{"id":"DEBIAN-CVE-2022-50488","details":"In the Linux kernel, the following vulnerability has been resolved:  block, bfq: fix possible uaf for 'bfqq-\u003ebic'  Our test report a uaf for 'bfqq-\u003ebic' in 5.10:  ================================================================== BUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30  CPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014 Call Trace:  bfq_select_queue+0x378/0xa30  bfq_dispatch_request+0xe8/0x130  blk_mq_do_dispatch_sched+0x62/0xb0  __blk_mq_sched_dispatch_requests+0x215/0x2a0  blk_mq_sched_dispatch_requests+0x8f/0xd0  __blk_mq_run_hw_queue+0x98/0x180  __blk_mq_delay_run_hw_queue+0x22b/0x240  blk_mq_run_hw_queue+0xe3/0x190  blk_mq_sched_insert_requests+0x107/0x200  blk_mq_flush_plug_list+0x26e/0x3c0  blk_finish_plug+0x63/0x90  __iomap_dio_rw+0x7b5/0x910  iomap_dio_rw+0x36/0x80  ext4_dio_read_iter+0x146/0x190 [ext4]  ext4_file_read_iter+0x1e2/0x230 [ext4]  new_sync_read+0x29f/0x400  vfs_read+0x24e/0x2d0  ksys_read+0xd5/0x1b0  do_syscall_64+0x33/0x40  entry_SYSCALL_64_after_hwframe+0x61/0xc6  Commit 3bc5e683c67d (\"bfq: Split shared queues on move between cgroups\") changes that move process to a new cgroup will allocate a new bfqq to use, however, the old bfqq and new bfqq can point to the same bic:  1) Initial state, two process with io in the same cgroup.  Process 1       Process 2  (BIC1)          (BIC2)   |  Λ            |  Λ   |  |            |  |   V  |            V  |   bfqq1           bfqq2  2) bfqq1 is merged to bfqq2.  Process 1       Process 2  (BIC1)          (BIC2)   |               |    \\-------------\\|                   V   bfqq1           bfqq2(coop)  3) Process 1 exit, then issue new io(denoce IOA) from Process 2.   (BIC2)   |  Λ   |  |   V  |   bfqq2(coop)  4) Before IOA is completed, move Process 2 to another cgroup and issue io.  Process 2  (BIC2)    Λ    |\\--------------\\    |                V   bfqq2           bfqq3  Now that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2. If all the requests are completed, and Process 2 exit, BIC2 will be freed while there is no guarantee that bfqq2 will be freed before BIC2.  Fix the problem by clearing bfqq-\u003ebic while bfqq is detached from bic.","modified":"2026-01-27T11:15:55.225109Z","published":"2025-10-04T16:15:45.707Z","upstream":["CVE-2022-50488"],"references":[{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2022-50488"}],"affected":[{"package":{"name":"linux","ecosystem":"Debian:11","purl":"pkg:deb/debian/linux?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.178-1"}]}],"versions":["5.10.103-1","5.10.103-1~bpo10+1","5.10.106-1","5.10.113-1","5.10.120-1","5.10.120-1~bpo10+1","5.10.127-1","5.10.127-2","5.10.127-2~bpo10+1","5.10.136-1","5.10.140-1","5.10.148-1","5.10.149-1","5.10.149-2","5.10.158-1","5.10.158-2","5.10.162-1","5.10.46-4","5.10.46-5","5.10.70-1","5.10.70-1~bpo10+1","5.10.84-1","5.10.92-1","5.10.92-1~bpo10+1","5.10.92-2"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50488.json"}},{"package":{"name":"linux","ecosystem":"Debian:12","purl":"pkg:deb/debian/linux?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.4-1"}]}],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50488.json"}},{"package":{"name":"linux","ecosystem":"Debian:13","purl":"pkg:deb/debian/linux?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.4-1"}]}],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50488.json"}},{"package":{"name":"linux","ecosystem":"Debian:14","purl":"pkg:deb/debian/linux?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.4-1"}]}],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50488.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}