{"id":"CVE-2022-50381","summary":"md: fix a crash in mempool_free","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix a crash in mempool_free\n\nThere's a crash in mempool_free when running the lvm test\nshell/lvchange-rebuild-raid.sh.\n\nThe reason for the crash is this:\n* super_written calls atomic_dec_and_test(&mddev-\u003epending_writes) and\n  wake_up(&mddev-\u003esb_wait). Then it calls rdev_dec_pending(rdev, mddev)\n  and bio_put(bio).\n* so, the process that waited on sb_wait and that is woken up is racing\n  with bio_put(bio).\n* if the process wins the race, it calls bioset_exit before bio_put(bio)\n  is executed.\n* bio_put(bio) attempts to free a bio into a destroyed bio set - causing\n  a crash in mempool_free.\n\nWe fix this bug by moving bio_put before atomic_dec_and_test.\n\nWe also move rdev_dec_pending before atomic_dec_and_test as suggested by\nNeil Brown.\n\nThe function md_end_flush has a similar bug - we must call bio_put before\nwe decrement the number of in-progress bios.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 11557f0067 P4D 11557f0067 PUD 0\n Oops: 0002 [#1] PREEMPT SMP\n CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 6.1.0-rc3 #5\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\n Workqueue: kdelayd flush_expired_bios [dm_delay]\n RIP: 0010:mempool_free+0x47/0x80\n Code: 48 89 ef 5b 5d ff e0 f3 c3 48 89 f7 e8 32 45 3f 00 48 63 53 08 48 89 c6 3b 53 04 7d 2d 48 8b 43 10 8d 4a 01 48 89 df 89 4b 08 \u003c48\u003e 89 2c d0 e8 b0 45 3f 00 48 8d 7b 30 5b 5d 31 c9 ba 01 00 00 00\n RSP: 0018:ffff88910036bda8 EFLAGS: 00010093\n RAX: 0000000000000000 RBX: ffff8891037b65d8 RCX: 0000000000000001\n RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff8891037b65d8\n RBP: ffff8891447ba240 R08: 0000000000012908 R09: 00000000003d0900\n R10: 0000000000000000 R11: 0000000000173544 R12: ffff889101a14000\n R13: ffff8891562ac300 R14: ffff889102b41440 R15: ffffe8ffffa00d05\n FS:  0000000000000000(0000) GS:ffff88942fa00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000001102e99000 CR4: 00000000000006b0\n Call Trace:\n  \u003cTASK\u003e\n  clone_endio+0xf4/0x1c0 [dm_mod]\n  clone_endio+0xf4/0x1c0 [dm_mod]\n  __submit_bio+0x76/0x120\n  submit_bio_noacct_nocheck+0xb6/0x2a0\n  flush_expired_bios+0x28/0x2f [dm_delay]\n  process_one_work+0x1b4/0x300\n  worker_thread+0x45/0x3e0\n  ? rescuer_thread+0x380/0x380\n  kthread+0xc2/0x100\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x1f/0x30\n  \u003c/TASK\u003e\n Modules linked in: brd dm_delay dm_raid dm_mod af_packet uvesafb cfbfillrect cfbimgblt cn cfbcopyarea fb font fbdev tun autofs4 binfmt_misc configfs ipv6 virtio_rng virtio_balloon rng_core virtio_net pcspkr net_failover failover qemu_fw_cfg button mousedev raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq raid6_pq async_xor xor async_tx raid1 raid0 md_mod sd_mod t10_pi crc64_rocksoft crc64 virtio_scsi scsi_mod evdev psmouse bsg scsi_common [last unloaded: brd]\n CR2: 0000000000000000\n ---[ end trace 0000000000000000 ]---","modified":"2026-04-02T08:28:27.791113Z","published":"2025-09-18T13:33:03.439Z","related":["SUSE-SU-2025:03613-1","SUSE-SU-2025:03614-1","SUSE-SU-2025:03615-1","SUSE-SU-2025:03626-1","SUSE-SU-2025:03628-1","SUSE-SU-2025:3716-1","SUSE-SU-2025:3761-1","SUSE-SU-2025:4315-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50381.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/341097ee53573e06ab9fc675d96a052385b851fa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/384ef33d37cefb2ac539d44597d03f06c9b8975c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/732cd66ec19a17f2b9183d7d5b7bdb9c39b0776e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/842f222fc42a9239831e15b1fd49a51c546902cb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/91bd504128a51776472445070e11a3b0f9348c90"},{"type":"WEB","url":"https://git.kernel.org/stable/c/97ce99984be12b9acb49ddce0f5d8ebb037adbb6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ae7793027766491c5f8635b12d15a5940d3b8698"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b5be563b4356b3089b3245d024cae3f248ba7090"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cf06b162f5b6337b688072a1a47941280b8f7110"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50381.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50381"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f8b58edf3acf0dcc186b8330939000ecf709368a"},{"fixed":"732cd66ec19a17f2b9183d7d5b7bdb9c39b0776e"},{"fixed":"cf06b162f5b6337b688072a1a47941280b8f7110"},{"fixed":"b5be563b4356b3089b3245d024cae3f248ba7090"},{"fixed":"384ef33d37cefb2ac539d44597d03f06c9b8975c"},{"fixed":"ae7793027766491c5f8635b12d15a5940d3b8698"},{"fixed":"91bd504128a51776472445070e11a3b0f9348c90"},{"fixed":"842f222fc42a9239831e15b1fd49a51c546902cb"},{"fixed":"97ce99984be12b9acb49ddce0f5d8ebb037adbb6"},{"fixed":"341097ee53573e06ab9fc675d96a052385b851fa"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50381.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}