lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025100708-CVE-2022-50534-8900@gregkh>
Date: Tue,  7 Oct 2025 17:19:21 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50534: dm thin: Use last transaction's pmd->root when commit failed

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

dm thin: Use last transaction's pmd->root when commit failed

Recently we found a softlock up problem in dm thin pool btree lookup
code due to corrupted metadata:

 Kernel panic - not syncing: softlockup: hung tasks
 CPU: 7 PID: 2669225 Comm: kworker/u16:3
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
 Workqueue: dm-thin do_worker [dm_thin_pool]
 Call Trace:
   <IRQ>
   dump_stack+0x9c/0xd3
   panic+0x35d/0x6b9
   watchdog_timer_fn.cold+0x16/0x25
   __run_hrtimer+0xa2/0x2d0
   </IRQ>
   RIP: 0010:__relink_lru+0x102/0x220 [dm_bufio]
   __bufio_new+0x11f/0x4f0 [dm_bufio]
   new_read+0xa3/0x1e0 [dm_bufio]
   dm_bm_read_lock+0x33/0xd0 [dm_persistent_data]
   ro_step+0x63/0x100 [dm_persistent_data]
   btree_lookup_raw.constprop.0+0x44/0x220 [dm_persistent_data]
   dm_btree_lookup+0x16f/0x210 [dm_persistent_data]
   dm_thin_find_block+0x12c/0x210 [dm_thin_pool]
   __process_bio_read_only+0xc5/0x400 [dm_thin_pool]
   process_thin_deferred_bios+0x1a4/0x4a0 [dm_thin_pool]
   process_one_work+0x3c5/0x730

Following process may generate a broken btree mixed with fresh and
stale btree nodes, which could get dm thin trapped in an infinite loop
while looking up data block:
 Transaction 1: pmd->root = A, A->B->C   // One path in btree
                pmd->root = X, X->Y->Z   // Copy-up
 Transaction 2: X,Z is updated on disk, Y write failed.
                // Commit failed, dm thin becomes read-only.
                process_bio_read_only
		 dm_thin_find_block
		  __find_block
		   dm_btree_lookup(pmd->root)
The pmd->root points to a broken btree, Y may contain stale node
pointing to any block, for example X, which gets dm thin trapped into
a dead loop while looking up Z.

Fix this by setting pmd->root in __open_metadata(), so that dm thin
will use the last transaction's pmd->root if commit failed.

Fetch a reproducer in [Link].

Linke: https://bugzilla.kernel.org/show_bug.cgi?id=216790

The Linux kernel CVE team has assigned CVE-2022-50534 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 4.9.337 with commit b35a22760aa5008d82533e59b0f0b5eb1b02d4e5
	Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 4.14.303 with commit 87d69b8824ca9b090f5a8ed47f758e8f6eecb871
	Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 4.19.270 with commit 3db757ffdd87ed8d7118b2250236a496502a660f
	Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 5.4.229 with commit f758987ff0af3a4b5ee69e95cab6a5294e4367b0
	Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 5.10.163 with commit 94f01ecc2aa0be992865acc80ebb6701f731f955
	Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 5.15.87 with commit 4b710e8481ade7c9200e94d3018e99dc42a0a0e8
	Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 6.0.18 with commit a63ce4eca86fd207e3db07c00fb7ccf4adf1b230
	Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 6.1.4 with commit b91f481300e3a10eaf66b94fc39b740928762aaf
	Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 6.2 with commit 7991dbff6849f67e823b7cc0c15e5a90b0549b9f

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-50534
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/md/dm-thin-metadata.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/b35a22760aa5008d82533e59b0f0b5eb1b02d4e5
	https://git.kernel.org/stable/c/87d69b8824ca9b090f5a8ed47f758e8f6eecb871
	https://git.kernel.org/stable/c/3db757ffdd87ed8d7118b2250236a496502a660f
	https://git.kernel.org/stable/c/f758987ff0af3a4b5ee69e95cab6a5294e4367b0
	https://git.kernel.org/stable/c/94f01ecc2aa0be992865acc80ebb6701f731f955
	https://git.kernel.org/stable/c/4b710e8481ade7c9200e94d3018e99dc42a0a0e8
	https://git.kernel.org/stable/c/a63ce4eca86fd207e3db07c00fb7ccf4adf1b230
	https://git.kernel.org/stable/c/b91f481300e3a10eaf66b94fc39b740928762aaf
	https://git.kernel.org/stable/c/7991dbff6849f67e823b7cc0c15e5a90b0549b9f

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ