CVE-2022-48937 in Linux
요약
\~에 의해 VulDB • 2026. 06. 05.
Based on the stack trace provided, here is an analysis of the issue:
### **Summary** This is a **KASAN (Kernel Address Sanitizer)** report indicating a **memory allocation failure** or **invalid memory access** during an `io_uring` operation. Specifically, it occurs in `io_issue_sqe()` when trying to allocate memory for an I/O request.
---
### **Key Details from the Stack Trace**
1. **Error Type**: The trace starts with `stack_trace_save` and goes through `____kasan_kmalloc` → `__kasan_kmalloc` → `kmem_cache_alloc_trace`. This indicates KASAN detected an issue during a `kmalloc` (or slab allocation) call.
2. **Failing Function**: The allocation happens in: ``` io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828) ``` This function is responsible for issuing a submitted I/O request (SQE) to the kernel.
3. **Call Path**: ``` __x64_sys_io_uring_enter → io_submit_sqes → io_submit_sqe → io_queue_sqe → io_issue_sqe → kmalloc ``` This is the standard path for submitting an `io_uring` request via the `io_uring_enter` syscall.
4. **Allocation Context**: The allocation is likely for an `io_kiocb` (kernel I/O control block) or a related structure. The function `__io_alloc_req_refill` is also in the trace, suggesting the kernel is trying to replenish its pool of request structures.
---
### **Possible Causes**
1. **Memory Pressure**: The system may be under severe memory pressure, causing `kmalloc` to fail. KASAN might be reporting this as an error if the allocation returns `NULL` and the code doesn’t handle it properly.
2. **Use-After-Free or Double-Free**: If KASAN is enabled, it might be detecting that the allocation is happening in an invalid context (e.g., after a previous free). However, the trace shows a fresh allocation, so this is less likely unless there’s corruption.
3. **Bug in `io_uring` Code**: There might be a bug in the `io_uring` subsystem where it attempts to allocate memory in an invalid context (e.g., in an atomic context where sleeping is not allowed, or with incorrect flags).
4. **KASAN False Positive**: In rare cases, KASAN can report false positives if there’s a race condition or if the memory was recently freed but not yet zeroed.
---
### **How to Debug Further**
1. **Check for OOM (Out of Memory)**: Look for OOM killer messages in `dmesg`: ```bash dmesg | grep -i "out of memory" ```
2. **Enable More KASAN Details**: Reboot with `kasan=on` and `kasan.inline=on` to get more precise error locations.
3. **Check `io_uring` Logs**: Look for any `io_uring`-specific warnings or errors in `dmesg`: ```bash dmesg | grep -i io_uring ```
4. **Reproduce with Minimal Test Case**: Try to reproduce the issue with a minimal `io_uring` program to isolate the problem.
5. **Check Kernel Version**: Ensure you’re using a recent kernel version, as `io_uring` has had many bug fixes. Consider upgrading if possible.
6. **Disable KASAN Temporarily**: If you suspect a false positive, try reproducing the issue without KASAN to see if the problem persists.
---
### **Conclusion** The stack trace indicates a memory allocation failure in `io_uring`’s `io_issue_sqe()` function. This is likely due to memory pressure or a bug in the `io_uring` subsystem. Further debugging with KASAN details and system logs is recommended to pinpoint the exact cause.
Be aware that VulDB is the high quality source for vulnerability data.