{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: md: fix a crash in mempool_free",
    "id" : "2396420",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2396420"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-367",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmd: fix a crash in mempool_free\nThere's a crash in mempool_free when running the lvm test\nshell/lvchange-rebuild-raid.sh.\nThe reason for the crash is this:\n* super_written calls atomic_dec_and_test(&mddev->pending_writes) and\nwake_up(&mddev->sb_wait). Then it calls rdev_dec_pending(rdev, mddev)\nand bio_put(bio).\n* so, the process that waited on sb_wait and that is woken up is racing\nwith bio_put(bio).\n* if the process wins the race, it calls bioset_exit before bio_put(bio)\nis executed.\n* bio_put(bio) attempts to free a bio into a destroyed bio set - causing\na crash in mempool_free.\nWe fix this bug by moving bio_put before atomic_dec_and_test.\nWe also move rdev_dec_pending before atomic_dec_and_test as suggested by\nNeil Brown.\nThe function md_end_flush has a similar bug - we must call bio_put before\nwe decrement the number of in-progress bios.\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n#PF: supervisor write access in kernel mode\n#PF: error_code(0x0002) - not-present page\nPGD 11557f0067 P4D 11557f0067 PUD 0\nOops: 0002 [#1] PREEMPT SMP\nCPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 6.1.0-rc3 #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nWorkqueue: kdelayd flush_expired_bios [dm_delay]\nRIP: 0010:mempool_free+0x47/0x80\nCode: 48 89 ef 5b 5d ff e0 f3 c3 48 89 f7 e8 32 45 3f 00 48 63 53 08 48 89 c6 3b 53 04 7d 2d 48 8b 43 10 8d 4a 01 48 89 df 89 4b 08 <48> 89 2c d0 e8 b0 45 3f 00 48 8d 7b 30 5b 5d 31 c9 ba 01 00 00 00\nRSP: 0018:ffff88910036bda8 EFLAGS: 00010093\nRAX: 0000000000000000 RBX: ffff8891037b65d8 RCX: 0000000000000001\nRDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff8891037b65d8\nRBP: ffff8891447ba240 R08: 0000000000012908 R09: 00000000003d0900\nR10: 0000000000000000 R11: 0000000000173544 R12: ffff889101a14000\nR13: ffff8891562ac300 R14: ffff889102b41440 R15: ffffe8ffffa00d05\nFS:  0000000000000000(0000) GS:ffff88942fa00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 0000001102e99000 CR4: 00000000000006b0\nCall Trace:\n<TASK>\nclone_endio+0xf4/0x1c0 [dm_mod]\nclone_endio+0xf4/0x1c0 [dm_mod]\n__submit_bio+0x76/0x120\nsubmit_bio_noacct_nocheck+0xb6/0x2a0\nflush_expired_bios+0x28/0x2f [dm_delay]\nprocess_one_work+0x1b4/0x300\nworker_thread+0x45/0x3e0\n? rescuer_thread+0x380/0x380\nkthread+0xc2/0x100\n? kthread_complete_and_exit+0x20/0x20\nret_from_fork+0x1f/0x30\n</TASK>\nModules linked in: brd dm_delay dm_raid dm_mod af_packet uvesafb cfbfillrect cfbimgblt cn cfbcopyarea fb font fbdev tun autofs4 binfmt_misc configfs ipv6 virtio_rng virtio_balloon rng_core virtio_net pcspkr net_failover failover qemu_fw_cfg button mousedev raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq raid6_pq async_xor xor async_tx raid1 raid0 md_mod sd_mod t10_pi crc64_rocksoft crc64 virtio_scsi scsi_mod evdev psmouse bsg scsi_common [last unloaded: brd]\nCR2: 0000000000000000\n---[ end trace 0000000000000000 ]---" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:2951",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-477.10.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50381\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50381\nhttps://lore.kernel.org/linux-cve-announce/2025091851-CVE-2022-50381-b83f@gregkh/T" ],
  "name" : "CVE-2022-50381",
  "csaw" : false
}