CVE-2022-50488

Source
https://cve.org/CVERecord?id=CVE-2022-50488
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50488.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50488
Downstream
Related
Published
2025-10-04T15:43:42.352Z
Modified
2026-03-20T11:47:29.973292Z
Summary
block, bfq: fix possible uaf for 'bfqq->bic'
Details

In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix possible uaf for 'bfqq->bic'

Our test reports a uaf for 'bfqq->bic' in 5.10:

==================================================================
BUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30

CPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320160524-szxrtosci10000 04/01/2014
Call Trace:
 bfq_select_queue+0x378/0xa30
 bfq_dispatch_request+0xe8/0x130
 blk_mq_do_dispatch_sched+0x62/0xb0
 __blk_mq_sched_dispatch_requests+0x215/0x2a0
 blk_mq_sched_dispatch_requests+0x8f/0xd0
 __blk_mq_run_hw_queue+0x98/0x180
 __blk_mq_delay_run_hw_queue+0x22b/0x240
 blk_mq_run_hw_queue+0xe3/0x190
 blk_mq_sched_insert_requests+0x107/0x200
 blk_mq_flush_plug_list+0x26e/0x3c0
 blk_finish_plug+0x63/0x90
 __iomap_dio_rw+0x7b5/0x910
 iomap_dio_rw+0x36/0x80
 ext4_dio_read_iter+0x146/0x190 [ext4]
 ext4_file_read_iter+0x1e2/0x230 [ext4]
 new_sync_read+0x29f/0x400
 vfs_read+0x24e/0x2d0
 ksys_read+0xd5/0x1b0
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x61/0xc6

Commit 3bc5e683c67d ("bfq: Split shared queues on move between cgroups") changed things so that moving a process to a new cgroup will allocate a new bfqq to use; however, the old bfqq and the new bfqq can point to the same bic:

1) Initial state, two processes with io in the same cgroup.

   Process 1       Process 2
    (BIC1)          (BIC2)
     |  Λ            |  Λ
     |  |            |  |
     V  |            V  |
      bfqq1           bfqq2

2) bfqq1 is merged to bfqq2.

   Process 1       Process 2
    (BIC1)          (BIC2)
     |               |
      \-------------\|
                     V
      bfqq1           bfqq2(coop)

3) Process 1 exits, then issue new io (denote IOA) from Process 2.

    (BIC2)
     |  Λ
     |  |
     V  |
      bfqq2(coop)

4) Before IOA is completed, move Process 2 to another cgroup and issue io.

   Process 2
    (BIC2)
      Λ
      |--------------\
      |               V
      bfqq2           bfqq3

Now BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2. If all the requests are completed and Process 2 exits, BIC2 will be freed, while there is no guarantee that bfqq2 will be freed before BIC2.

Fix the problem by clearing bfqq->bic while bfqq is detached from bic.
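The dangling back-pointer described in steps 3 and 4, as an added illustration in C. This is not the kernel's bfq code and not part of the CVE record: the types toy_bic and toy_bfqq and the helpers bfqq_alloc, detach_buggy, detach_fixed, bic_free, bfqq_put, select_queue and run_scenario are invented here, and a "freed" flag stands in for KASAN's shadow memory so the stale read is reported rather than being undefined behaviour. run_scenario(0) detaches the way the buggy code did and reports the use-after-free; run_scenario(1) clears bfqq->bic on detach, as the fix describes, and the later dispatch finds no bic to dereference.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy model of the bic <-> bfqq back-pointers from the commit message.
 * Added illustration, not the kernel's bfq code: every name below is
 * invented for this example. The "freed" flags stand in for KASAN.
 */

struct toy_bfqq;

struct toy_bic {
    struct toy_bfqq *bfqq;   /* queue this process currently issues I/O to */
    int freed;               /* set by bic_free(): the object is gone */
};

struct toy_bfqq {
    struct toy_bic *bic;     /* back-pointer to the owning bic: the hazard */
    int ref;                 /* in-flight requests keep the queue alive */
    int freed;
};

static struct toy_bfqq *bfqq_alloc(struct toy_bic *bic)
{
    struct toy_bfqq *q = calloc(1, sizeof *q);
    q->bic = bic;
    bic->bfqq = q;
    return q;
}

/* Pre-fix behaviour: the bic drops the queue, but the queue keeps the bic. */
static void detach_buggy(struct toy_bic *bic)
{
    bic->bfqq = NULL;
}

/* The fix described above: clear bfqq->bic when the queue is detached. */
static void detach_fixed(struct toy_bic *bic)
{
    if (bic->bfqq)
        bic->bfqq->bic = NULL;
    bic->bfqq = NULL;
}

static void bic_free(struct toy_bic *bic)
{
    bic->freed = 1;          /* memory "returned"; later reads are UAFs */
}

static void bfqq_put(struct toy_bfqq *q)
{
    if (--q->ref == 0)
        q->freed = 1;
}

/* Dispatch-time look at bfqq->bic (the access bfq_select_queue makes in the
 * trace). Returns 1 if it touched a freed bic, 0 otherwise. */
static int select_queue(const struct toy_bfqq *q)
{
    if (q->bic == NULL)
        return 0;
    return q->bic->freed;    /* with the bug, q->bic dangles here */
}

/* Replays steps 3 and 4; fixed=1 uses the corrected detach. */
int run_scenario(int fixed)
{
    struct toy_bic *bic2 = calloc(1, sizeof *bic2);
    struct toy_bfqq *bfqq2 = bfqq_alloc(bic2);
    struct toy_bfqq *bfqq3;
    int uaf;

    bfqq2->ref = 1;          /* step 3: IOA issued on bfqq2, still in flight */

    /* step 4: move Process 2 to another cgroup, issue I/O on a new bfqq3 */
    if (fixed)
        detach_fixed(bic2);
    else
        detach_buggy(bic2);
    bfqq3 = bfqq_alloc(bic2);
    bfqq3->ref = 1;

    /* Process 2 exits: its bic is freed and bfqq3 released with it, but
     * bfqq2 outlives both because IOA has not completed yet. */
    bfqq_put(bfqq3);
    bic_free(bic2);

    /* The scheduler dispatches IOA from bfqq2 and consults bfqq2->bic. */
    uaf = select_queue(bfqq2);

    bfqq_put(bfqq2);         /* IOA completes */
    free(bfqq3);
    free(bfqq2);
    free(bic2);
    return uaf;
}

int main(void)
{
    printf("buggy detach: uaf=%d\n", run_scenario(0));
    printf("fixed detach: uaf=%d\n", run_scenario(1));
    return 0;
}
```

The point the model makes is the one the commit draws: the bic's lifetime is tied to the process, the bfqq's lifetime is tied to outstanding requests, and a one-way clear on detach leaves the longer-lived object holding a pointer into the shorter-lived one. Clearing both directions at the moment of detachment is what removes the window.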

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50488.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges (Type: GIT; Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git for all four ranges)

Range 1
  Introduced: 4dfc12f8c94c8052e975060f595938f75e8b7165
  Fixed: 5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a

Range 2
  Introduced: 81b7d0c717a487ec50e2924a773ff501ee40f0d5
  Fixed: 094f3d9314d67691cb21ba091c1b528f6e3c4893

Range 3
  Introduced: 3bc5e683c67d94bd839a1da2e796c15847b51b69
  Fixed: b22fd72bfebda3956efc4431b60ddfc0a51e03e0
  Fixed: 761564d93c8265f65543acf0a576b32d66bfa26a
  Fixed: 64dc8c732f5c2b406cc752e6aaa1bd5471159cab

Range 4
  Introduced: 0 (unknown introduced commit / all previous commits are affected)
  Last affected: 31326bf551269fb9bafa84ca99172b8340e5d8f8
  Last affected: 43c51b86dbe551cff5d39b88aa2f41d29479f9c4
  Last affected: 8615f6c0c9e7cf0ca90b6b5408784d797cbe5621

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50488.json"