{ "threat_severity" : "Low", "public_date" : "2025-12-24T00:00:00Z", "bugzilla" : { "description" : "kernel: io_uring/rw: defer fsnotify calls to task context", "id" : "2424993", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2424993" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-821", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nio_uring/rw: defer fsnotify calls to task context\nWe can't call these off the kiocb completion as that might be off\nsoft/hard irq context. Defer the calls to when we process the\ntask_work for this request. That avoids valid complaints like:\nstack backtrace:\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.0.0-rc6-syzkaller-00321-g105a36f3694e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_usage_bug kernel/locking/lockdep.c:3961 [inline]\nvalid_state kernel/locking/lockdep.c:3973 [inline]\nmark_lock_irq kernel/locking/lockdep.c:4176 [inline]\nmark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632\nmark_lock kernel/locking/lockdep.c:4596 [inline]\nmark_usage kernel/locking/lockdep.c:4527 [inline]\n__lock_acquire+0x11d9/0x56d0 kernel/locking/lockdep.c:5007\nlock_acquire kernel/locking/lockdep.c:5666 [inline]\nlock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631\n__fs_reclaim_acquire mm/page_alloc.c:4674 [inline]\nfs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4688\nmight_alloc include/linux/sched/mm.h:271 [inline]\nslab_pre_alloc_hook mm/slab.h:700 [inline]\nslab_alloc mm/slab.c:3278 [inline]\n__kmem_cache_alloc_lru mm/slab.c:3471 [inline]\nkmem_cache_alloc+0x39/0x520 mm/slab.c:3491\nfanotify_alloc_fid_event fs/notify/fanotify/fanotify.c:580 [inline]\nfanotify_alloc_event fs/notify/fanotify/fanotify.c:813 [inline]\nfanotify_handle_event+0x1130/0x3f40 fs/notify/fanotify/fanotify.c:948\nsend_to_group fs/notify/fsnotify.c:360 [inline]\nfsnotify+0xafb/0x1680 fs/notify/fsnotify.c:570\n__fsnotify_parent+0x62f/0xa60 fs/notify/fsnotify.c:230\nfsnotify_parent include/linux/fsnotify.h:77 [inline]\nfsnotify_file include/linux/fsnotify.h:99 [inline]\nfsnotify_access include/linux/fsnotify.h:309 [inline]\n__io_complete_rw_common+0x485/0x720 io_uring/rw.c:195\nio_complete_rw+0x1a/0x1f0 io_uring/rw.c:228\niomap_dio_complete_work fs/iomap/direct-io.c:144 [inline]\niomap_dio_bio_end_io+0x438/0x5e0 fs/iomap/direct-io.c:178\nbio_endio+0x5f9/0x780 block/bio.c:1564\nreq_bio_endio block/blk-mq.c:695 [inline]\nblk_update_request+0x3fc/0x1300 block/blk-mq.c:825\nscsi_end_request+0x7a/0x9a0 drivers/scsi/scsi_lib.c:541\nscsi_io_completion+0x173/0x1f70 drivers/scsi/scsi_lib.c:971\nscsi_complete+0x122/0x3b0 drivers/scsi/scsi_lib.c:1438\nblk_complete_reqs+0xad/0xe0 block/blk-mq.c:1022\n__do_softirq+0x1d3/0x9c6 kernel/softirq.c:571\ninvoke_softirq kernel/softirq.c:445 [inline]\n__irq_exit_rcu+0x123/0x180 kernel/softirq.c:650\nirq_exit_rcu+0x5/0x20 kernel/softirq.c:662\ncommon_interrupt+0xa9/0xc0 arch/x86/kernel/irq.c:240", "A locking context violation was found in the Linux kernel's io_uring subsystem. The fsnotify calls were being made directly from kiocb completion context, which can execute in soft or hard IRQ context. This causes lockdep warnings when fsnotify attempts memory allocation with GFP_KERNEL flags, which is not permitted in IRQ context. The fix defers fsnotify calls to task_work processing." ], "statement" : "This is primarily a lockdep/locking correctness issue rather than an exploitable security vulnerability. The fsnotify calls from IRQ context violate locking rules but the practical impact is limited to lockdep warnings under debug configurations. The memory allocation in IRQ context could theoretically cause issues under memory pressure, but would typically result in allocation failure rather than memory corruption.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50705\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50705\nhttps://lore.kernel.org/linux-cve-announce/2025122419-CVE-2022-50705-8196@gregkh/T" ], "name" : "CVE-2022-50705", "csaw" : false }