CVE-2022-50705 (GCVE-0-2022-50705)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
Title
io_uring/rw: defer fsnotify calls to task context
Summary
In the Linux kernel, the following vulnerability has been resolved: io_uring/rw: defer fsnotify calls to task context We can't call these off the kiocb completion as that might be off soft/hard irq context. Defer the calls to when we process the task_work for this request. That avoids valid complaints like: stack backtrace: CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.0.0-rc6-syzkaller-00321-g105a36f3694e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_usage_bug kernel/locking/lockdep.c:3961 [inline] valid_state kernel/locking/lockdep.c:3973 [inline] mark_lock_irq kernel/locking/lockdep.c:4176 [inline] mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632 mark_lock kernel/locking/lockdep.c:4596 [inline] mark_usage kernel/locking/lockdep.c:4527 [inline] __lock_acquire+0x11d9/0x56d0 kernel/locking/lockdep.c:5007 lock_acquire kernel/locking/lockdep.c:5666 [inline] lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631 __fs_reclaim_acquire mm/page_alloc.c:4674 [inline] fs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4688 might_alloc include/linux/sched/mm.h:271 [inline] slab_pre_alloc_hook mm/slab.h:700 [inline] slab_alloc mm/slab.c:3278 [inline] __kmem_cache_alloc_lru mm/slab.c:3471 [inline] kmem_cache_alloc+0x39/0x520 mm/slab.c:3491 fanotify_alloc_fid_event fs/notify/fanotify/fanotify.c:580 [inline] fanotify_alloc_event fs/notify/fanotify/fanotify.c:813 [inline] fanotify_handle_event+0x1130/0x3f40 fs/notify/fanotify/fanotify.c:948 send_to_group fs/notify/fsnotify.c:360 [inline] fsnotify+0xafb/0x1680 fs/notify/fsnotify.c:570 __fsnotify_parent+0x62f/0xa60 fs/notify/fsnotify.c:230 fsnotify_parent include/linux/fsnotify.h:77 [inline] fsnotify_file include/linux/fsnotify.h:99 [inline] fsnotify_access include/linux/fsnotify.h:309 [inline] __io_complete_rw_common+0x485/0x720 io_uring/rw.c:195 io_complete_rw+0x1a/0x1f0 io_uring/rw.c:228 iomap_dio_complete_work fs/iomap/direct-io.c:144 [inline] iomap_dio_bio_end_io+0x438/0x5e0 fs/iomap/direct-io.c:178 bio_endio+0x5f9/0x780 block/bio.c:1564 req_bio_endio block/blk-mq.c:695 [inline] blk_update_request+0x3fc/0x1300 block/blk-mq.c:825 scsi_end_request+0x7a/0x9a0 drivers/scsi/scsi_lib.c:541 scsi_io_completion+0x173/0x1f70 drivers/scsi/scsi_lib.c:971 scsi_complete+0x122/0x3b0 drivers/scsi/scsi_lib.c:1438 blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1022 __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571 invoke_softirq kernel/softirq.c:445 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662 common_interrupt+0xa9/0xc0 arch/x86/kernel/irq.c:240
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: df1ec53252d5b5b26ea49e30438741c9a6d89857 , < 89a410dbd0f159ddd308f19d6eb682fc753e4771 (git)
Affected: f63cf5192fe3418ad5ae1a4412eba5694b145f79 , < 2a853c206e553dd9c0a55c22858fd6a446d93e15 (git)
Affected: f63cf5192fe3418ad5ae1a4412eba5694b145f79 , < b000145e9907809406d8164c3b2b8861d95aecd1 (git)
Affected: dfbe550c8235b7e98284db37eeeddfd3b4b19b00 (git)
Affected: b436d1e92662adecafff4c95baae6352289c2d80 (git)
Create a notification for this product.
    Linux Linux Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 5.15.90 , ≤ 5.15.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "io_uring/rw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "89a410dbd0f159ddd308f19d6eb682fc753e4771",
              "status": "affected",
              "version": "df1ec53252d5b5b26ea49e30438741c9a6d89857",
              "versionType": "git"
            },
            {
              "lessThan": "2a853c206e553dd9c0a55c22858fd6a446d93e15",
              "status": "affected",
              "version": "f63cf5192fe3418ad5ae1a4412eba5694b145f79",
              "versionType": "git"
            },
            {
              "lessThan": "b000145e9907809406d8164c3b2b8861d95aecd1",
              "status": "affected",
              "version": "f63cf5192fe3418ad5ae1a4412eba5694b145f79",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "dfbe550c8235b7e98284db37eeeddfd3b4b19b00",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b436d1e92662adecafff4c95baae6352289c2d80",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "io_uring/rw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.90",
                  "versionStartIncluding": "5.15.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.16.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.17.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rw: defer fsnotify calls to task context\n\nWe can\u0027t call these off the kiocb completion as that might be off\nsoft/hard irq context. Defer the calls to when we process the\ntask_work for this request. That avoids valid complaints like:\n\nstack backtrace:\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.0.0-rc6-syzkaller-00321-g105a36f3694e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022\nCall Trace:\n \u003cIRQ\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_usage_bug kernel/locking/lockdep.c:3961 [inline]\n valid_state kernel/locking/lockdep.c:3973 [inline]\n mark_lock_irq kernel/locking/lockdep.c:4176 [inline]\n mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632\n mark_lock kernel/locking/lockdep.c:4596 [inline]\n mark_usage kernel/locking/lockdep.c:4527 [inline]\n __lock_acquire+0x11d9/0x56d0 kernel/locking/lockdep.c:5007\n lock_acquire kernel/locking/lockdep.c:5666 [inline]\n lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631\n __fs_reclaim_acquire mm/page_alloc.c:4674 [inline]\n fs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4688\n might_alloc include/linux/sched/mm.h:271 [inline]\n slab_pre_alloc_hook mm/slab.h:700 [inline]\n slab_alloc mm/slab.c:3278 [inline]\n __kmem_cache_alloc_lru mm/slab.c:3471 [inline]\n kmem_cache_alloc+0x39/0x520 mm/slab.c:3491\n fanotify_alloc_fid_event fs/notify/fanotify/fanotify.c:580 [inline]\n fanotify_alloc_event fs/notify/fanotify/fanotify.c:813 [inline]\n fanotify_handle_event+0x1130/0x3f40 fs/notify/fanotify/fanotify.c:948\n send_to_group fs/notify/fsnotify.c:360 [inline]\n fsnotify+0xafb/0x1680 fs/notify/fsnotify.c:570\n __fsnotify_parent+0x62f/0xa60 fs/notify/fsnotify.c:230\n fsnotify_parent include/linux/fsnotify.h:77 [inline]\n fsnotify_file include/linux/fsnotify.h:99 [inline]\n fsnotify_access include/linux/fsnotify.h:309 [inline]\n __io_complete_rw_common+0x485/0x720 io_uring/rw.c:195\n io_complete_rw+0x1a/0x1f0 io_uring/rw.c:228\n iomap_dio_complete_work fs/iomap/direct-io.c:144 [inline]\n iomap_dio_bio_end_io+0x438/0x5e0 fs/iomap/direct-io.c:178\n bio_endio+0x5f9/0x780 block/bio.c:1564\n req_bio_endio block/blk-mq.c:695 [inline]\n blk_update_request+0x3fc/0x1300 block/blk-mq.c:825\n scsi_end_request+0x7a/0x9a0 drivers/scsi/scsi_lib.c:541\n scsi_io_completion+0x173/0x1f70 drivers/scsi/scsi_lib.c:971\n scsi_complete+0x122/0x3b0 drivers/scsi/scsi_lib.c:1438\n blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1022\n __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571\n invoke_softirq kernel/softirq.c:445 [inline]\n __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650\n irq_exit_rcu+0x5/0x20 kernel/softirq.c:662\n common_interrupt+0xa9/0xc0 arch/x86/kernel/irq.c:240"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T10:55:20.020Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/89a410dbd0f159ddd308f19d6eb682fc753e4771"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a853c206e553dd9c0a55c22858fd6a446d93e15"
        },
        {
          "url": "https://git.kernel.org/stable/c/b000145e9907809406d8164c3b2b8861d95aecd1"
        }
      ],
      "title": "io_uring/rw: defer fsnotify calls to task context",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50705",
    "datePublished": "2025-12-24T10:55:20.020Z",
    "dateReserved": "2025-12-24T10:53:15.518Z",
    "dateUpdated": "2025-12-24T10:55:20.020Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.