{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-50730", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-24T12:20:40.330Z", "datePublished": "2025-12-24T12:22:50.416Z", "dateUpdated": "2025-12-24T12:22:50.416Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-24T12:22:50.416Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: silence the warning when evicting inode with dioread_nolock\n\nWhen evicting an inode with default dioread_nolock, it could be raced by\nthe unwritten extents converting kworker after writeback some new\nallocated dirty blocks. It convert unwritten extents to written, the\nextents could be merged to upper level and free extent blocks, so it\ncould mark the inode dirty again even this inode has been marked\nI_FREEING. But the inode->i_io_list check and warning in\next4_evict_inode() missing this corner case. Fortunately,\next4_evict_inode() will wait all extents converting finished before this\ncheck, so it will not lead to inode use-after-free problem, every thing\nis OK besides this warning. The WARN_ON_ONCE was originally designed\nfor finding inode use-after-free issues in advance, but if we add\ncurrent dioread_nolock case in, it will become not quite useful, so fix\nthis warning by just remove this check.\n\n ======\n WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227\n ext4_evict_inode+0x875/0xc60\n ...\n RIP: 0010:ext4_evict_inode+0x875/0xc60\n ...\n Call Trace:\n <TASK>\n evict+0x11c/0x2b0\n iput+0x236/0x3a0\n do_unlinkat+0x1b4/0x490\n __x64_sys_unlinkat+0x4c/0xb0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n RIP: 0033:0x7fa933c1115b\n ======\n\nrm kworker\n ext4_end_io_end()\nvfs_unlink()\n ext4_unlink()\n ext4_convert_unwritten_io_end_vec()\n ext4_convert_unwritten_extents()\n ext4_map_blocks()\n ext4_ext_map_blocks()\n ext4_ext_try_to_merge_up()\n __mark_inode_dirty()\n check !I_FREEING\n locked_inode_to_wb_and_lock_list()\n iput()\n iput_final()\n evict()\n ext4_evict_inode()\n truncate_inode_pages_final() //wait release io_end\n inode_io_list_move_locked()\n ext4_release_io_end()\n trigger WARN_ON_ONCE()"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ext4/inode.c"], "versions": [{"version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84", "lessThan": "bdc698ce91f232fd5eb11d2373e9f82f687314b8", "status": "affected", "versionType": "git"}, {"version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84", "lessThan": "0d041b7251c13679a0f6c7926751ce1d8a7237c1", "status": "affected", "versionType": "git"}, {"version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84", "lessThan": "3b893cc9a8d8b4e486a6639f5e107b56b7197d2e", "status": "affected", "versionType": "git"}, {"version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84", "lessThan": "b085fb43feede48ebf80ab7e2dd150c8d9902932", "status": "affected", "versionType": "git"}, {"version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84", "lessThan": "bc12ac98ea2e1b70adc6478c8b473a0003b659d3", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ext4/inode.c"], "versions": [{"version": "5.8", "status": "affected"}, {"version": "0", "lessThan": "5.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.163", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.87", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.18", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.4", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.10.163"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.15.87"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.0.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.1.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/bdc698ce91f232fd5eb11d2373e9f82f687314b8"}, {"url": "https://git.kernel.org/stable/c/0d041b7251c13679a0f6c7926751ce1d8a7237c1"}, {"url": "https://git.kernel.org/stable/c/3b893cc9a8d8b4e486a6639f5e107b56b7197d2e"}, {"url": "https://git.kernel.org/stable/c/b085fb43feede48ebf80ab7e2dd150c8d9902932"}, {"url": "https://git.kernel.org/stable/c/bc12ac98ea2e1b70adc6478c8b473a0003b659d3"}], "title": "ext4: silence the warning when evicting inode with dioread_nolock", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: silence the warning when evicting inode with dioread_nolock\n\nWhen evicting an inode with default dioread_nolock, it could be raced by\nthe unwritten extents converting kworker after writeback some new\nallocated dirty blocks. It convert unwritten extents to written, the\nextents could be merged to upper level and free extent blocks, so it\ncould mark the inode dirty again even this inode has been marked\nI_FREEING. But the inode->i_io_list check and warning in\next4_evict_inode() missing this corner case. Fortunately,\next4_evict_inode() will wait all extents converting finished before this\ncheck, so it will not lead to inode use-after-free problem, every thing\nis OK besides this warning. The WARN_ON_ONCE was originally designed\nfor finding inode use-after-free issues in advance, but if we add\ncurrent dioread_nolock case in, it will become not quite useful, so fix\nthis warning by just remove this check.\n\n ======\n WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227\n ext4_evict_inode+0x875/0xc60\n ...\n RIP: 0010:ext4_evict_inode+0x875/0xc60\n ...\n Call Trace:\n <TASK>\n evict+0x11c/0x2b0\n iput+0x236/0x3a0\n do_unlinkat+0x1b4/0x490\n __x64_sys_unlinkat+0x4c/0xb0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n RIP: 0033:0x7fa933c1115b\n ======\n\nrm kworker\n ext4_end_io_end()\nvfs_unlink()\n ext4_unlink()\n ext4_convert_unwritten_io_end_vec()\n ext4_convert_unwritten_extents()\n ext4_map_blocks()\n ext4_ext_map_blocks()\n ext4_ext_try_to_merge_up()\n __mark_inode_dirty()\n check !I_FREEING\n locked_inode_to_wb_and_lock_list()\n iput()\n iput_final()\n evict()\n ext4_evict_inode()\n truncate_inode_pages_final() //wait release io_end\n inode_io_list_move_locked()\n ext4_release_io_end()\n trigger WARN_ON_ONCE()"}], "id": "CVE-2022-50730", "lastModified": "2025-12-24T13:15:59.667", "metrics": {}, "published": "2025-12-24T13:15:59.667", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0d041b7251c13679a0f6c7926751ce1d8a7237c1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3b893cc9a8d8b4e486a6639f5e107b56b7197d2e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b085fb43feede48ebf80ab7e2dd150c8d9902932"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bc12ac98ea2e1b70adc6478c8b473a0003b659d3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bdc698ce91f232fd5eb11d2373e9f82f687314b8"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}