{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50782","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-24T13:02:21.548Z","datePublished":"2025-12-24T13:06:09.914Z","dateUpdated":"2026-05-11T19:25:26.436Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:25:26.436Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on in __es_tree_search caused by bad quota inode\n\nWe got a issue as fllows:\n==================================================================\n kernel BUG at fs/ext4/extents_status.c:202!\n invalid opcode: 0000 [#1] PREEMPT SMP\n CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352\n RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0\n RSP: 0018:ffffc90001227900 EFLAGS: 00010202\n RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8\n RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001\n R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10\n R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000\n FS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <TASK>\n  ext4_es_cache_extent+0xe2/0x210\n  ext4_cache_extents+0xd2/0x110\n  ext4_find_extent+0x5d5/0x8c0\n  ext4_ext_map_blocks+0x9c/0x1d30\n  ext4_map_blocks+0x431/0xa50\n  ext4_getblk+0x82/0x340\n  ext4_bread+0x14/0x110\n  ext4_quota_read+0xf0/0x180\n  v2_read_header+0x24/0x90\n  v2_check_quota_file+0x2f/0xa0\n  dquot_load_quota_sb+0x26c/0x760\n  dquot_load_quota_inode+0xa5/0x190\n  ext4_enable_quotas+0x14c/0x300\n  __ext4_fill_super+0x31cc/0x32c0\n  ext4_fill_super+0x115/0x2d0\n  get_tree_bdev+0x1d2/0x360\n  ext4_get_tree+0x19/0x30\n  vfs_get_tree+0x26/0xe0\n  path_mount+0x81d/0xfc0\n  do_mount+0x8d/0xc0\n  __x64_sys_mount+0xc0/0x160\n  do_syscall_64+0x35/0x80\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  </TASK>\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\n ext4_orphan_cleanup\n  ext4_enable_quotas\n   ext4_quota_enable\n    ext4_iget --> get error inode <5>\n     ext4_ext_check_inode --> Wrong imode makes it escape inspection\n     make_bad_inode(inode) --> EXT4_BOOT_LOADER_INO set imode\n    dquot_load_quota_inode\n     vfs_setup_quota_inode --> check pass\n     dquot_load_quota_sb\n      v2_check_quota_file\n       v2_read_header\n        ext4_quota_read\n         ext4_bread\n          ext4_getblk\n           ext4_map_blocks\n            ext4_ext_map_blocks\n             ext4_find_extent\n              ext4_cache_extents\n               ext4_es_cache_extent\n                __es_tree_search.isra.0\n                 ext4_es_end --> Wrong extents trigger BUG_ON\n\nIn the above issue, s_usr_quota_inum is set to 5, but inode<5> contains\nincorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO,\nthe ext4_ext_check_inode check in the ext4_iget function can be bypassed,\nfinally, the extents that are not checked trigger the BUG_ON in the\n__es_tree_search function. To solve this issue, check whether the inode is\nbad_inode in vfs_setup_quota_inode()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/quota/dquot.c"],"versions":[{"version":"393d1d1d76933886d5e1ce603214c9987589c6d5","lessThan":"fb1d3b4107b4837b4a0dbbf01954269bd6acfdc3","status":"affected","versionType":"git"},{"version":"393d1d1d76933886d5e1ce603214c9987589c6d5","lessThan":"1d5524832ff204b8a8cd54ae1628b2122f6e9a8d","status":"affected","versionType":"git"},{"version":"393d1d1d76933886d5e1ce603214c9987589c6d5","lessThan":"98004f926d27eaccdd2d336b7916a42e07392da1","status":"affected","versionType":"git"},{"version":"393d1d1d76933886d5e1ce603214c9987589c6d5","lessThan":"0dcbf4dc3d54aab5990952cfd832042fb300dbe3","status":"affected","versionType":"git"},{"version":"393d1d1d76933886d5e1ce603214c9987589c6d5","lessThan":"794c9175db1f2e5d2a28c326f10bd024dbd944f8","status":"affected","versionType":"git"},{"version":"393d1d1d76933886d5e1ce603214c9987589c6d5","lessThan":"1daff79463d7d76096c84c57cddc30c5d4be2226","status":"affected","versionType":"git"},{"version":"393d1d1d76933886d5e1ce603214c9987589c6d5","lessThan":"d323877484765aaacbb2769b06e355c2041ed115","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/quota/dquot.c"],"versions":[{"version":"3.10","status":"affected"},{"version":"0","lessThan":"3.10","status":"unaffected","versionType":"semver"},{"version":"4.19.270","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.229","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.163","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.87","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.18","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1.4","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"4.19.270"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"5.4.229"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"5.10.163"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"5.15.87"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.0.18"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.1.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/fb1d3b4107b4837b4a0dbbf01954269bd6acfdc3"},{"url":"https://git.kernel.org/stable/c/1d5524832ff204b8a8cd54ae1628b2122f6e9a8d"},{"url":"https://git.kernel.org/stable/c/98004f926d27eaccdd2d336b7916a42e07392da1"},{"url":"https://git.kernel.org/stable/c/0dcbf4dc3d54aab5990952cfd832042fb300dbe3"},{"url":"https://git.kernel.org/stable/c/794c9175db1f2e5d2a28c326f10bd024dbd944f8"},{"url":"https://git.kernel.org/stable/c/1daff79463d7d76096c84c57cddc30c5d4be2226"},{"url":"https://git.kernel.org/stable/c/d323877484765aaacbb2769b06e355c2041ed115"}],"title":"ext4: fix bug_on in __es_tree_search caused by bad quota inode","x_generator":{"engine":"bippy-1.2.0"}}}}