CVE-2022-49465

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49465
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49465.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49465
Downstream
Related
Published
2025-02-26T02:13:10Z
Modified
2025-10-15T21:59:11.362686Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
blk-throttle: Set BIO_THROTTLED when bio has been throttled
Details

In the Linux kernel, the following vulnerability has been resolved:

blk-throttle: Set BIO_THROTTLED when bio has been throttled

1.In current process, all bio will set the BIOTHROTTLED flag after _blkthrotlbio().

2.If bio needs to be throttled, it will start the timer and stop submit bio directly. Bio will submit in blkthrotldispatchworkfn() when the timer expires.But in the current process, if bio is throttled. The BIO_THROTTLED will be set to bio after timer start. If the bio has been completed, it may cause use-after-free blow.

BUG: KASAN: use-after-free in blkthrotlbio+0x12f0/0x2c70 Read of size 2 at addr ffff88801b8902d4 by task fio/26380

dumpstack+0x9b/0xce printaddressdescription.constprop.6+0x3e/0x60 kasanreport.cold.9+0x22/0x3a blkthrotlbio+0x12f0/0x2c70 submitbiochecks+0x701/0x1550 submitbionoacct+0x83/0xc80 submitbio+0xa7/0x330 mpagereadahead+0x380/0x500 readpages+0x1c1/0xbf0 pagecacheraunbounded+0x471/0x6f0 dopagecachera+0xda/0x110 ondemandreadahead+0x442/0xae0 pagecacheasyncra+0x210/0x300 genericfilebufferedread+0x4d9/0x2130 genericfilereaditer+0x315/0x490 blkdevreaditer+0x113/0x1b0 aioread+0x2ad/0x450 iosubmitone+0xc8e/0x1d60 _sesysiosubmit+0x125/0x350 dosyscall64+0x2d/0x40 entrySYSCALL64afterhwframe+0x44/0xa9

Allocated by task 26380: kasansavestack+0x19/0x40 _kasankmalloc.constprop.2+0xc1/0xd0 kmemcachealloc+0x146/0x440 mempoolalloc+0x125/0x2f0 bioallocbioset+0x353/0x590 mpagealloc+0x3b/0x240 dompagereadpage+0xddf/0x1ef0 mpagereadahead+0x264/0x500 readpages+0x1c1/0xbf0 pagecacheraunbounded+0x471/0x6f0 dopagecachera+0xda/0x110 ondemandreadahead+0x442/0xae0 pagecacheasyncra+0x210/0x300 genericfilebufferedread+0x4d9/0x2130 genericfilereaditer+0x315/0x490 blkdevreaditer+0x113/0x1b0 aioread+0x2ad/0x450 iosubmitone+0xc8e/0x1d60 _sesysiosubmit+0x125/0x350 dosyscall64+0x2d/0x40 entrySYSCALL64after_hwframe+0x44/0xa9

Freed by task 0: kasansavestack+0x19/0x40 kasansettrack+0x1c/0x30 kasansetfreeinfo+0x1b/0x30 _kasanslabfree+0x111/0x160 kmemcachefree+0x94/0x460 mempoolfree+0xd6/0x320 biofree+0xe0/0x130 bioput+0xab/0xe0 bioendio+0x3a6/0x5d0 blkupdaterequest+0x590/0x1370 scsiendrequest+0x7d/0x400 scsiiocompletion+0x1aa/0xe50 scsisoftirqdone+0x11b/0x240 blkmqcompleterequest+0xd4/0x120 scsimqdone+0xf0/0x200 virtscsivqdone+0xbc/0x150 vringinterrupt+0x179/0x390 _handleirqeventpercpu+0xf7/0x490 handleirqeventpercpu+0x7b/0x160 handleirqevent+0xcc/0x170 handleedgeirq+0x215/0xb20 commoninterrupt+0x60/0x120 asmcommoninterrupt+0x1e/0x40

Fix this by move BIOTHROTTLED set into the queuelock.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2a0f61e6ecd08d260054bde4b096ff207ce5350f
Fixed
0cfc8a0fb07cde61915e4a77c4794c47de3114a4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2a0f61e6ecd08d260054bde4b096ff207ce5350f
Fixed
935fa666534d7b7185e8c6b0191cd06281be4290
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2a0f61e6ecd08d260054bde4b096ff207ce5350f
Fixed
5a011f889b4832aa80c2a872a5aade5c48d2756f

Affected versions

v3.*

v3.10
v3.10-rc2
v3.10-rc3
v3.10-rc4
v3.10-rc5
v3.10-rc6
v3.10-rc7
v3.11
v3.11-rc1
v3.11-rc2
v3.11-rc3
v3.11-rc4
v3.11-rc5
v3.11-rc6
v3.11-rc7
v3.12
v3.12-rc1
v3.12-rc2
v3.12-rc3
v3.12-rc4
v3.12-rc5
v3.12-rc6
v3.12-rc7
v3.13
v3.13-rc1
v3.13-rc2
v3.13-rc3
v3.13-rc4
v3.13-rc5
v3.13-rc6
v3.13-rc7
v3.13-rc8
v3.14
v3.14-rc1
v3.14-rc2
v3.14-rc3
v3.14-rc4
v3.14-rc5
v3.14-rc6
v3.14-rc7
v3.14-rc8
v3.15
v3.15-rc1
v3.15-rc2
v3.15-rc3
v3.15-rc4
v3.15-rc5
v3.15-rc6
v3.15-rc7
v3.15-rc8
v3.16
v3.16-rc1
v3.16-rc2
v3.16-rc3
v3.16-rc4
v3.16-rc5
v3.16-rc6
v3.16-rc7
v3.17
v3.17-rc1
v3.17-rc2
v3.17-rc3
v3.17-rc4
v3.17-rc5
v3.17-rc6
v3.17-rc7
v3.18
v3.18-rc1
v3.18-rc2
v3.18-rc3
v3.18-rc4
v3.18-rc5
v3.18-rc6
v3.18-rc7
v3.19
v3.19-rc1
v3.19-rc2
v3.19-rc3
v3.19-rc4
v3.19-rc5
v3.19-rc6
v3.19-rc7

v4.*

v4.0
v4.0-rc1
v4.0-rc2
v4.0-rc3
v4.0-rc4
v4.0-rc5
v4.0-rc6
v4.0-rc7
v4.1
v4.1-rc1
v4.1-rc2
v4.1-rc3
v4.1-rc4
v4.1-rc5
v4.1-rc6
v4.1-rc7
v4.1-rc8
v4.10
v4.10-rc1
v4.10-rc2
v4.10-rc3
v4.10-rc4
v4.10-rc5
v4.10-rc6
v4.10-rc7
v4.10-rc8
v4.11
v4.11-rc1
v4.11-rc2
v4.11-rc3
v4.11-rc4
v4.11-rc5
v4.11-rc6
v4.11-rc7
v4.11-rc8
v4.12
v4.12-rc1
v4.12-rc2
v4.12-rc3
v4.12-rc4
v4.12-rc5
v4.12-rc6
v4.12-rc7
v4.13
v4.13-rc1
v4.13-rc2
v4.13-rc3
v4.13-rc4
v4.13-rc5
v4.13-rc6
v4.13-rc7
v4.14
v4.14-rc1
v4.14-rc2
v4.14-rc3
v4.14-rc4
v4.14-rc5
v4.14-rc6
v4.14-rc7
v4.14-rc8
v4.15
v4.15-rc1
v4.15-rc2
v4.15-rc3
v4.15-rc4
v4.15-rc5
v4.15-rc6
v4.15-rc7
v4.15-rc8
v4.15-rc9
v4.16
v4.16-rc1
v4.16-rc2
v4.16-rc3
v4.16-rc4
v4.16-rc5
v4.16-rc6
v4.16-rc7
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.2
v4.2-rc1
v4.2-rc2
v4.2-rc3
v4.2-rc4
v4.2-rc5
v4.2-rc6
v4.2-rc7
v4.2-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7
v4.3
v4.3-rc1
v4.3-rc2
v4.3-rc3
v4.3-rc4
v4.3-rc5
v4.3-rc6
v4.3-rc7
v4.4
v4.4-rc1
v4.4-rc2
v4.4-rc3
v4.4-rc4
v4.4-rc5
v4.4-rc6
v4.4-rc7
v4.4-rc8
v4.5
v4.5-rc1
v4.5-rc2
v4.5-rc3
v4.5-rc4
v4.5-rc5
v4.5-rc6
v4.5-rc7
v4.6
v4.6-rc1
v4.6-rc2
v4.6-rc3
v4.6-rc4
v4.6-rc5
v4.6-rc6
v4.6-rc7
v4.7
v4.7-rc1
v4.7-rc2
v4.7-rc3
v4.7-rc4
v4.7-rc5
v4.7-rc6
v4.7-rc7
v4.8
v4.8-rc1
v4.8-rc2
v4.8-rc3
v4.8-rc4
v4.8-rc5
v4.8-rc6
v4.8-rc7
v4.8-rc8
v4.9
v4.9-rc1
v4.9-rc2
v4.9-rc3
v4.9-rc4
v4.9-rc5
v4.9-rc6
v4.9-rc7
v4.9-rc8

v5.*

v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1
v5.17.10
v5.17.11
v5.17.12
v5.17.13
v5.17.2
v5.17.3
v5.17.4
v5.17.5
v5.17.6
v5.17.7
v5.17.8
v5.17.9
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.18.1
v5.18.2
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.11.0
Fixed
5.17.14
Type
ECOSYSTEM
Events
Introduced
5.18.0
Fixed
5.18.3