CVE-2022-50388
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-50388
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50388.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-50388
- Downstream
- Related
- Published
- 2025-09-18T13:33:08Z
- Modified
- 2025-10-21T13:13:47.218707Z
- Summary
- nvme: fix multipath crash caused by flush request when blktrace is enabled
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
nvme: fix multipath crash caused by flush request when blktrace is enabled
The flush request initialized by blkkickflush has NULL bio, and it may be dealt with nvmeendreq during io completion. When blktrace is enabled, nvmetracebio_complete with multipath activated trying to access NULL pointer bio from flush request results in the following crash:
[ 2517.831677] BUG: kernel NULL pointer dereference, address: 000000000000001a [ 2517.835213] #PF: supervisor read access in kernel mode [ 2517.838724] #PF: errorcode(0x0000) - not-present page [ 2517.842222] PGD 7b2d51067 P4D 0 [ 2517.845684] Oops: 0000 [#1] SMP NOPTI [ 2517.849125] CPU: 2 PID: 732 Comm: kworker/2:1H Kdump: loaded Tainted: G S 5.15.67-0.cl9.x8664 #1 [ 2517.852723] Hardware name: XFUSION 2288H V6/BC13MBSBC, BIOS 1.13 07/27/2022 [ 2517.856358] Workqueue: nvmetcpwq nvmetcpiowork [nvmetcp] [ 2517.859993] RIP: 0010:blkaddtracebiocomplete+0x6/0x30 [ 2517.863628] Code: 1f 44 00 00 48 8b 46 08 31 c9 ba 04 00 10 00 48 8b 80 50 03 00 00 48 8b 78 50 e9 e5 fe ff ff 0f 1f 44 00 00 41 54 49 89 f4 55 <0f> b6 7a 1a 48 89 d5 e8 3e 1c 2b 00 48 89 ee 4c 89 e7 5d 89 c1 ba [ 2517.871269] RSP: 0018:ff7f6a008d9dbcd0 EFLAGS: 00010286 [ 2517.875081] RAX: ff3d5b4be00b1d50 RBX: 0000000002040002 RCX: ff3d5b0a270f2000 [ 2517.878966] RDX: 0000000000000000 RSI: ff3d5b0b021fb9f8 RDI: 0000000000000000 [ 2517.882849] RBP: ff3d5b0b96a6fa00 R08: 0000000000000001 R09: 0000000000000000 [ 2517.886718] R10: 000000000000000c R11: 000000000000000c R12: ff3d5b0b021fb9f8 [ 2517.890575] R13: 0000000002000000 R14: ff3d5b0b021fb1b0 R15: 0000000000000018 [ 2517.894434] FS: 0000000000000000(0000) GS:ff3d5b42bfc80000(0000) knlGS:0000000000000000 [ 2517.898299] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2517.902157] CR2: 000000000000001a CR3: 00000004f023e005 CR4: 0000000000771ee0 [ 2517.906053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 2517.909930] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 2517.913761] PKRU: 55555554 [ 2517.917558] Call Trace: [ 2517.921294] <TASK> [ 2517.924982] nvmecompleterq+0x1c3/0x1e0 [nvmecore] [ 2517.928715] nvmetcprecvpdu+0x4d7/0x540 [nvmetcp] [ 2517.932442] nvmetcprecvskb+0x4f/0x240 [nvmetcp] [ 2517.936137] ? nvmetcprecvpdu+0x540/0x540 [nvmetcp] [ 2517.939830] tcpreadsock+0x9c/0x260 [ 2517.943486] nvmetcptryrecv+0x65/0xa0 [nvmetcp] [ 2517.947173] nvmetcpiowork+0x64/0x90 [nvmetcp] [ 2517.950834] processonework+0x1e8/0x390 [ 2517.954473] workerthread+0x53/0x3c0 [ 2517.958069] ? processonework+0x390/0x390 [ 2517.961655] kthread+0x10c/0x130 [ 2517.965211] ? setkthreadstruct+0x40/0x40 [ 2517.968760] retfromfork+0x1f/0x30 [ 2517.972285] </TASK>
To avoid this situation, add a NULL check for req->bio before calling traceblockbio_complete.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/183c2aaef40a91acbaae45c3824d6cde7bb62b10
- https://git.kernel.org/stable/c/3659fb5ac29a5e6102bebe494ac789fd47fb78f4
- https://git.kernel.org/stable/c/4df413d46960f11c8c105238cfc3f5ff4c95c003
- https://git.kernel.org/stable/c/f13301a69ababa6c2236fb4f0393b7e914e7e1e0
- https://git.kernel.org/stable/c/fcd2d199486033223e9b2a6a7f9a01dd0327eac3
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced35fe0d12c8a3d5e45f297562732ddc9ba9dc58ddFixedf13301a69ababa6c2236fb4f0393b7e914e7e1e0
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced35fe0d12c8a3d5e45f297562732ddc9ba9dc58ddFixed4df413d46960f11c8c105238cfc3f5ff4c95c003
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced35fe0d12c8a3d5e45f297562732ddc9ba9dc58ddFixedfcd2d199486033223e9b2a6a7f9a01dd0327eac3
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced35fe0d12c8a3d5e45f297562732ddc9ba9dc58ddFixed183c2aaef40a91acbaae45c3824d6cde7bb62b10
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced35fe0d12c8a3d5e45f297562732ddc9ba9dc58ddFixed3659fb5ac29a5e6102bebe494ac789fd47fb78f4
Affected versions
v5.*
v6.*
Database specific
vanir_signatures
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3659fb5ac29a5e6102bebe494ac789fd47fb78f4",
"id": "CVE-2022-50388-0a42f56a",
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "28245241975244745283042385163772396046",
"length": 192.0
},
"deprecated": false,
"target": {
"file": "drivers/nvme/host/nvme.h",
"function": "nvme_trace_bio_complete"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f13301a69ababa6c2236fb4f0393b7e914e7e1e0",
"id": "CVE-2022-50388-602c0092",
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"279299363892276252943794702740885618754",
"256828504943835915439208668424940761944",
"329339592063984601246421991799035643915",
"235432595537818736950647662640560019087"
],
"threshold": 0.9
},
"deprecated": false,
"target": {
"file": "drivers/nvme/host/nvme.h"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fcd2d199486033223e9b2a6a7f9a01dd0327eac3",
"id": "CVE-2022-50388-63d23e38",
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"273283542050846745615476744945897894197",
"256828504943835915439208668424940761944",
"329339592063984601246421991799035643915",
"280068349776630841430137921429794817301"
],
"threshold": 0.9
},
"deprecated": false,
"target": {
"file": "drivers/nvme/host/nvme.h"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4df413d46960f11c8c105238cfc3f5ff4c95c003",
"id": "CVE-2022-50388-732f58b7",
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "28245241975244745283042385163772396046",
"length": 192.0
},
"deprecated": false,
"target": {
"file": "drivers/nvme/host/nvme.h",
"function": "nvme_trace_bio_complete"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f13301a69ababa6c2236fb4f0393b7e914e7e1e0",
"id": "CVE-2022-50388-b31de550",
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "181263525163527539654304444201792456213",
"length": 206.0
},
"deprecated": false,
"target": {
"file": "drivers/nvme/host/nvme.h",
"function": "nvme_trace_bio_complete"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fcd2d199486033223e9b2a6a7f9a01dd0327eac3",
"id": "CVE-2022-50388-c8151d12",
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "28245241975244745283042385163772396046",
"length": 192.0
},
"deprecated": false,
"target": {
"file": "drivers/nvme/host/nvme.h",
"function": "nvme_trace_bio_complete"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@183c2aaef40a91acbaae45c3824d6cde7bb62b10",
"id": "CVE-2022-50388-d537bda8",
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"273283542050846745615476744945897894197",
"256828504943835915439208668424940761944",
"329339592063984601246421991799035643915",
"280068349776630841430137921429794817301"
],
"threshold": 0.9
},
"deprecated": false,
"target": {
"file": "drivers/nvme/host/nvme.h"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3659fb5ac29a5e6102bebe494ac789fd47fb78f4",
"id": "CVE-2022-50388-e6a96172",
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"273283542050846745615476744945897894197",
"256828504943835915439208668424940761944",
"329339592063984601246421991799035643915",
"280068349776630841430137921429794817301"
],
"threshold": 0.9
},
"deprecated": false,
"target": {
"file": "drivers/nvme/host/nvme.h"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4df413d46960f11c8c105238cfc3f5ff4c95c003",
"id": "CVE-2022-50388-eedbddbd",
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"273283542050846745615476744945897894197",
"256828504943835915439208668424940761944",
"329339592063984601246421991799035643915",
"235432595537818736950647662640560019087"
],
"threshold": 0.9
},
"deprecated": false,
"target": {
"file": "drivers/nvme/host/nvme.h"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@183c2aaef40a91acbaae45c3824d6cde7bb62b10",
"id": "CVE-2022-50388-feacc7d4",
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "28245241975244745283042385163772396046",
"length": 192.0
},
"deprecated": false,
"target": {
"file": "drivers/nvme/host/nvme.h",
"function": "nvme_trace_bio_complete"
}
}
]