   76.982263]  ext4_discard_preallocations+0x45d/0x830\n[   76.982274]  ext4_clear_inode+0x48/0xf0\n[   76.982280]  ext4_evict_inode+0xcf/0xc70\n[   76.982285]  evict+0x119/0x2b0\n[   76.982290]  dispose_list+0x43/0xa0\n[   76.982294]  prune_icache_sb+0x64/0x90\n[   76.982298]  super_cache_scan+0x155/0x210\n[   76.982303]  do_shrink_slab+0x19e/0x4e0\n[   76.982310]  shrink_slab+0x2bd/0x450\n[   76.982317]  drop_slab+0xcc/0x1a0\n[   76.982323]  drop_caches_sysctl_handler+0xb7/0xe0\n[   76.982327]  proc_sys_call_handler+0x1bc/0x300\n[   76.982331]  proc_sys_write+0x17/0x20\n[   76.982334]  vfs_write+0x3d3/0x570\n[   76.982342]  ksys_write+0x73/0x160\n[   76.982347]  __x64_sys_write+0x1e/0x30\n[   76.982352]  do_syscall_64+0x35/0x80\n[   76.982357]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFunct\n---truncated---",
  "id": "GHSA-2rmr-vqgp-f8jv",
  "modified": "2025-10-07T18:31:09Z",
  "published": "2025-10-07T18:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50549"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/200aa33b5d781e7c0fa6c0c7db9dbcc3f574ce8f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2d891cc5a1706b6908bceb56af7176a463ee6d62"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e37578069737b04955c71dd85db8a3bc2709eff"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8111964f1b8524c4bb56b02cd9c7a37725ea21fd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cdf7a39bcc427febbfe3c3b9fe829825ead96c27"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f8c26c33fef588ee54852cffa7cbb9f9d9869405"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

