{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50488","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-10-04T15:13:33.468Z","datePublished":"2025-10-04T15:43:42.352Z","dateUpdated":"2026-05-11T19:20:26.632Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:20:26.632Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible uaf for 'bfqq->bic'\n\nOur test report a uaf for 'bfqq->bic' in 5.10:\n\n==================================================================\nBUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30\n\nCPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014\nCall Trace:\n bfq_select_queue+0x378/0xa30\n bfq_dispatch_request+0xe8/0x130\n blk_mq_do_dispatch_sched+0x62/0xb0\n __blk_mq_sched_dispatch_requests+0x215/0x2a0\n blk_mq_sched_dispatch_requests+0x8f/0xd0\n __blk_mq_run_hw_queue+0x98/0x180\n __blk_mq_delay_run_hw_queue+0x22b/0x240\n blk_mq_run_hw_queue+0xe3/0x190\n blk_mq_sched_insert_requests+0x107/0x200\n blk_mq_flush_plug_list+0x26e/0x3c0\n blk_finish_plug+0x63/0x90\n __iomap_dio_rw+0x7b5/0x910\n iomap_dio_rw+0x36/0x80\n ext4_dio_read_iter+0x146/0x190 [ext4]\n ext4_file_read_iter+0x1e2/0x230 [ext4]\n new_sync_read+0x29f/0x400\n vfs_read+0x24e/0x2d0\n ksys_read+0xd5/0x1b0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nCommit 3bc5e683c67d (\"bfq: Split shared queues on move between cgroups\")\nchanges that move process to a new cgroup will allocate a new bfqq to\nuse, however, the old bfqq and new bfqq can point to the same bic:\n\n1) Initial state, two process with io in the same cgroup.\n\nProcess 1       Process 2\n (BIC1)          (BIC2)\n  |  Λ            |  Λ\n  |  |            |  |\n  V  |            V  |\n  bfqq1           bfqq2\n\n2) bfqq1 is merged to bfqq2.\n\nProcess 1       Process 2\n (BIC1)          (BIC2)\n  |               |\n   \\-------------\\|\n                  V\n  bfqq1           bfqq2(coop)\n\n3) Process 1 exit, then issue new io(denoce IOA) from Process 2.\n\n (BIC2)\n  |  Λ\n  |  |\n  V  |\n  bfqq2(coop)\n\n4) Before IOA is completed, move Process 2 to another cgroup and issue io.\n\nProcess 2\n (BIC2)\n   Λ\n   |\\--------------\\\n   |                V\n  bfqq2           bfqq3\n\nNow that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.\nIf all the requests are completed, and Process 2 exit, BIC2 will be\nfreed while there is no guarantee that bfqq2 will be freed before BIC2.\n\nFix the problem by clearing bfqq->bic while bfqq is detached from bic."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["block/bfq-iosched.c"],"versions":[{"version":"4dfc12f8c94c8052e975060f595938f75e8b7165","lessThan":"5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a","status":"affected","versionType":"git"},{"version":"81b7d0c717a487ec50e2924a773ff501ee40f0d5","lessThan":"094f3d9314d67691cb21ba091c1b528f6e3c4893","status":"affected","versionType":"git"},{"version":"3bc5e683c67d94bd839a1da2e796c15847b51b69","lessThan":"b22fd72bfebda3956efc4431b60ddfc0a51e03e0","status":"affected","versionType":"git"},{"version":"3bc5e683c67d94bd839a1da2e796c15847b51b69","lessThan":"761564d93c8265f65543acf0a576b32d66bfa26a","status":"affected","versionType":"git"},{"version":"3bc5e683c67d94bd839a1da2e796c15847b51b69","lessThan":"64dc8c732f5c2b406cc752e6aaa1bd5471159cab","status":"affected","versionType":"git"},{"version":"31326bf551269fb9bafa84ca99172b8340e5d8f8","status":"affected","versionType":"git"},{"version":"43c51b86dbe551cff5d39b88aa2f41d29479f9c4","status":"affected","versionType":"git"},{"version":"8615f6c0c9e7cf0ca90b6b5408784d797cbe5621","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["block/bfq-iosched.c"],"versions":[{"version":"5.19","status":"affected"},{"version":"0","lessThan":"5.19","status":"unaffected","versionType":"semver"},{"version":"5.10.175","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.86","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.16","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1.2","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.121","versionEndExcluding":"5.10.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.46","versionEndExcluding":"5.15.86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.0.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.1.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.198"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18.3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a"},{"url":"https://git.kernel.org/stable/c/094f3d9314d67691cb21ba091c1b528f6e3c4893"},{"url":"https://git.kernel.org/stable/c/b22fd72bfebda3956efc4431b60ddfc0a51e03e0"},{"url":"https://git.kernel.org/stable/c/761564d93c8265f65543acf0a576b32d66bfa26a"},{"url":"https://git.kernel.org/stable/c/64dc8c732f5c2b406cc752e6aaa1bd5471159cab"}],"title":"block, bfq: fix possible uaf for 'bfqq->bic'","x_generator":{"engine":"bippy-1.2.0"}}}}