CVE-2022-49270

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49270
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49270.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49270
Downstream
Related
Published
2025-02-26T01:56:17Z
Modified
2025-10-21T09:38:31.730095Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
dm: fix use-after-free in dm_cleanup_zoned_dev()
Details

In the Linux kernel, the following vulnerability has been resolved:

dm: fix use-after-free in dmcleanupzoned_dev()

dmcleanupzoneddev() uses queue, so it must be called before blkcleanup_disk() starts its killing:

blkcleanupdisk->blkcleanupqueue()->kobjectput()->blkreleasequeue()-> ->...RCU...->blkfreequeuercu()->kmemcachefree()

Otherwise, RCU callback may be executed first and dmcleanupzoned_dev() will touch free'd memory:

BUG: KASAN: use-after-free in dmcleanupzoned_dev+0x33/0xd0 Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681

CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x57/0x7d printaddressdescription.constprop.0+0x1f/0x150 ? dmcleanupzoneddev+0x33/0xd0 kasanreport.cold+0x7f/0x11b ? dmcleanupzoneddev+0x33/0xd0 dmcleanupzoneddev+0x33/0xd0 _dmdestroy+0x26a/0x400 ? dmblkioctl+0x230/0x230 ? upwrite+0xd8/0x270 devremove+0x156/0x1d0 ctlioctl+0x269/0x530 ? tableclear+0x140/0x140 ? lockrelease+0xb2/0x750 ? removeall+0x40/0x40 ? rcureadlockschedheld+0x12/0x70 ? lockdowngrade+0x3c0/0x3c0 ? rcureadlockschedheld+0x12/0x70 dmctlioctl+0xa/0x10 _x64sysioctl+0xb9/0xf0 dosyscall64+0x3b/0x90 entrySYSCALL64afterhwframe+0x44/0xae RIP: 0033:0x7fb6dfa95c27

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bb37d77239af25cde59693dbe3fac04dd17d7b29
Fixed
0987f00a76a17aa7213da492c00ed9e5a6210c73
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bb37d77239af25cde59693dbe3fac04dd17d7b29
Fixed
fdfe414ca28ddfd562c233fb27385cf820de03e8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bb37d77239af25cde59693dbe3fac04dd17d7b29
Fixed
43a043aed964659bc69ef81f266912b73c80d837
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bb37d77239af25cde59693dbe3fac04dd17d7b29
Fixed
588b7f5df0cb64f281290c7672470c006abe7160

Affected versions

v5.*

v5.13
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.15
v5.16.16
v5.16.17
v5.16.18
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fdfe414ca28ddfd562c233fb27385cf820de03e8",
        "target": {
            "function": "cleanup_mapped_device",
            "file": "drivers/md/dm.c"
        },
        "digest": {
            "function_hash": "81366426606027698239026287965572939256",
            "length": 785.0
        },
        "deprecated": false,
        "id": "CVE-2022-49270-01f4dc14",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0987f00a76a17aa7213da492c00ed9e5a6210c73",
        "target": {
            "file": "drivers/md/dm.c"
        },
        "digest": {
            "line_hashes": [
                "256538427029333137851255072979133780673",
                "13817241541847778795473884006236546381",
                "282172158870113756668348867881738317120",
                "79558354655916324936995770778617082608",
                "67253472398455296585966915240653246454",
                "154955768871407162014361812966719815322",
                "250212884710974208667930581639527162819"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2022-49270-3bbd4295",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0987f00a76a17aa7213da492c00ed9e5a6210c73",
        "target": {
            "function": "cleanup_mapped_device",
            "file": "drivers/md/dm.c"
        },
        "digest": {
            "function_hash": "81366426606027698239026287965572939256",
            "length": 785.0
        },
        "deprecated": false,
        "id": "CVE-2022-49270-74901d2e",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@588b7f5df0cb64f281290c7672470c006abe7160",
        "target": {
            "function": "cleanup_mapped_device",
            "file": "drivers/md/dm.c"
        },
        "digest": {
            "function_hash": "65022243914042807747895342230750590298",
            "length": 909.0
        },
        "deprecated": false,
        "id": "CVE-2022-49270-91e2f02b",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@43a043aed964659bc69ef81f266912b73c80d837",
        "target": {
            "file": "drivers/md/dm.c"
        },
        "digest": {
            "line_hashes": [
                "256538427029333137851255072979133780673",
                "13817241541847778795473884006236546381",
                "282172158870113756668348867881738317120",
                "79558354655916324936995770778617082608",
                "67253472398455296585966915240653246454",
                "154955768871407162014361812966719815322",
                "250212884710974208667930581639527162819"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2022-49270-bd9949c1",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@588b7f5df0cb64f281290c7672470c006abe7160",
        "target": {
            "file": "drivers/md/dm.c"
        },
        "digest": {
            "line_hashes": [
                "256538427029333137851255072979133780673",
                "13817241541847778795473884006236546381",
                "282172158870113756668348867881738317120",
                "79558354655916324936995770778617082608",
                "67253472398455296585966915240653246454",
                "154955768871407162014361812966719815322",
                "250212884710974208667930581639527162819"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2022-49270-be0645ea",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fdfe414ca28ddfd562c233fb27385cf820de03e8",
        "target": {
            "file": "drivers/md/dm.c"
        },
        "digest": {
            "line_hashes": [
                "256538427029333137851255072979133780673",
                "13817241541847778795473884006236546381",
                "282172158870113756668348867881738317120",
                "79558354655916324936995770778617082608",
                "67253472398455296585966915240653246454",
                "154955768871407162014361812966719815322",
                "250212884710974208667930581639527162819"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2022-49270-c1f36989",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@43a043aed964659bc69ef81f266912b73c80d837",
        "target": {
            "function": "cleanup_mapped_device",
            "file": "drivers/md/dm.c"
        },
        "digest": {
            "function_hash": "334098829510560124021196836905366526636",
            "length": 814.0
        },
        "deprecated": false,
        "id": "CVE-2022-49270-c641f9b3",
        "signature_type": "Function",
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.14.0
Fixed
5.15.33
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.19
Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
5.17.2