CVE-2022-50752

Source
https://cve.org/CVERecord?id=CVE-2022-50752
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50752.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50752
Downstream
Related
Published
2025-12-24T13:05:46.881Z
Modified
2026-02-10T14:14:32.800314Z
Summary
md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()
Details

In the Linux kernel, the following vulnerability has been resolved:

md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()

When running chunk-sized reads on disks with badblocks duplicate bio free/puts are observed:

=============================================================================
BUG bio-200 (Not tainted): Object already free

Allocated in mempool_alloc_slab+0x17/0x20 age=3 cpu=2 pid=7504
  __slab_alloc.constprop.0+0x5a/0xb0
  kmem_cache_alloc+0x31e/0x330
  mempool_alloc_slab+0x17/0x20
  mempool_alloc+0x100/0x2b0
  bio_alloc_bioset+0x181/0x460
  do_mpage_readpage+0x776/0xd00
  mpage_readahead+0x166/0x320
  blkdev_readahead+0x15/0x20
  read_pages+0x13f/0x5f0
  page_cache_ra_unbounded+0x18d/0x220
  force_page_cache_ra+0x181/0x1c0
  page_cache_sync_ra+0x65/0xb0
  filemap_get_pages+0x1df/0xaf0
  filemap_read+0x1e1/0x700
  blkdev_read_iter+0x1e5/0x330
  vfs_read+0x42a/0x570
Freed in mempool_free_slab+0x17/0x20 age=3 cpu=2 pid=7504
  kmem_cache_free+0x46d/0x490
  mempool_free_slab+0x17/0x20
  mempool_free+0x66/0x190
  bio_free+0x78/0x90
  bio_put+0x100/0x1a0
  raid5_make_request+0x2259/0x2450
  md_handle_request+0x402/0x600
  md_submit_bio+0xd9/0x120
  __submit_bio+0x11f/0x1b0
  submit_bio_noacct_nocheck+0x204/0x480
  submit_bio_noacct+0x32e/0xc70
  submit_bio+0x98/0x1a0
  mpage_readahead+0x250/0x320
  blkdev_readahead+0x15/0x20
  read_pages+0x13f/0x5f0
  page_cache_ra_unbounded+0x18d/0x220
Slab 0xffffea000481b600 objects=21 used=0 fp=0xffff8881206d8940 flags=0x17ffffc0010201(locked|slab|head|node=0|zone=2|lastcpupid=0x1fffff)
CPU: 0 PID: 34525 Comm: kworker/u24:2 Not tainted 6.0.0-rc2-localyes-265166-gf11c5343fa3f #143
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: raid5wq raid5_do_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x5a/0x78
 dump_stack+0x10/0x16
 print_trailer+0x158/0x165
 object_err+0x35/0x50
 free_debug_processing.cold+0xb7/0xbe
 __slab_free+0x1ae/0x330
 kmem_cache_free+0x46d/0x490
 mempool_free_slab+0x17/0x20
 mempool_free+0x66/0x190
 bio_free+0x78/0x90
 bio_put+0x100/0x1a0
 mpage_end_io+0x36/0x150
 bio_endio+0x2fd/0x360
 md_end_io_acct+0x7e/0x90
 bio_endio+0x2fd/0x360
 handle_failed_stripe+0x960/0xb80
 handle_stripe+0x1348/0x3760
 handle_active_stripes.constprop.0+0x72a/0xaf0
 raid5_do_work+0x177/0x330
 process_one_work+0x616/0xb20
 worker_thread+0x2bd/0x6f0
 kthread+0x179/0x1b0
 ret_from_fork+0x22/0x30
 </TASK>

The double free is caused by an unnecessary bio_put() in the if(is_badblock(...)) error path in raid5_read_one_chunk().

The error path was moved ahead of bio_alloc_clone() in c82aa1b76787c ("md/raid5: move checking badblock before clone bio in raid5_read_one_chunk"). The previous code checked and freed align_bio which required a bio_put. After the move that is no longer needed as raid_bio is returned to the control of the common io path which performs its own endio resulting in a double free on bad device blocks.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50752.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c82aa1b76787c34fd02374e519b6f52cdeb2f54b
Fixed
7a37c58ee72e1fadd22c4ee990cb74c2ca2280e7
Fixed
c0fd5d4d8fd7b1a50306d7a23c720cf808f41fdf
Fixed
21a9c7354aa59e97e26ece5f0a609c8bfa43020d
Fixed
c66a6f41e09ad386fd2cce22b9cded837bbbc704

Affected versions

v5.*
v5.13
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.64
v5.15.65
v5.15.66
v5.15.67
v5.15.68
v5.15.69
v5.15.7
v5.15.70
v5.15.71
v5.15.72
v5.15.73
v5.15.74
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.19.1
v5.19.10
v5.19.11
v5.19.12
v5.19.13
v5.19.14
v5.19.15
v5.19.16
v5.19.2
v5.19.3
v5.19.4
v5.19.5
v5.19.6
v5.19.7
v5.19.8
v5.19.9
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.0.1
v6.0.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50752.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.14.0
Fixed
5.15.75
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.19.17
Type
ECOSYSTEM
Events
Introduced
5.20.0
Fixed
6.0.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50752.json"