{
  "threat_severity" : "Low",
  "public_date" : "2025-10-07T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata",
    "id" : "2402251",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402251"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-833",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata\nFollowing concurrent processes:\nP1(drop cache)                P2(kworker)\ndrop_caches_sysctl_handler\ndrop_slab\nshrink_slab\ndown_read(&shrinker_rwsem)  - LOCK A\ndo_shrink_slab\nsuper_cache_scan\nprune_icache_sb\ndispose_list\nevict\next4_evict_inode\next4_clear_inode\next4_discard_preallocations\next4_mb_load_buddy_gfp\next4_mb_init_cache\next4_read_block_bitmap_nowait\next4_read_bh_nowait\nsubmit_bh\ndm_submit_bio\ndo_worker\nprocess_deferred_bios\ncommit\nmetadata_operation_failed\ndm_pool_abort_metadata\ndown_write(&pmd->root_lock) - LOCK B\n__destroy_persistent_data_objects\ndm_block_manager_destroy\ndm_bufio_client_destroy\nunregister_shrinker\ndown_write(&shrinker_rwsem)\nthin_map                            |\ndm_thin_find_block                 ↓\ndown_read(&pmd->root_lock) --> ABBA deadlock\n, which triggers hung task:\n[   76.974820] INFO: task kworker/u4:3:63 blocked for more than 15 seconds.\n[   76.976019]       Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910\n[   76.978521] task:kworker/u4:3    state:D stack:0     pid:63    ppid:2\n[   76.978534] Workqueue: dm-thin do_worker\n[   76.978552] Call Trace:\n[   76.978564]  __schedule+0x6ba/0x10f0\n[   76.978582]  schedule+0x9d/0x1e0\n[   76.978588]  rwsem_down_write_slowpath+0x587/0xdf0\n[   76.978600]  down_write+0xec/0x110\n[   76.978607]  unregister_shrinker+0x2c/0xf0\n[   76.978616]  dm_bufio_client_destroy+0x116/0x3d0\n[   76.978625]  dm_block_manager_destroy+0x19/0x40\n[   76.978629]  __destroy_persistent_data_objects+0x5e/0x70\n[   76.978636]  dm_pool_abort_metadata+0x8e/0x100\n[   76.978643]  metadata_operation_failed+0x86/0x110\n[   76.978649]  commit+0x6a/0x230\n[   76.978655]  do_worker+0xc6e/0xd90\n[   76.978702]  process_one_work+0x269/0x630\n[   76.978714]  worker_thread+0x266/0x630\n[   76.978730]  kthread+0x151/0x1b0\n[   76.978772] INFO: task test.sh:2646 blocked for more than 15 seconds.\n[   76.979756]       Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910\n[   76.982111] task:test.sh         state:D stack:0     pid:2646  ppid:2459\n[   76.982128] Call Trace:\n[   76.982139]  __schedule+0x6ba/0x10f0\n[   76.982155]  schedule+0x9d/0x1e0\n[   76.982159]  rwsem_down_read_slowpath+0x4f4/0x910\n[   76.982173]  down_read+0x84/0x170\n[   76.982177]  dm_thin_find_block+0x4c/0xd0\n[   76.982183]  thin_map+0x201/0x3d0\n[   76.982188]  __map_bio+0x5b/0x350\n[   76.982195]  dm_submit_bio+0x2b6/0x930\n[   76.982202]  __submit_bio+0x123/0x2d0\n[   76.982209]  submit_bio_noacct_nocheck+0x101/0x3e0\n[   76.982222]  submit_bio_noacct+0x389/0x770\n[   76.982227]  submit_bio+0x50/0xc0\n[   76.982232]  submit_bh_wbc+0x15e/0x230\n[   76.982238]  submit_bh+0x14/0x20\n[   76.982241]  ext4_read_bh_nowait+0xc5/0x130\n[   76.982247]  ext4_read_block_bitmap_nowait+0x340/0xc60\n[   76.982254]  ext4_mb_init_cache+0x1ce/0xdc0\n[   76.982259]  ext4_mb_load_buddy_gfp+0x987/0xfa0\n[   76.982263]  ext4_discard_preallocations+0x45d/0x830\n[   76.982274]  ext4_clear_inode+0x48/0xf0\n[   76.982280]  ext4_evict_inode+0xcf/0xc70\n[   76.982285]  evict+0x119/0x2b0\n[   76.982290]  dispose_list+0x43/0xa0\n[   76.982294]  prune_icache_sb+0x64/0x90\n[   76.982298]  super_cache_scan+0x155/0x210\n[   76.982303]  do_shrink_slab+0x19e/0x4e0\n[   76.982310]  shrink_slab+0x2bd/0x450\n[   76.982317]  drop_slab+0xcc/0x1a0\n[   76.982323]  drop_caches_sysctl_handler+0xb7/0xe0\n[   76.982327]  proc_sys_call_handler+0x1bc/0x300\n[   76.982331]  proc_sys_write+0x17/0x20\n[   76.982334]  vfs_write+0x3d3/0x570\n[   76.982342]  ksys_write+0x73/0x160\n[   76.982347]  __x64_sys_write+0x1e/0x30\n[   76.982352]  do_syscall_64+0x35/0x80\n[   76.982357]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\nFunct\n---truncated---", "An ABBA deadlock flaw was found in the Linux kernel's device-mapper thin provisioning subsystem between the memory reclaim path and metadata abort handling. A local user can trigger this issue by initiating cache drop operations while dm-thin operations are active, causing process P1 to hold shrinker_rwsem and wait for pmd->root_lock while process P2 holds pmd->root_lock and waits for shrinker_rwsem during metadata abort. This results in a deadlock manifesting as hung tasks and system unresponsiveness, leading to denial of service." ],
  "statement" : "The deadlock occurs through a specific interaction between memory management and device-mapper operations. When cache is dropped (via /proc/sys/vm/drop_caches), the shrink_slab path acquires shrinker_rwsem for reading, then processes filesystem operations that may involve dm-thin devices. Concurrently, when dm-thin metadata operations fail, the dm_pool_abort_metadata function acquires pmd->root_lock, destroys the block manager (which unregisters a shrinker), and attempts to acquire shrinker_rwsem for writing. Meanwhile, thin_map operations acquire pmd->root_lock for reading. This creates an ABBA deadlock: P1 holds shrinker_rwsem→waits for pmd->root_lock, P2 holds pmd->root_lock→waits for shrinker_rwsem.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:2951",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-477.10.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50549\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50549\nhttps://lore.kernel.org/linux-cve-announce/2025100758-CVE-2022-50549-cb07@gregkh/T" ],
  "name" : "CVE-2022-50549",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the dm_thin_pool module from being loaded. See https://access.redhat.com/solutions/41278 for instructions on blacklisting kernel modules.",
    "lang" : "en:us"
  },
  "csaw" : false
}