{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49266","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T01:49:39.297Z","datePublished":"2025-02-26T01:56:15.709Z","dateUpdated":"2025-08-28T14:42:36.939Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-08-28T14:42:36.939Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix rq-qos breakage from skipping rq_qos_done_bio()\n\na647a524a467 (\"block: don't call rq_qos_ops->done_bio if the bio isn't\ntracked\") made bio_endio() skip rq_qos_done_bio() if BIO_TRACKED is not set.\nWhile this fixed a potential oops, it also broke blk-iocost by skipping the\ndone_bio callback for merged bios.\n\nBefore, whether a bio goes through rq_qos_throttle() or rq_qos_merge(),\nrq_qos_done_bio() would be called on the bio on completion with BIO_TRACKED\ndistinguishing the former from the latter. rq_qos_done_bio() is not called\nfor bios which wenth through rq_qos_merge(). This royally confuses\nblk-iocost as the merged bios never finish and are considered perpetually\nin-flight.\n\nOne reliably reproducible failure mode is an intermediate cgroup geting\nstuck active preventing its children from being activated due to the\nleaf-only rule, leading to loss of control. The following is from\nresctl-bench protection scenario which emulates isolating a web server like\nworkload from a memory bomb run on an iocost configuration which should\nyield a reasonable level of protection.\n\n  # cat /sys/block/nvme2n1/device/model\n  Samsung SSD 970 PRO 512GB\n  # cat /sys/fs/cgroup/io.cost.model\n  259:0 ctrl=user model=linear rbps=834913556 rseqiops=93622 rrandiops=102913 wbps=618985353 wseqiops=72325 wrandiops=71025\n  # cat /sys/fs/cgroup/io.cost.qos\n  259:0 enable=1 ctrl=user rpct=95.00 rlat=18776 wpct=95.00 wlat=8897 min=60.00 max=100.00\n  # resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1\n  ...\n  Memory Hog Summary\n  ==================\n\n  IO Latency: R p50=242u:336u/2.5m p90=794u:1.4m/7.5m p99=2.7m:8.0m/62.5m max=8.0m:36.4m/350m\n              W p50=221u:323u/1.5m p90=709u:1.2m/5.5m p99=1.5m:2.5m/9.5m max=6.9m:35.9m/350m\n\n  Isolation and Request Latency Impact Distributions:\n\n                min   p01   p05   p10   p25   p50   p75   p90   p95   p99   max  mean stdev\n  isol%       15.90 15.90 15.90 40.05 57.24 59.07 60.01 74.63 74.63 90.35 90.35 58.12 15.82\n  lat-imp%        0     0     0     0     0  4.55 14.68 15.54 233.5 548.1 548.1 53.88 143.6\n\n  Result: isol=58.12:15.82% lat_imp=53.88%:143.6 work_csv=100.0% missing=3.96%\n\nThe isolation result of 58.12% is close to what this device would show\nwithout any IO control.\n\nFix it by introducing a new flag BIO_QOS_MERGED to mark merged bios and\ncalling rq_qos_done_bio() on them too. For consistency and clarity, rename\nBIO_TRACKED to BIO_QOS_THROTTLED. The flag checks are moved into\nrq_qos_done_bio() so that it's next to the code paths that set the flags.\n\nWith the patch applied, the above same benchmark shows:\n\n  # resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1\n  ...\n  Memory Hog Summary\n  ==================\n\n  IO Latency: R p50=123u:84.4u/985u p90=322u:256u/2.5m p99=1.6m:1.4m/9.5m max=11.1m:36.0m/350m\n              W p50=429u:274u/995u p90=1.7m:1.3m/4.5m p99=3.4m:2.7m/11.5m max=7.9m:5.9m/26.5m\n\n  Isolation and Request Latency Impact Distributions:\n\n                min   p01   p05   p10   p25   p50   p75   p90   p95   p99   max  mean stdev\n  isol%       84.91 84.91 89.51 90.73 92.31 94.49 96.36 98.04 98.71 100.0 100.0 94.42  2.81\n  lat-imp%        0     0     0     0     0  2.81  5.73 11.11 13.92 17.53 22.61  4.10  4.68\n\n  Result: isol=94.42:2.81% lat_imp=4.10%:4.68 work_csv=58.34% missing=0%"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["block/bio.c","block/blk-iolatency.c","block/blk-rq-qos.h","include/linux/blk_types.h"],"versions":[{"version":"a647a524a46736786c95cdb553a070322ca096e3","lessThan":"af9452dfdba4bf7359ef7645eee2d243a1df0649","status":"affected","versionType":"git"},{"version":"a647a524a46736786c95cdb553a070322ca096e3","lessThan":"dbd20bb904ad5731aaca8d009367a930d6ada111","status":"affected","versionType":"git"},{"version":"a647a524a46736786c95cdb553a070322ca096e3","lessThan":"09737db4c891eba25e6f6383a7c38afd4acc883f","status":"affected","versionType":"git"},{"version":"a647a524a46736786c95cdb553a070322ca096e3","lessThan":"aa1b46dcdc7baaf5fec0be25782ef24b26aa209e","status":"affected","versionType":"git"},{"version":"db60edbfff332a6a5477c367af8125f034570989","status":"affected","versionType":"git"},{"version":"004b8f8a691205a93d9e80d98b786b2b97424d6e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["block/bio.c","block/blk-iolatency.c","block/blk-rq-qos.h","include/linux/blk_types.h"],"versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","status":"unaffected","versionType":"semver"},{"version":"5.15.54","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16.19","lessThanOrEqual":"5.16.*","status":"unaffected","versionType":"semver"},{"version":"5.17.2","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.15.54"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.16.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.17.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.18"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.241"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14.11"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/af9452dfdba4bf7359ef7645eee2d243a1df0649"},{"url":"https://git.kernel.org/stable/c/dbd20bb904ad5731aaca8d009367a930d6ada111"},{"url":"https://git.kernel.org/stable/c/09737db4c891eba25e6f6383a7c38afd4acc883f"},{"url":"https://git.kernel.org/stable/c/aa1b46dcdc7baaf5fec0be25782ef24b26aa209e"}],"title":"block: fix rq-qos breakage from skipping rq_qos_done_bio()","x_generator":{"engine":"bippy-1.2.0"}}}}