CVE-2022-50563 in Linux
Summary
by MITRE • 10/22/2025
In the Linux kernel, the following vulnerability has been resolved:
dm thin: Fix UAF in run_timer_softirq()
When dm_resume() and dm_destroy() are concurrent, it will lead to UAF, as follows:
BUG: KASAN: use-after-free in __run_timers+0x173/0x710
Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0

Call Trace:
 dump_stack_lvl+0x73/0x9f
 print_report.cold+0x132/0xaa2
 _raw_spin_lock_irqsave+0xcd/0x160
 __run_timers+0x173/0x710
 kasan_report+0xad/0x110
 __run_timers+0x173/0x710
 __asan_store8+0x9c/0x140
 __run_timers+0x173/0x710
 call_timer_fn+0x310/0x310
 pvclock_clocksource_read+0xfa/0x250
 kvm_clock_read+0x2c/0x70
 kvm_clock_get_cycles+0xd/0x20
 ktime_get+0x5c/0x110
 lapic_next_event+0x38/0x50
 clockevents_program_event+0xf1/0x1e0
 run_timer_softirq+0x49/0x90
 __do_softirq+0x16e/0x62c
 __irq_exit_rcu+0x1fa/0x270
 irq_exit_rcu+0x12/0x20
 sysvec_apic_timer_interrupt+0x8e/0xc0
One of the concurrency UAFs can be shown as below:

               (USE)                  |              (FREE)
do_resume                             |
  __find_device_hash_cell             |
    dm_get                            |
      atomic_inc(&md->holders)        |
                                      | dm_destroy
                                      |   __dm_destroy
                                      |     if (!dm_suspended_md(md))
                                      |     atomic_read(&md->holders)
                                      |     msleep(1)
  dm_resume                           |
    __dm_resume                       |
      dm_table_resume_targets         |
        pool_resume                   |
          do_waker  # add delay work  |
  dm_put                              |
    atomic_dec(&md->holders)          |
                                      |     dm_table_destroy
                                      |       pool_dtr
                                      |         __pool_dec
                                      |           __pool_destroy
                                      |             destroy_workqueue
                                      |             kfree(pool)  # free pool
        (time out)
__do_softirq
  run_timer_softirq  # pool has already been freed
This can be easily reproduced using:
  1. create thin-pool
  2. dmsetup suspend pool
  3. dmsetup resume pool
  4. dmsetup remove_all  # concurrent with 3
The root cause of this UAF bug is that dm_resume() adds the timer after dm_destroy() has skipped cancelling the timer because of the suspend status. After the timeout, run_timer_softirq() is called, but the pool has already been freed. The concurrency UAF bug will then happen.
Therefore, cancel the timer again in __pool_destroy().
Analysis
by VulDB Data Team • 03/21/2026
CVE-2022-50563 is a use-after-free in the Linux kernel's device-mapper thin-provisioning target (dm-thin, drivers/md/dm-thin.c). It is a race between dm_resume() and dm_destroy() on the same thin-pool device: dm_resume() re-arms the pool's periodic waker, a delayed work item backed by a kernel timer, while dm_destroy() is already tearing the pool down, so the timer later expires in run_timer_softirq() and operates on a struct pool that has already been kfree()d. The KASAN report in the summary shows an 8-byte write into freed memory from softirq context, which is kernel memory corruption. The reliably observable outcome is a crash; turning the stray write into anything more controlled is not demonstrated by the report.
The root cause is that timer cleanup is split across two paths and the suspend state decides which one runs. When a mapped device is destroyed, __dm_destroy() runs the target's suspend hooks (for dm-thin, pool_postsuspend(), which cancels the waker) only if the device is not already suspended, on the assumption that a suspended pool has no timers left. That assumption is broken by a concurrent dm_resume(): if it lands between __dm_destroy()'s dm_suspended_md() check and the final teardown, pool_resume() calls do_waker(), which queues the waker again, and then pool_dtr() -> __pool_dec() -> __pool_destroy() destroys the workqueue and frees the pool without cancelling it. destroy_workqueue() drains work that is already on the queue, but a delayed work item whose timer has not fired yet is still sitting in the timer wheel, holding a pointer into the freed pool. This is a time-of-check to time-of-use race on the suspend state: the object's owner released its memory while a timer it had armed still referenced it, which no lock around the data itself would have prevented.
On impact and exposure: triggering the race requires device-mapper control operations (dmsetup suspend, resume and remove), which need CAP_SYS_ADMIN, so an unprivileged local user cannot drive it. The realistic scenarios are an already-privileged actor who wants a kernel crash rather than a clean shutdown, and, more commonly, no attacker at all: storage management tooling that suspends, resumes and removes thin-pool devices from concurrent workers (LVM thin volumes, container storage backed by dm-thin, virtualization hosts) can hit the window on its own and panic the host. The outcome is a kernel crash or silent memory corruption in softirq context. Calling this privilege escalation overstates it, since the trigger already requires root and the report shows no controlled primitive. The four-step reproduction in the commit message is deterministic enough to crash a test VM reliably when steps 3 and 4 are run concurrently.
The upstream fix cancels the waker timer in __pool_destroy() itself, unconditionally, so teardown no longer depends on whether the suspend path already did it. The general rule it restores is that whoever frees an object with an embedded timer or delayed work must cancel it synchronously (cancel_delayed_work_sync() / del_timer_sync()) on every path that leads to the free, not only on the path that was exercised in testing. Administrators should apply the patched kernel on hosts that run dm-thin workloads. Until then, serialize device-mapper operations in management tooling so that a suspend or resume of a device never overlaps with its removal; a single lock around dmsetup invocations closes the window at the cost of some concurrency. KASAN is what surfaced this bug, but it is a debug-kernel tool with large memory and CPU overhead, appropriate for test rigs and fuzzing rather than production; debug builds with CONFIG_DEBUG_OBJECTS_TIMERS (together with CONFIG_DEBUG_OBJECTS_FREE) also report a timer that is still active when its memory is freed. Production hardening such as CONFIG_SLAB_FREELIST_HARDENED and init_on_free makes a stray write harder to exploit but does not prevent the crash. The weakness is CWE-416 (Use After Free). ATT&CK T1068 (Exploitation for Privilege Escalation) only applies if some lower-privileged path to the device-mapper ioctls exists; on a default system the better fit is an endpoint denial of service (T1499) triggered from an already-privileged context.
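To make the timing concrete, here is an added user-space replay of the interleaving in the commit message and of the root-cause and fix discussion above. It is illustration code written for this page, not the kernel's dm-thin code: the timer wheel, the pool_model and model_timer types, model_kfree() with its poison-and-park quarantine, and the replay() driver are assumptions of the example; only the order of the suspend, resume and destroy steps is taken from the commit message. replay(race, fixed) returns the number of timer expiries that ran against an already-freed pool, so replay(true, false) models the unpatched kernel under the four dmsetup steps and replay(true, true) the patched one.

```c
/* Added illustration, not kernel code: a user-space replay of the ordering in
 * the commit message and the root-cause analysis above. pool_model, model_timer,
 * timer_wheel_fire, model_kfree and the poison-based UAF detector are this
 * example's own constructions; only the suspend/resume/destroy order is the page's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define POOL_ALIVE 0x706f6f6cU
#define POOL_FREED 0xdeadbeefU
#define MAX_PENDING 8

/* Stand-in for the timer_list inside a delayed_work: the wheel keeps a raw
 * pointer to it, so the owner must cancel it before the owner is freed. */
struct model_timer { void (*fn)(struct model_timer *t); };
struct pool_model { unsigned magic; bool suspended; struct model_timer waker; };

static struct model_timer *wheel[MAX_PENDING];
static struct pool_model *quarantine[MAX_PENDING];
static int nquarantine, uaf_hits;

static void timer_arm(struct model_timer *t, void (*fn)(struct model_timer *))
{
    int slot = -1;
    t->fn = fn;
    for (int i = 0; i < MAX_PENDING; i++) {
        if (wheel[i] == t) return;               /* already pending */
        if (!wheel[i] && slot < 0) slot = i;
    }
    if (slot < 0) abort();
    wheel[slot] = t;
}

static void timer_cancel(struct model_timer *t)
{
    for (int i = 0; i < MAX_PENDING; i++) if (wheel[i] == t) wheel[i] = NULL;
}

/* Models run_timer_softirq(): take everything pending, then run it. */
static void timer_wheel_fire(void)
{
    struct model_timer *expired[MAX_PENDING];
    memcpy(expired, wheel, sizeof expired);
    memset(wheel, 0, sizeof wheel);
    for (int i = 0; i < MAX_PENDING; i++)
        if (expired[i]) expired[i]->fn(expired[i]);
}

/* kfree() stand-in: poison and park the object instead of releasing it, so a
 * dangling timer's access is observable here rather than undefined behaviour
 * (in the kernel it is the stray write in the KASAN report above). */
static void model_kfree(struct pool_model *p)
{
    p->magic = POOL_FREED;
    quarantine[nquarantine++] = p;
}

static void do_waker(struct model_timer *t)
{
    struct pool_model *pool =
        (struct pool_model *)((char *)t - offsetof(struct pool_model, waker));
    if (pool->magic != POOL_ALIVE) { uaf_hits++; return; }   /* the UAF */
    timer_arm(&pool->waker, do_waker);   /* the real waker re-queues itself */
}

/* pool_postsuspend(): where the waker is normally cancelled. */
static void pool_postsuspend(struct pool_model *p) { timer_cancel(&p->waker); p->suspended = true; }
/* pool_resume() -> do_waker(): re-arms the waker. */
static void pool_resume(struct pool_model *p) { p->suspended = false; timer_arm(&p->waker, do_waker); }

/* __pool_destroy(): with the fix, the waker is cancelled here unconditionally. */
static void pool_destroy(struct pool_model *p, bool fixed)
{
    if (fixed) timer_cancel(&p->waker);
    model_kfree(p);
}

/* Replays the commit's interleaving. `race` lands dm_resume() between
 * __dm_destroy()'s suspend check and the final free; `fixed` selects the
 * patched __pool_destroy(). Returns how many expiries touched a freed pool. */
int replay(bool race, bool fixed)
{
    memset(wheel, 0, sizeof wheel);
    uaf_hits = 0;
    struct pool_model *p = calloc(1, sizeof *p);
    p->magic = POOL_ALIVE;
    pool_resume(p);                  /* 1. create thin-pool: waker armed */
    pool_postsuspend(p);             /* 2. dmsetup suspend pool: waker cancelled */
    if (!p->suspended)               /* 4. remove_all -> __dm_destroy() skips the */
        pool_postsuspend(p);         /*    cancel because the pool is suspended */
    if (race) pool_resume(p);        /* 3. dmsetup resume pool re-arms the waker */
    pool_destroy(p, fixed);          /*    ... then __pool_destroy() frees it */
    timer_wheel_fire();              /* later: run_timer_softirq() fires the waker */
    while (nquarantine > 0) free(quarantine[--nquarantine]);
    return uaf_hits;
}
```

The point the replay makes is the one the fix encodes: whether the waker is still armed at kfree() time depends on an interleaving that __dm_destroy() cannot observe, so __pool_destroy() has to cancel it itself (cancel_delayed_work_sync() in the real driver) rather than trust that the suspend path already did. Without the race, both the unpatched and patched sequences are clean, which is why ordinary testing did not catch the bug.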