CVE-2022-50534

MEDIUM
2025-10-07 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
CVE Published: Oct 07, 2025 - 16:15 (nvd), MEDIUM 5.5

Description

In the Linux kernel, the following vulnerability has been resolved:

dm thin: Use last transaction's pmd->root when commit failed

Recently we found a softlock up problem in dm thin pool btree lookup code due to corrupted metadata:

    Kernel panic - not syncing: softlockup: hung tasks
    CPU: 7 PID: 2669225 Comm: kworker/u16:3
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
    Workqueue: dm-thin do_worker [dm_thin_pool]
    Call Trace:
      <IRQ>
      dump_stack+0x9c/0xd3
      panic+0x35d/0x6b9
      watchdog_timer_fn.cold+0x16/0x25
      __run_hrtimer+0xa2/0x2d0
      </IRQ>
      RIP: 0010:__relink_lru+0x102/0x220 [dm_bufio]
      __bufio_new+0x11f/0x4f0 [dm_bufio]
      new_read+0xa3/0x1e0 [dm_bufio]
      dm_bm_read_lock+0x33/0xd0 [dm_persistent_data]
      ro_step+0x63/0x100 [dm_persistent_data]
      btree_lookup_raw.constprop.0+0x44/0x220 [dm_persistent_data]
      dm_btree_lookup+0x16f/0x210 [dm_persistent_data]
      dm_thin_find_block+0x12c/0x210 [dm_thin_pool]
      __process_bio_read_only+0xc5/0x400 [dm_thin_pool]
      process_thin_deferred_bios+0x1a4/0x4a0 [dm_thin_pool]
      process_one_work+0x3c5/0x730

Following process may generate a broken btree mixed with fresh and stale btree nodes, which could get dm thin trapped in an infinite loop while looking up data block:

    Transaction 1: pmd->root = A, A->B->C   // One path in btree
                   pmd->root = X, X->Y->Z   // Copy-up
    Transaction 2: X,Z is updated on disk, Y write failed.
                   // Commit failed, dm thin becomes read-only.
                   process_bio_read_only
                    dm_thin_find_block
                     __find_block
                      dm_btree_lookup(pmd->root)

The pmd->root points to a broken btree, Y may contain stale node pointing to any block, for example X, which gets dm thin trapped into a dead loop while looking up Z.

Fix this by setting pmd->root in __open_metadata(), so that dm thin will use the last transaction's pmd->root if commit failed.

Fetch a reproducer in [Link].

Link: https://bugzilla.kernel.org/show_bug.cgi?id=216790

Analysis

A logic error in the Linux kernel's device mapper thin pool module causes infinite loops and system hangs when metadata commits fail. The vulnerability affects Linux kernel systems with dm-thin storage pools; when a commit fails during btree metadata operations, the pmd->root pointer is not properly restored to the last valid transaction state, causing subsequent read operations to traverse a corrupted btree structure. An unprivileged local attacker with access to the system can trigger this denial of service condition, resulting in kernel softlockups and system hangs. While no public exploit code is widely distributed, the vulnerability is straightforward to trigger through storage I/O operations on affected systems.

Technical Context

The Linux kernel's device mapper (dm) subsystem provides logical volume management, with the dm-thin module implementing thin provisioning for block storage. The vulnerability resides in the btree metadata management code within dm-thin's persistent metadata handling (pmd). When a transaction commit fails during btree copy-up operations (internal node redistribution), the root pointer (pmd->root) is not properly reset to the previous transaction's valid root value. Instead, it remains pointing to a partially-updated btree containing a mix of stale and fresh nodes. Subsequent btree lookups via dm_btree_lookup() traverse this corrupted structure, potentially following stale pointers in internal nodes that create circular references or infinite paths. The affected component is the Linux kernel across all versions with dm-thin functionality (CPE: cpe:2.3:o:linux:linux_kernel). The root cause is improper state management during transaction rollback, which relates to improper resource cleanup and state consistency (CWE-664 equivalent behavior).
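
The failure sequence from the description can be modelled in user space. The following C program is an added example, not kernel code and not taken from the patch: the block names A, B, C, X, Y, Z follow the commit message, while the one-child node layout, the MAX_DEPTH bound and the last_committed_root variable are assumptions of the model.

```c
#include <stdio.h>

/* Constructed toy model, not kernel code: one child pointer per interior
 * node. Block names follow the commit message; the layout is an assumption. */
enum { A, B, C, X, Y, Z, NBLOCKS };
#define LEAF (-1)
#define MAX_DEPTH 8 /* model-only bound so the demonstration terminates */

struct node { int child; int value; };

/* Disk after transaction 2's failed commit: A->B->C is the last committed
 * path; X and Z were written, Y's write failed, so block Y still holds a
 * stale node that happens to point back at X. */
static const struct node disk[NBLOCKS] = {
    [A] = { B, 0 }, [B] = { C, 0 }, [C] = { LEAF, 100 },
    [X] = { Y, 0 }, [Y] = { X, 0 }, [Z] = { LEAF, 200 },
};

static const int last_committed_root = A; /* hypothetical name */

/* Walk from root to a leaf; -1 means no leaf was reached within the bound.
 * An unbounded walk would spin here, as in the reported softlockup. */
int lookup(int root)
{
    int blk = root;
    for (int depth = 0; depth < MAX_DEPTH; depth++) {
        if (disk[blk].child == LEAF)
            return disk[blk].value;
        blk = disk[blk].child;
    }
    return -1;
}

struct pmd { int root; };

/* Before the fix: the in-core root still names the uncommitted tree at X. */
int lookup_unfixed(void) { struct pmd p = { X }; return lookup(p.root); }

/* After the fix: the root is reset to the last transaction's root first. */
int lookup_fixed(void)
{
    struct pmd p = { X };
    p.root = last_committed_root;
    return lookup(p.root);
}

int main(void)
{
    printf("root X (uncommitted): %d\n", lookup_unfixed());
    printf("root A (last commit): %d\n", lookup_fixed());
    return 0;
}
```
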

Affected Products

The Linux kernel is the sole affected product, with all versions containing dm-thin functionality vulnerable prior to the patches. The vulnerability affects the entire Linux kernel ecosystem across all architectures and distributions (CPE: cpe:2.3:o:linux:linux_kernel). Patches have been released and integrated into stable kernel series; the upstream kernel repository contains fixes via commits 3db757ffdd87ed8d7118b2250236a496502a660f, 4b710e8481ade7c9200e94d3018e99dc42a0a0e8, 7991dbff6849f67e823b7cc0c15e5a90b0549b9f, 87d69b8824ca9b090f5a8ed47f758e8f6eecb871, 94f01ecc2aa0be992865acc80ebb6701f731f955, a63ce4eca86fd207e3db07c00fb7ccf4adf1b230, b35a22760aa5008d82533e59b0f0b5eb1b02d4e5, b91f481300e3a10eaf66b94fc39b740928762aaf, and f758987ff0af3a4b5ee69e95cab6a5294e4367b0. Distributions deploying thin provisioning for virtual machine or container storage (such as those using LVM thin pools) are most directly affected.

Remediation

Upgrade the Linux kernel to a version incorporating one of the nine available patches listed in the upstream stable kernel repository (git.kernel.org/stable/c/). Specific kernel versions should be verified through your distribution's kernel release notes; major distributions including Red Hat, Canonical, SUSE, and Debian have backported fixes to their stable branches. Until kernel patching is completed, operators can mitigate risk by disabling thin provisioning for non-critical workloads, implementing strict I/O error handling policies that fail fast rather than allowing retry storms, and monitoring kernel logs for btree lookup warnings. For production systems, coordinate kernel updates during scheduled maintenance windows, as the fix requires a reboot. Verify patch application by confirming the presence of the pmd->root restoration logic in dm_thin's __open_metadata() function via kernel source inspection or distribution package changelogs.

Priority Score

28
KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0
