CVE-2022-50534 in Linux

Summary

by MITRE • 10/07/2025

In the Linux kernel, the following vulnerability has been resolved:

dm thin: Use last transaction's pmd->root when commit failed

Recently we found a soft lockup problem in dm thin pool btree lookup code due to corrupted metadata:

Kernel panic - not syncing: softlockup: hung tasks
CPU: 7 PID: 2669225 Comm: kworker/u16:3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Workqueue: dm-thin do_worker [dm_thin_pool]
Call Trace:
 <IRQ>
 dump_stack+0x9c/0xd3
 panic+0x35d/0x6b9
 watchdog_timer_fn.cold+0x16/0x25
 __run_hrtimer+0xa2/0x2d0
 </IRQ>
RIP: 0010:__relink_lru+0x102/0x220 [dm_bufio]
 __bufio_new+0x11f/0x4f0 [dm_bufio]
 new_read+0xa3/0x1e0 [dm_bufio]
 dm_bm_read_lock+0x33/0xd0 [dm_persistent_data]
 ro_step+0x63/0x100 [dm_persistent_data]
 btree_lookup_raw.constprop.0+0x44/0x220 [dm_persistent_data]
 dm_btree_lookup+0x16f/0x210 [dm_persistent_data]
 dm_thin_find_block+0x12c/0x210 [dm_thin_pool]
 __process_bio_read_only+0xc5/0x400 [dm_thin_pool]
 process_thin_deferred_bios+0x1a4/0x4a0 [dm_thin_pool]
 process_one_work+0x3c5/0x730

Following process may generate a broken btree mixed with fresh and stale btree nodes, which could get dm thin trapped in an infinite loop while looking up data block:

    Transaction 1: pmd->root = A, A->B->C   // One path in btree
                   pmd->root = X, X->Y->Z   // Copy-up
    Transaction 2: X,Z is updated on disk, Y write failed.
                   // Commit failed, dm thin becomes read-only.
    process_bio_read_only
        dm_thin_find_block
            __find_block
                dm_btree_lookup(pmd->root)

The pmd->root points to a broken btree, Y may contain stale node pointing to any block, for example X, which gets dm thin trapped into a dead loop while looking up Z.

Fix this by setting pmd->root in __open_metadata(), so that dm thin will use the last transaction's pmd->root if commit failed.

Fetch a reproducer in [Link].

Link: https://bugzilla.kernel.org/show_bug.cgi?id=216790


Analysis

by VulDB Data Team • 04/19/2026

The vulnerability described in CVE-2022-50534 affects the Linux kernel's device mapper thin provisioning subsystem, specifically within the dm-thin-pool driver. This issue manifests as a soft lockup condition that occurs during btree lookup operations when metadata becomes corrupted. The problem stems from improper handling of metadata transaction states following failed commits, creating a scenario where the system becomes unresponsive due to infinite loop conditions in the btree traversal logic. The kernel panic message indicates a softlockup event where the system detected hung tasks on CPU 7, with the call trace showing the execution path leading to the problematic code in the dm_bufio and dm_persistent_data modules.

The technical flaw occurs in the dm-thin-pool implementation where the pmd->root pointer is not properly managed during transaction failures. When a metadata transaction fails to commit, the pool enters a read-only state, but pmd->root still references the partially written btree of the failed transaction. In that btree, nodes whose writes failed keep stale on-disk contents and, as the commit message notes, may point to any block, including one already on the lookup path; such circular references make the btree lookup loop indefinitely. The vulnerability is particularly dangerous because it can be triggered by an ordinary sequence of metadata updates in which an intermediate write fails, leaving the btree in an inconsistent mix of fresh and stale nodes. The specific scenario involves two transactions: the second fails during commit, yet the read-only path keeps walking its stale nodes through the pmd->root pointer.

The operational impact of this vulnerability is severe as it can cause complete system lockup and requires manual intervention to recover. The softlockup condition prevents the system from processing any further tasks, effectively making the affected system unusable until a reboot occurs. This vulnerability affects systems using device mapper thin provisioning, which is commonly found in virtualization environments and storage solutions that utilize thin provisioning techniques. The infinite loop in the btree lookup code means that even simple read operations can cause the entire system to hang, making this a critical issue for production environments where system stability is paramount. The vulnerability is particularly concerning in high-availability environments where such a lockup could lead to service disruption and potential data loss.

The fix modifies the __open_metadata() function so that pmd->root is set to the root recorded by the last successfully committed transaction. When a later commit fails, dm thin therefore continues to use the most recent valid btree instead of the corrupted one that could cause infinite loops. The solution follows the defensive-programming principle that corrupted state must not be propagated, and matches established error-recovery practice in storage systems: metadata remains consistent even when an individual transaction fails. This vulnerability is classified under CWE-839 as it involves improper handling of data validation and consistency in metadata structures, and could be exploited through the ATT&CK technique of privilege escalation or denial of service by causing system lockups. By restoring proper state management, the fix prevents corrupted metadata from propagating through the device mapper thin provisioning subsystem and removes the softlockup condition that could otherwise render systems unusable.
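The failure sequence from the commit message (Transaction 1 commits A->B->C, Transaction 2's copy-up X->Y->Z loses the write of Y) as a constructed model, added here and not kernel or VulDB code. The block numbers, the stale content of Y pointing back to X, and the single-child node layout are assumptions chosen to reproduce the cycle.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the dm-thin failure sequence (added example, not kernel
 * code). Each metadata block on a simulated disk stores one child block number;
 * 0 marks a leaf. Block names A..Z mirror the commit message's diagram. */
#define NBLOCKS 8
enum { LEAF = 0, A = 1, B, C, X, Y, Z };

static int disk[NBLOCKS];   /* disk[n] = child pointer stored in block n */
static int superblock_root; /* root recorded by the last successful commit */

/* Transaction 1 commits A->B->C. Transaction 2 copies up to X->Y->Z, but Y's
 * write fails, so Y's on-disk slot keeps stale data; the stale pointer back
 * to X is an assumption chosen to show the worst case. */
static void simulate_transactions(void) {
    disk[A] = B; disk[B] = C; disk[C] = LEAF;
    superblock_root = A;            /* commit 1 succeeded */
    disk[X] = Y; disk[Z] = LEAF;    /* commit 2: X and Z reach the disk */
    disk[Y] = X;                    /* Y's write failed: stale content */
}

/* Walk from root to a leaf. Returns the block just above the leaf, or -1 when
 * a block repeats, i.e. where the unbounded kernel walk would spin forever. */
int btree_lookup(int root) {
    unsigned visited = 0;
    int n = root;
    while (disk[n] != LEAF) {
        if (visited & (1u << n)) return -1;   /* cycle through a stale node */
        visited |= 1u << n;
        n = disk[n];
    }
    return n;
}

/* pmd->root as seen by the read-only path. Before the fix the in-memory root
 * still names X after the failed commit; with the fix, __open_metadata()
 * reloads the root the superblock recorded for the last committed transaction. */
int find_block_root(bool fixed) {
    simulate_transactions();
    int pmd_root = fixed ? superblock_root : X;
    return btree_lookup(pmd_root);
}

int main(void) {
    printf("unfixed lookup: %d (-1 = would loop forever)\n", find_block_root(false));
    printf("fixed lookup:   %d (expected block C = %d)\n", find_block_root(true), C);
    return 0;
}
```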

Responsible

Linux

Reservation

10/07/2025

Disclosure

10/07/2025

Moderation

accepted

CPE

ready

EPSS

0.00147

KEV

no

Activities

very low

Sources
