CVE-2022-50752
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 24/12/2025
Last modified: 24/12/2025

Description
In the Linux kernel, the following vulnerability has been resolved:

md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()

When running chunk-sized reads on disks with badblocks duplicate bio
free/puts are observed:

=============================================================================
BUG bio-200 (Not tainted): Object already free
-----------------------------------------------------------------------------
Allocated in mempool_alloc_slab+0x17/0x20 age=3 cpu=2 pid=7504
__slab_alloc.constprop.0+0x5a/0xb0
kmem_cache_alloc+0x31e/0x330
mempool_alloc_slab+0x17/0x20
mempool_alloc+0x100/0x2b0
bio_alloc_bioset+0x181/0x460
do_mpage_readpage+0x776/0xd00
mpage_readahead+0x166/0x320
blkdev_readahead+0x15/0x20
read_pages+0x13f/0x5f0
page_cache_ra_unbounded+0x18d/0x220
force_page_cache_ra+0x181/0x1c0
page_cache_sync_ra+0x65/0xb0
filemap_get_pages+0x1df/0xaf0
filemap_read+0x1e1/0x700
blkdev_read_iter+0x1e5/0x330
vfs_read+0x42a/0x570
Freed in mempool_free_slab+0x17/0x20 age=3 cpu=2 pid=7504
kmem_cache_free+0x46d/0x490
mempool_free_slab+0x17/0x20
mempool_free+0x66/0x190
bio_free+0x78/0x90
bio_put+0x100/0x1a0
raid5_make_request+0x2259/0x2450
md_handle_request+0x402/0x600
md_submit_bio+0xd9/0x120
__submit_bio+0x11f/0x1b0
submit_bio_noacct_nocheck+0x204/0x480
submit_bio_noacct+0x32e/0xc70
submit_bio+0x98/0x1a0
mpage_readahead+0x250/0x320
blkdev_readahead+0x15/0x20
read_pages+0x13f/0x5f0
page_cache_ra_unbounded+0x18d/0x220
Slab 0xffffea000481b600 objects=21 used=0 fp=0xffff8881206d8940 flags=0x17ffffc0010201(locked|slab|head|node=0|zone=2|lastcpupid=0x1fffff)
CPU: 0 PID: 34525 Comm: kworker/u24:2 Not tainted 6.0.0-rc2-localyes-265166-gf11c5343fa3f #143
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: raid5wq raid5_do_work
Call Trace:

dump_stack_lvl+0x5a/0x78
dump_stack+0x10/0x16
print_trailer+0x158/0x165
object_err+0x35/0x50
free_debug_processing.cold+0xb7/0xbe
__slab_free+0x1ae/0x330
kmem_cache_free+0x46d/0x490
mempool_free_slab+0x17/0x20
mempool_free+0x66/0x190
bio_free+0x78/0x90
bio_put+0x100/0x1a0
mpage_end_io+0x36/0x150
bio_endio+0x2fd/0x360
md_end_io_acct+0x7e/0x90
bio_endio+0x2fd/0x360
handle_failed_stripe+0x960/0xb80
handle_stripe+0x1348/0x3760
handle_active_stripes.constprop.0+0x72a/0xaf0
raid5_do_work+0x177/0x330
process_one_work+0x616/0xb20
worker_thread+0x2bd/0x6f0
kthread+0x179/0x1b0
ret_from_fork+0x22/0x30


The double free is caused by an unnecessary bio_put() in the
if(is_badblock(...)) error path in raid5_read_one_chunk().

The error path was moved ahead of bio_alloc_clone() in c82aa1b76787c
("md/raid5: move checking badblock before clone bio in
raid5_read_one_chunk"). The previous code checked and freed align_bio
which required a bio_put. After the move that is no longer needed as
raid_bio is returned to the control of the common io path which
performs its own endio resulting in a double free on bad device blocks.
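The ownership mistake described above, modelled in a small added C program that is not kernel code and not part of this record: a mock bio carries a reference count the way a kernel bio does, the badblock error path of a stand-in for raid5_read_one_chunk() either does or does not drop a reference before returning 0, and the common path then completes the bio through its own endio callback exactly once. All names ending in `mock_` or starting with `model_`/`run_` are constructed for this example; the `free_count` field stands in for the slab debugging that reported "Object already free".

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed stand-in for a kernel bio (not struct bio). The submitter
 * holds the single initial reference; free_count records how many times
 * the last reference was dropped, so a double put shows up as 2 without
 * ever touching freed memory.
 */
struct mock_bio {
    int refcnt;        /* starts at 1: the submitter owns the reference */
    int free_count;    /* times the last reference was dropped; 2 == double free */
    bool bad_block;    /* constructed: target device has a bad block here */
};

static void mock_bio_put(struct mock_bio *b)
{
    b->refcnt--;
    if (b->refcnt <= 0)
        b->free_count++;   /* in the kernel: bio_free() -> mempool_free() */
}

/* Submitter's completion callback (stands in for mpage_end_io). */
static void mock_end_io(struct mock_bio *b)
{
    mock_bio_put(b);       /* the submitter drops its own reference here */
}

/* Stands in for bio_endio() as reached from handle_failed_stripe(). */
static void mock_bio_endio(struct mock_bio *b)
{
    mock_end_io(b);
}

/*
 * Model of raid5_read_one_chunk() after the badblock check was moved
 * ahead of bio_alloc_clone(): there is no align_bio yet, so the error
 * path owns nothing. Returns 0 to hand raid_bio back to the common
 * stripe path. with_extra_put selects the pre-fix behaviour.
 */
static int model_raid5_read_one_chunk(struct mock_bio *raid_bio, bool with_extra_put)
{
    if (raid_bio->bad_block) {
        if (with_extra_put)
            mock_bio_put(raid_bio);  /* the bio_put() the fix removes */
        return 0;
    }
    /* Fast path (clone and direct submit) is not modelled here. */
    return 1;
}

/*
 * Drive one chunk-sized read against a device with a bad block and
 * return how many times the bio's last reference was dropped.
 */
static int run_bad_block_read(bool with_extra_put)
{
    struct mock_bio raid_bio = { .refcnt = 1, .free_count = 0, .bad_block = true };

    if (model_raid5_read_one_chunk(&raid_bio, with_extra_put) == 0) {
        /* Common io path: the stripe fails and bio_endio completes raid_bio. */
        mock_bio_endio(&raid_bio);
    }
    return raid_bio.free_count;
}

int main(void)
{
    printf("pre-fix : bio freed %d time(s)\n", run_bad_block_read(true));
    printf("fixed   : bio freed %d time(s)\n", run_bad_block_read(false));
    return 0;
}
```

The point the model makes is the one the commit message makes: once the error path runs before any clone exists, the only bio in hand is the caller's, and whoever completes it through the common path will drop that reference. Any extra put in the error path is a second drop of the same reference.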