ghsa-pjqr-wv9q-gvhf
Vulnerability from github
Published
2025-06-18 12:30
Modified
2025-06-18 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

md-raid: destroy the bitmap after destroying the thread

When we ran the lvm test "shell/integrity-blocksize-3.sh" on a kernel with kasan, we got failure in write_page.

The reason for the failure is that md_bitmap_destroy is called before destroying the thread and the thread may be waiting in the function write_page for the bio to complete. When the thread finishes waiting, it executes "if (test_bit(BITMAP_WRITE_ERROR, &bitmap->flags))", which triggers the kasan warning.

Note that the commit 48df498daf62 that caused this bug claims that it is neede for md-cluster, you should check md-cluster and possibly find another bugfix for it.

BUG: KASAN: use-after-free in write_page+0x18d/0x680 [md_mod] Read of size 8 at addr ffff889162030c78 by task mdX_raid1/5539

CPU: 10 PID: 5539 Comm: mdX_raid1 Not tainted 5.19.0-rc2 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace: dump_stack_lvl+0x34/0x44 print_report.cold+0x45/0x57a ? __lock_text_start+0x18/0x18 ? write_page+0x18d/0x680 [md_mod] kasan_report+0xa8/0xe0 ? write_page+0x18d/0x680 [md_mod] kasan_check_range+0x13f/0x180 write_page+0x18d/0x680 [md_mod] ? super_sync+0x4d5/0x560 [dm_raid] ? md_bitmap_file_kick+0xa0/0xa0 [md_mod] ? rs_set_dev_and_array_sectors+0x2e0/0x2e0 [dm_raid] ? mutex_trylock+0x120/0x120 ? preempt_count_add+0x6b/0xc0 ? preempt_count_sub+0xf/0xc0 md_update_sb+0x707/0xe40 [md_mod] md_reap_sync_thread+0x1b2/0x4a0 [md_mod] md_check_recovery+0x533/0x960 [md_mod] raid1d+0xc8/0x2a20 [raid1] ? var_wake_function+0xe0/0xe0 ? psi_group_change+0x411/0x500 ? preempt_count_sub+0xf/0xc0 ? _raw_spin_lock_irqsave+0x78/0xc0 ? __lock_text_start+0x18/0x18 ? raid1_end_read_request+0x2a0/0x2a0 [raid1] ? preempt_count_sub+0xf/0xc0 ? _raw_spin_unlock_irqrestore+0x19/0x40 ? del_timer_sync+0xa9/0x100 ? try_to_del_timer_sync+0xc0/0xc0 ? _raw_spin_lock_irqsave+0x78/0xc0 ? __lock_text_start+0x18/0x18 ? __list_del_entry_valid+0x68/0xa0 ? finish_wait+0xa3/0x100 md_thread+0x161/0x260 [md_mod] ? unregister_md_personality+0xa0/0xa0 [md_mod] ? _raw_spin_lock_irqsave+0x78/0xc0 ? prepare_to_wait_event+0x2c0/0x2c0 ? unregister_md_personality+0xa0/0xa0 [md_mod] kthread+0x148/0x180 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30

Allocated by task 5522: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x80/0xa0 md_bitmap_create+0xa8/0xe80 [md_mod] md_run+0x777/0x1300 [md_mod] raid_ctr+0x249c/0x4a30 [dm_raid] dm_table_add_target+0x2b0/0x620 [dm_mod] table_load+0x1c8/0x400 [dm_mod] ctl_ioctl+0x29e/0x560 [dm_mod] dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] __do_compat_sys_ioctl+0xfa/0x160 do_syscall_64+0x90/0xc0 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 5680: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x40 kasan_set_free_info+0x20/0x40 __kasan_slab_free+0xf7/0x140 kfree+0x80/0x240 md_bitmap_free+0x1c3/0x280 [md_mod] __md_stop+0x21/0x120 [md_mod] md_stop+0x9/0x40 [md_mod] raid_dtr+0x1b/0x40 [dm_raid] dm_table_destroy+0x98/0x1e0 [dm_mod] __dm_destroy+0x199/0x360 [dm_mod] dev_remove+0x10c/0x160 [dm_mod] ctl_ioctl+0x29e/0x560 [dm_mod] dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] __do_compat_sys_ioctl+0xfa/0x160 do_syscall_64+0x90/0xc0 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50216"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:52Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd-raid: destroy the bitmap after destroying the thread\n\nWhen we ran the lvm test \"shell/integrity-blocksize-3.sh\" on a kernel with\nkasan, we got failure in write_page.\n\nThe reason for the failure is that md_bitmap_destroy is called before\ndestroying the thread and the thread may be waiting in the function\nwrite_page for the bio to complete. When the thread finishes waiting, it\nexecutes \"if (test_bit(BITMAP_WRITE_ERROR, \u0026bitmap-\u003eflags))\", which\ntriggers the kasan warning.\n\nNote that the commit 48df498daf62 that caused this bug claims that it is\nneede for md-cluster, you should check md-cluster and possibly find\nanother bugfix for it.\n\nBUG: KASAN: use-after-free in write_page+0x18d/0x680 [md_mod]\nRead of size 8 at addr ffff889162030c78 by task mdX_raid1/5539\n\nCPU: 10 PID: 5539 Comm: mdX_raid1 Not tainted 5.19.0-rc2 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x34/0x44\n print_report.cold+0x45/0x57a\n ? __lock_text_start+0x18/0x18\n ? write_page+0x18d/0x680 [md_mod]\n kasan_report+0xa8/0xe0\n ? write_page+0x18d/0x680 [md_mod]\n kasan_check_range+0x13f/0x180\n write_page+0x18d/0x680 [md_mod]\n ? super_sync+0x4d5/0x560 [dm_raid]\n ? md_bitmap_file_kick+0xa0/0xa0 [md_mod]\n ? rs_set_dev_and_array_sectors+0x2e0/0x2e0 [dm_raid]\n ? mutex_trylock+0x120/0x120\n ? preempt_count_add+0x6b/0xc0\n ? preempt_count_sub+0xf/0xc0\n md_update_sb+0x707/0xe40 [md_mod]\n md_reap_sync_thread+0x1b2/0x4a0 [md_mod]\n md_check_recovery+0x533/0x960 [md_mod]\n raid1d+0xc8/0x2a20 [raid1]\n ? var_wake_function+0xe0/0xe0\n ? psi_group_change+0x411/0x500\n ? preempt_count_sub+0xf/0xc0\n ? _raw_spin_lock_irqsave+0x78/0xc0\n ? __lock_text_start+0x18/0x18\n ? raid1_end_read_request+0x2a0/0x2a0 [raid1]\n ? preempt_count_sub+0xf/0xc0\n ? _raw_spin_unlock_irqrestore+0x19/0x40\n ? del_timer_sync+0xa9/0x100\n ? try_to_del_timer_sync+0xc0/0xc0\n ? _raw_spin_lock_irqsave+0x78/0xc0\n ? __lock_text_start+0x18/0x18\n ? __list_del_entry_valid+0x68/0xa0\n ? finish_wait+0xa3/0x100\n md_thread+0x161/0x260 [md_mod]\n ? unregister_md_personality+0xa0/0xa0 [md_mod]\n ? _raw_spin_lock_irqsave+0x78/0xc0\n ? prepare_to_wait_event+0x2c0/0x2c0\n ? unregister_md_personality+0xa0/0xa0 [md_mod]\n kthread+0x148/0x180\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x1f/0x30\n \u003c/TASK\u003e\n\nAllocated by task 5522:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x80/0xa0\n md_bitmap_create+0xa8/0xe80 [md_mod]\n md_run+0x777/0x1300 [md_mod]\n raid_ctr+0x249c/0x4a30 [dm_raid]\n dm_table_add_target+0x2b0/0x620 [dm_mod]\n table_load+0x1c8/0x400 [dm_mod]\n ctl_ioctl+0x29e/0x560 [dm_mod]\n dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]\n __do_compat_sys_ioctl+0xfa/0x160\n do_syscall_64+0x90/0xc0\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nFreed by task 5680:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x40\n kasan_set_free_info+0x20/0x40\n __kasan_slab_free+0xf7/0x140\n kfree+0x80/0x240\n md_bitmap_free+0x1c3/0x280 [md_mod]\n __md_stop+0x21/0x120 [md_mod]\n md_stop+0x9/0x40 [md_mod]\n raid_dtr+0x1b/0x40 [dm_raid]\n dm_table_destroy+0x98/0x1e0 [dm_mod]\n __dm_destroy+0x199/0x360 [dm_mod]\n dev_remove+0x10c/0x160 [dm_mod]\n ctl_ioctl+0x29e/0x560 [dm_mod]\n dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]\n __do_compat_sys_ioctl+0xfa/0x160\n do_syscall_64+0x90/0xc0\n entry_SYSCALL_64_after_hwframe+0x46/0xb0",
  "id": "GHSA-pjqr-wv9q-gvhf",
  "modified": "2025-06-18T12:30:56Z",
  "published": "2025-06-18T12:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50216"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7f82027b6b74553f7fe8541c0a04bfbd3557fb11"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c5e4cdd4438787e008c1b4a23bb66e49f4b12417"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e0bdaed154e5b9cc4310ddaf5da290483d00e6ba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e151db8ecfb019b7da31d076130a794574c89f6f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f192434601b9a1ef072b8ad631d6008fea578234"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.