{ "threat_severity" : "Low", "public_date" : "2025-12-24T00:00:00Z", "bugzilla" : { "description" : "kernel: md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()", "id" : "2425203", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2425203" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-1341", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmd/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()\nWhen running chunk-sized reads on disks with badblocks duplicate bio\nfree/puts are observed:\n=============================================================================\nBUG bio-200 (Not tainted): Object already free\n-----------------------------------------------------------------------------\nAllocated in mempool_alloc_slab+0x17/0x20 age=3 cpu=2 pid=7504\n__slab_alloc.constprop.0+0x5a/0xb0\nkmem_cache_alloc+0x31e/0x330\nmempool_alloc_slab+0x17/0x20\nmempool_alloc+0x100/0x2b0\nbio_alloc_bioset+0x181/0x460\ndo_mpage_readpage+0x776/0xd00\nmpage_readahead+0x166/0x320\nblkdev_readahead+0x15/0x20\nread_pages+0x13f/0x5f0\npage_cache_ra_unbounded+0x18d/0x220\nforce_page_cache_ra+0x181/0x1c0\npage_cache_sync_ra+0x65/0xb0\nfilemap_get_pages+0x1df/0xaf0\nfilemap_read+0x1e1/0x700\nblkdev_read_iter+0x1e5/0x330\nvfs_read+0x42a/0x570\nFreed in mempool_free_slab+0x17/0x20 age=3 cpu=2 pid=7504\nkmem_cache_free+0x46d/0x490\nmempool_free_slab+0x17/0x20\nmempool_free+0x66/0x190\nbio_free+0x78/0x90\nbio_put+0x100/0x1a0\nraid5_make_request+0x2259/0x2450\nmd_handle_request+0x402/0x600\nmd_submit_bio+0xd9/0x120\n__submit_bio+0x11f/0x1b0\nsubmit_bio_noacct_nocheck+0x204/0x480\nsubmit_bio_noacct+0x32e/0xc70\nsubmit_bio+0x98/0x1a0\nmpage_readahead+0x250/0x320\nblkdev_readahead+0x15/0x20\nread_pages+0x13f/0x5f0\npage_cache_ra_unbounded+0x18d/0x220\nSlab 0xffffea000481b600 objects=21 used=0 fp=0xffff8881206d8940 flags=0x17ffffc0010201(locked|slab|head|node=0|zone=2|lastcpupid=0x1fffff)\nCPU: 0 PID: 34525 Comm: kworker/u24:2 Not tainted 6.0.0-rc2-localyes-265166-gf11c5343fa3f #143\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nWorkqueue: raid5wq raid5_do_work\nCall Trace:\n\ndump_stack_lvl+0x5a/0x78\ndump_stack+0x10/0x16\nprint_trailer+0x158/0x165\nobject_err+0x35/0x50\nfree_debug_processing.cold+0xb7/0xbe\n__slab_free+0x1ae/0x330\nkmem_cache_free+0x46d/0x490\nmempool_free_slab+0x17/0x20\nmempool_free+0x66/0x190\nbio_free+0x78/0x90\nbio_put+0x100/0x1a0\nmpage_end_io+0x36/0x150\nbio_endio+0x2fd/0x360\nmd_end_io_acct+0x7e/0x90\nbio_endio+0x2fd/0x360\nhandle_failed_stripe+0x960/0xb80\nhandle_stripe+0x1348/0x3760\nhandle_active_stripes.constprop.0+0x72a/0xaf0\nraid5_do_work+0x177/0x330\nprocess_one_work+0x616/0xb20\nworker_thread+0x2bd/0x6f0\nkthread+0x179/0x1b0\nret_from_fork+0x22/0x30\n\nThe double free is caused by an unnecessary bio_put() in the\nif(is_badblock(...)) error path in raid5_read_one_chunk().\nThe error path was moved ahead of bio_alloc_clone() in c82aa1b76787c\n(\"md/raid5: move checking badblock before clone bio in\nraid5_read_one_chunk\"). The previous code checked and freed align_bio\nwhich required a bio_put. After the move that is no longer needed as\nraid_bio is returned to the control of the common io path which\nperforms its own endio resulting in a double free on bad device blocks.", "A double-free vulnerability was found in the Linux kernel's MD RAID5 driver. In raid5_read_one_chunk(), when encountering badblocks during chunk-sized reads, an unnecessary bio_put() is called. Since the bio is also freed by the common I/O completion path, this results in a double-free condition that can cause kernel crashes and memory corruption." ], "statement" : "This flaw affects RAID5 arrays with disks that have recorded badblocks. The double-free occurs during read operations that encounter bad sectors, which triggers the error path containing the extraneous bio_put(). Systems using MD RAID5 with degraded or failing disks are more likely to encounter this issue.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-05-16T00:00:00Z", "advisory" : "RHSA-2023:2951", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-477.10.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50752\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50752\nhttps://lore.kernel.org/linux-cve-announce/2025122452-CVE-2022-50752-fa82@gregkh/T" ], "name" : "CVE-2022-50752", "csaw" : false }