{"id":"CVE-2022-50782","summary":"ext4: fix bug_on in __es_tree_search caused by bad quota inode","details":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on in __es_tree_search caused by bad quota inode\n\nWe got a issue as fllows:\n==================================================================\n kernel BUG at fs/ext4/extents_status.c:202!\n invalid opcode: 0000 [#1] PREEMPT SMP\n CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352\n RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0\n RSP: 0018:ffffc90001227900 EFLAGS: 00010202\n RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8\n RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001\n R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10\n R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000\n FS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  \u003cTASK\u003e\n  ext4_es_cache_extent+0xe2/0x210\n  ext4_cache_extents+0xd2/0x110\n  ext4_find_extent+0x5d5/0x8c0\n  ext4_ext_map_blocks+0x9c/0x1d30\n  ext4_map_blocks+0x431/0xa50\n  ext4_getblk+0x82/0x340\n  ext4_bread+0x14/0x110\n  ext4_quota_read+0xf0/0x180\n  v2_read_header+0x24/0x90\n  v2_check_quota_file+0x2f/0xa0\n  dquot_load_quota_sb+0x26c/0x760\n  dquot_load_quota_inode+0xa5/0x190\n  ext4_enable_quotas+0x14c/0x300\n  __ext4_fill_super+0x31cc/0x32c0\n  ext4_fill_super+0x115/0x2d0\n  get_tree_bdev+0x1d2/0x360\n  ext4_get_tree+0x19/0x30\n  vfs_get_tree+0x26/0xe0\n  path_mount+0x81d/0xfc0\n  do_mount+0x8d/0xc0\n  __x64_sys_mount+0xc0/0x160\n  do_syscall_64+0x35/0x80\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  \u003c/TASK\u003e\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\n ext4_orphan_cleanup\n  ext4_enable_quotas\n   ext4_quota_enable\n    ext4_iget --\u003e get error inode \u003c5\u003e\n     ext4_ext_check_inode --\u003e Wrong imode makes it escape inspection\n     make_bad_inode(inode) --\u003e EXT4_BOOT_LOADER_INO set imode\n    dquot_load_quota_inode\n     vfs_setup_quota_inode --\u003e check pass\n     dquot_load_quota_sb\n      v2_check_quota_file\n       v2_read_header\n        ext4_quota_read\n         ext4_bread\n          ext4_getblk\n           ext4_map_blocks\n            ext4_ext_map_blocks\n             ext4_find_extent\n              ext4_cache_extents\n               ext4_es_cache_extent\n                __es_tree_search.isra.0\n                 ext4_es_end --\u003e Wrong extents trigger BUG_ON\n\nIn the above issue, s_usr_quota_inum is set to 5, but inode\u003c5\u003e contains\nincorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO,\nthe ext4_ext_check_inode check in the ext4_iget function can be bypassed,\nfinally, the extents that are not checked trigger the BUG_ON in the\n__es_tree_search function. To solve this issue, check whether the inode is\nbad_inode in vfs_setup_quota_inode().","modified":"2026-04-02T08:28:45.905867Z","published":"2025-12-24T13:06:09.914Z","related":["SUSE-SU-2026:0263-1","SUSE-SU-2026:0317-1","SUSE-SU-2026:0411-1","SUSE-SU-2026:0473-1","SUSE-SU-2026:0617-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50782.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0dcbf4dc3d54aab5990952cfd832042fb300dbe3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1d5524832ff204b8a8cd54ae1628b2122f6e9a8d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1daff79463d7d76096c84c57cddc30c5d4be2226"},{"type":"WEB","url":"https://git.kernel.org/stable/c/794c9175db1f2e5d2a28c326f10bd024dbd944f8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/98004f926d27eaccdd2d336b7916a42e07392da1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d323877484765aaacbb2769b06e355c2041ed115"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fb1d3b4107b4837b4a0dbbf01954269bd6acfdc3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50782.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50782"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"393d1d1d76933886d5e1ce603214c9987589c6d5"},{"fixed":"fb1d3b4107b4837b4a0dbbf01954269bd6acfdc3"},{"fixed":"1d5524832ff204b8a8cd54ae1628b2122f6e9a8d"},{"fixed":"98004f926d27eaccdd2d336b7916a42e07392da1"},{"fixed":"0dcbf4dc3d54aab5990952cfd832042fb300dbe3"},{"fixed":"794c9175db1f2e5d2a28c326f10bd024dbd944f8"},{"fixed":"1daff79463d7d76096c84c57cddc30c5d4be2226"},{"fixed":"d323877484765aaacbb2769b06e355c2041ed115"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50782.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.10.0"},{"fixed":"4.19.270"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.229"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.163"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.87"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.0.18"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.1.0"},{"fixed":"6.1.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50782.json"}}],"schema_version":"1.7.5"}