CVE-2022-50730
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 24/12/2025
Last modified: 29/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ext4: silence the warning when evicting inode with dioread_nolock

When evicting an inode with default dioread_nolock, it could be raced by
the unwritten extents converting kworker after writing back some newly
allocated dirty blocks. It converts unwritten extents to written; the
extents could be merged to the upper level and free extent blocks, so it
could mark the inode dirty again even though this inode has been marked
I_FREEING. But the inode->i_io_list check and warning in
ext4_evict_inode() miss this corner case. Fortunately,
ext4_evict_inode() will wait for all extent conversions to finish before
this check, so it will not lead to an inode use-after-free problem;
everything is OK besides this warning. The WARN_ON_ONCE was originally
designed for finding inode use-after-free issues in advance, but if we add
the current dioread_nolock case in, it will become not quite useful, so
fix this warning by just removing this check.

======
WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227
ext4_evict_inode+0x875/0xc60
...
RIP: 0010:ext4_evict_inode+0x875/0xc60
...
Call Trace:

evict+0x11c/0x2b0
iput+0x236/0x3a0
do_unlinkat+0x1b4/0x490
__x64_sys_unlinkat+0x4c/0xb0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa933c1115b
======

rm                                                   kworker
                                                     ext4_end_io_end()
vfs_unlink()
 ext4_unlink()
                                                      ext4_convert_unwritten_io_end_vec()
                                                       ext4_convert_unwritten_extents()
                                                        ext4_map_blocks()
                                                         ext4_ext_map_blocks()
                                                          ext4_ext_try_to_merge_up()
                                                           __mark_inode_dirty()
                                                            check !I_FREEING
                                                            locked_inode_to_wb_and_lock_list()
iput()
 iput_final()
  evict()
   ext4_evict_inode()
    truncate_inode_pages_final() //wait release io_end
                                                            inode_io_list_move_locked()
                                                      ext4_release_io_end()
    trigger WARN_ON_ONCE()
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0d041b7251c13679a0f6c7926751ce1d8a7237c1
- https://git.kernel.org/stable/c/3b893cc9a8d8b4e486a6639f5e107b56b7197d2e
- https://git.kernel.org/stable/c/b085fb43feede48ebf80ab7e2dd150c8d9902932
- https://git.kernel.org/stable/c/bc12ac98ea2e1b70adc6478c8b473a0003b659d3
- https://git.kernel.org/stable/c/bdc698ce91f232fd5eb11d2373e9f82f687314b8
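
To find hosts that logged this warning, the following added example (not part of the advisory or the kernel sources) parses kernel log text and flags WARNING records raised in ext4_evict_inode() through the iput() -> evict() path shown in the description. The sample log is constructed from the trace above with made-up timestamps, and the function names `parse_warnings` and `is_evict_warning` are hypothetical.

```python
import re

# Constructed sample: the advisory's trace in dmesg form (timestamps made up),
# followed by an unrelated, invented warning that must not match.
SAMPLE_LOG = """\
[  812.101] WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227 ext4_evict_inode+0x875/0xc60
[  812.102] RIP: 0010:ext4_evict_inode+0x875/0xc60
[  812.103] Call Trace:
[  812.104]  evict+0x11c/0x2b0
[  812.105]  iput+0x236/0x3a0
[  812.106]  do_unlinkat+0x1b4/0x490
[  812.107]  __x64_sys_unlinkat+0x4c/0xb0
[  900.001] WARNING: CPU: 2 PID: 40 at lib/example.c:10 example_fn+0x10/0x20
[  900.002] Call Trace:
[  900.003]  example_caller+0x5/0x30
"""

HEAD = re.compile(r"WARNING: CPU: (\d+) PID: (\d+) at (\S+):(\d+)\s+([\w.]+)\+0x")
# A reliable frame; lines starting with "?" are stack guesses and are skipped.
FRAME = re.compile(r"^(?:\[\s*\d+\.\d+\])?\s*([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")


def parse_warnings(text):
    """Split kernel log text into WARNING records with their call-trace frames."""
    records, cur, in_trace = [], None, False
    for line in text.splitlines():
        head = HEAD.search(line)
        if head:
            cur = {"cpu": int(head[1]), "pid": int(head[2]), "file": head[3],
                   "line": int(head[4]), "func": head[5], "frames": []}
            records.append(cur)
            in_trace = False
        elif cur and "Call Trace:" in line:
            in_trace = True
        elif cur and "end trace" in line:
            cur = None
        elif cur and in_trace:
            frame = FRAME.match(line)
            if frame:
                cur["frames"].append(frame[1])
    return records


def is_evict_warning(rec):
    """True for a WARNING raised in ext4_evict_inode() and reached through
    iput() -> evict(). The source line is ignored: it differs between builds."""
    return (rec["file"] == "fs/ext4/inode.c" and rec["func"] == "ext4_evict_inode"
            and rec["frames"][:2] == ["evict", "iput"])


if __name__ == "__main__":
    for rec in parse_warnings(SAMPLE_LOG):
        print(rec["pid"], rec["func"], is_evict_warning(rec))
```

The parser expects the faulting symbol on the same line as the WARNING header, as dmesg prints it; the description above shows that line wrapped.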



