CVE-2022-50488

HIGH

Linux Kernel 5.4.198-5.4.x - Use-After-Free in BFQ Scheduler via bfqq->bic Reference

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix possible uaf for 'bfqq->bic' Our test report a uaf for 'bfqq->bic' in 5.10: ================================================================== BUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30 CPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014 Call Trace: bfq_select_queue+0x378/0xa30 bfq_dispatch_request+0xe8/0x130 blk_mq_do_dispatch_sched+0x62/0xb0 __blk_mq_sched_dispatch_requests+0x215/0x2a0 blk_mq_sched_dispatch_requests+0x8f/0xd0 __blk_mq_run_hw_queue+0x98/0x180 __blk_mq_delay_run_hw_queue+0x22b/0x240 blk_mq_run_hw_queue+0xe3/0x190 blk_mq_sched_insert_requests+0x107/0x200 blk_mq_flush_plug_list+0x26e/0x3c0 blk_finish_plug+0x63/0x90 __iomap_dio_rw+0x7b5/0x910 iomap_dio_rw+0x36/0x80 ext4_dio_read_iter+0x146/0x190 [ext4] ext4_file_read_iter+0x1e2/0x230 [ext4] new_sync_read+0x29f/0x400 vfs_read+0x24e/0x2d0 ksys_read+0xd5/0x1b0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x61/0xc6 Commit 3bc5e683c67d ("bfq: Split shared queues on move between cgroups") changes that move process to a new cgroup will allocate a new bfqq to use, however, the old bfqq and new bfqq can point to the same bic: 1) Initial state, two process with io in the same cgroup. Process 1 Process 2 (BIC1) (BIC2) | Λ | Λ | | | | V | V | bfqq1 bfqq2 2) bfqq1 is merged to bfqq2. Process 1 Process 2 (BIC1) (BIC2) | | \-------------\| V bfqq1 bfqq2(coop) 3) Process 1 exit, then issue new io(denoce IOA) from Process 2. (BIC2) | Λ | | V | bfqq2(coop) 4) Before IOA is completed, move Process 2 to another cgroup and issue io. Process 2 (BIC2) Λ |\--------------\ | V bfqq2 bfqq3 Now that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2. If all the requests are completed, and Process 2 exit, BIC2 will be freed while there is no guarantee that bfqq2 will be freed before BIC2. Fix the problem by clearing bfqq->bic while bfqq is detached from bic.

References (5)

Core 5

Core References

Patch

https://git.kernel.org/stable/c/5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a

Patch

https://git.kernel.org/stable/c/094f3d9314d67691cb21ba091c1b528f6e3c4893

Patch

https://git.kernel.org/stable/c/b22fd72bfebda3956efc4431b60ddfc0a51e03e0

Patch

https://git.kernel.org/stable/c/761564d93c8265f65543acf0a576b32d66bfa26a

Patch

https://git.kernel.org/stable/c/64dc8c732f5c2b406cc752e6aaa1bd5471159cab

Scores

CVSS v3 7.8

EPSS 0.0015

EPSS Percentile 4.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-416

Status published

Products (21)

Linux/Linux < 5.19

Linux/Linux 31326bf551269fb9bafa84ca99172b8340e5d8f8

Linux/Linux 3bc5e683c67d94bd839a1da2e796c15847b51b69 - 64dc8c732f5c2b406cc752e6aaa1bd5471159cab

Linux/Linux 3bc5e683c67d94bd839a1da2e796c15847b51b69 - 761564d93c8265f65543acf0a576b32d66bfa26a

Linux/Linux 3bc5e683c67d94bd839a1da2e796c15847b51b69 - b22fd72bfebda3956efc4431b60ddfc0a51e03e0

Linux/Linux 43c51b86dbe551cff5d39b88aa2f41d29479f9c4

Linux/Linux 4dfc12f8c94c8052e975060f595938f75e8b7165 - 5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a

Linux/Linux 5.10.121 - 5.10.175

Linux/Linux 5.10.175 - 5.10.*

Linux/Linux 5.15.46 - 5.15.86

... and 11 more

Published Oct 04, 2025

Tracked Since Feb 18, 2026