CVE-2022-49266

{"id": "CVE-2022-49266", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:03.527", "references": [{"url": "https://git.kernel.org/stable/c/09737db4c891eba25e6f6383a7c38afd4acc883f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aa1b46dcdc7baaf5fec0be25782ef24b26aa209e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/af9452dfdba4bf7359ef7645eee2d243a1df0649", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dbd20bb904ad5731aaca8d009367a930d6ada111", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix rq-qos breakage from skipping rq_qos_done_bio()\n\na647a524a467 (\"block: don't call rq_qos_ops->done_bio if the bio isn't\ntracked\") made bio_endio() skip rq_qos_done_bio() if BIO_TRACKED is not set.\nWhile this fixed a potential oops, it also broke blk-iocost by skipping the\ndone_bio callback for merged bios.\n\nBefore, whether a bio goes through rq_qos_throttle() or rq_qos_merge(),\nrq_qos_done_bio() would be called on the bio on completion with BIO_TRACKED\ndistinguishing the former from the latter. rq_qos_done_bio() is not called\nfor bios which wenth through rq_qos_merge(). This royally confuses\nblk-iocost as the merged bios never finish and are considered perpetually\nin-flight.\n\nOne reliably reproducible failure mode is an intermediate cgroup geting\nstuck active preventing its children from being activated due to the\nleaf-only rule, leading to loss of control. The following is from\nresctl-bench protection scenario which emulates isolating a web server like\nworkload from a memory bomb run on an iocost configuration which should\nyield a reasonable level of protection.\n\n # cat /sys/block/nvme2n1/device/model\n Samsung SSD 970 PRO 512GB\n # cat /sys/fs/cgroup/io.cost.model\n 259:0 ctrl=user model=linear rbps=834913556 rseqiops=93622 rrandiops=102913 wbps=618985353 wseqiops=72325 wrandiops=71025\n # cat /sys/fs/cgroup/io.cost.qos\n 259:0 enable=1 ctrl=user rpct=95.00 rlat=18776 wpct=95.00 wlat=8897 min=60.00 max=100.00\n # resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1\n ...\n Memory Hog Summary\n ==================\n\n IO Latency: R p50=242u:336u/2.5m p90=794u:1.4m/7.5m p99=2.7m:8.0m/62.5m max=8.0m:36.4m/350m\n W p50=221u:323u/1.5m p90=709u:1.2m/5.5m p99=1.5m:2.5m/9.5m max=6.9m:35.9m/350m\n\n Isolation and Request Latency Impact Distributions:\n\n min p01 p05 p10 p25 p50 p75 p90 p95 p99 max mean stdev\n isol% 15.90 15.90 15.90 40.05 57.24 59.07 60.01 74.63 74.63 90.35 90.35 58.12 15.82\n lat-imp% 0 0 0 0 0 4.55 14.68 15.54 233.5 548.1 548.1 53.88 143.6\n\n Result: isol=58.12:15.82% lat_imp=53.88%:143.6 work_csv=100.0% missing=3.96%\n\nThe isolation result of 58.12% is close to what this device would show\nwithout any IO control.\n\nFix it by introducing a new flag BIO_QOS_MERGED to mark merged bios and\ncalling rq_qos_done_bio() on them too. For consistency and clarity, rename\nBIO_TRACKED to BIO_QOS_THROTTLED. The flag checks are moved into\nrq_qos_done_bio() so that it's next to the code paths that set the flags.\n\nWith the patch applied, the above same benchmark shows:\n\n # resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1\n ...\n Memory Hog Summary\n ==================\n\n IO Latency: R p50=123u:84.4u/985u p90=322u:256u/2.5m p99=1.6m:1.4m/9.5m max=11.1m:36.0m/350m\n W p50=429u:274u/995u p90=1.7m:1.3m/4.5m p99=3.4m:2.7m/11.5m max=7.9m:5.9m/26.5m\n\n Isolation and Request Latency Impact Distributions:\n\n min p01 p05 p10 p25 p50 p75 p90 p95 p99 max mean stdev\n isol% 84.91 84.91 89.51 90.73 92.31 94.49 96.36 98.04 98.71 100.0 100.0 94.42 2.81\n lat-imp% 0 0 0 0 0 2.81 5.73 11.11 13.92 17.53 22.61 4.10 4.68\n\n Result: isol=94.42:2.81% lat_imp=4.10%:4.68 work_csv=58.34% missing=0%"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: block: fix rq-qos breakage from skipping rq_qos_done_bio() a647a524a467 (\"block: don't call rq_qos_ops->done_bio if the bio isn't tracked\") hizo que bio_endio() saltara rq_qos_done_bio() si BIO_TRACKED no est\u00e1 configurado. Si bien esto solucion\u00f3 un posible error, tambi\u00e9n rompi\u00f3 blk-iocost al saltarse la devoluci\u00f3n de llamada done_bio para bios fusionados. Antes, ya sea que una bio pase por rq_qos_throttle() o rq_qos_merge(), rq_qos_done_bio() se llamar\u00eda en la bio al completarse con BIO_TRACKED distinguiendo la primera de la segunda. rq_qos_done_bio() no se llama para bios que pasaron por rq_qos_merge(). Esto confunde mucho a blk-iocost, ya que las bios fusionadas nunca terminan y se consideran en constante funcionamiento. Un modo de falla reproducible de manera confiable es un cgroup intermedio que se queda bloqueado en modo activo, lo que impide que sus hijos se activen debido a la regla de solo hojas, lo que lleva a la p\u00e9rdida de control. Lo siguiente es del escenario de protecci\u00f3n de resctl-bench que emula el aislamiento de una carga de trabajo similar a la de un servidor web de una bomba de memoria ejecutada en una configuraci\u00f3n de iocost que deber\u00eda producir un nivel razonable de protecci\u00f3n. # cat /sys/block/nvme2n1/device/model Samsung SSD 970 PRO 512GB # cat /sys/fs/cgroup/io.cost.model 259:0 ctrl=usuario model=linear rbps=834913556 rseqiops=93622 rrandiops=102913 wbps=618985353 wseqiops=72325 wrandiops=71025 # cat /sys/fs/cgroup/io.cost.qos 259:0 enable=1 ctrl=usuario rpct=95.00 rlat=18776 wpct=95.00 wlat=8897 m\u00edn=60.00 m\u00e1x=100.00 # resctl-bench -m 29.6G -r out.json ejecutar protection::scenario=mem-hog,loops=1 ... Resumen de acaparadores de memoria ================== Latencia de E/S: R p50=242u:336u/2,5 m p90=794u:1,4 m/7,5 m p99=2,7 m:8,0 m/62,5 m m\u00e1x.=8,0 m:36,4 m/350 m W p50=221u:323u/1,5 m p90=709u:1,2 m/5,5 m p99=1,5 m:2,5 m/9,5 m m\u00e1x.=6,9 m:35,9 m/350 m Distribuciones del impacto de latencia de solicitud y aislamiento: m\u00edn. p01 p05 p10 p25 p50 p75 p90 p95 p99 m\u00e1x. media desviaci\u00f3n est\u00e1ndar isol% 15,90 15,90 15,90 40,05 57,24 59,07 60,01 74,63 74,63 90,35 90,35 58,12 15,82 lat-imp% 0 0 0 0 0 4,55 14,68 15,54 233,5 548,1 548,1 53,88 143,6 Resultado: isol=58,12:15,82% lat_imp=53,88%:143,6 work_csv=100,0% missing=3,96% El resultado de aislamiento de 58,12% es cercano a lo que este dispositivo mostrar\u00eda sin ning\u00fan control de E/S. Arr\u00e9glelo introduciendo una nueva bandera BIO_QOS_MERGED para marcar las bios fusionadas y llamando a rq_qos_done_bio() en ellas tambi\u00e9n. Para mayor coherencia y claridad, cambie el nombre de BIO_TRACKED a BIO_QOS_THROTTLED. Las comprobaciones de banderas se mueven a rq_qos_done_bio() para que est\u00e9n junto a las rutas de c\u00f3digo que establecen las banderas. Con el parche aplicado, el mismo punto de referencia anterior muestra: # resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1 ... Resumen de acaparamiento de memoria ================== Latencia de E/S: R p50=123u:84.4u/985u p90=322u:256u/2.5m p99=1.6m:1.4m/9.5m m\u00e1x.=11.1m:36.0m/350m W p50=429u:274u/995u p90=1.7m:1.3m/4.5m p99=3.4m:2.7m/11.5m m\u00e1x.=7.9m:5.9m/26.5m Distribuciones de impacto de latencia de solicitud y aislamiento: min p01 p05 p10 p25 p50 p75 p90 p95 p99 media m\u00e1xima desviaci\u00f3n est\u00e1ndar isol% 84,91 84,91 89,51 90,73 92,31 94,49 96,36 98,04 98,71 100,0 100,0 94,42 2,81 lat-imp% 0 0 0 0 0 2,81 5,73 11,11 13,92 17,53 22,61 4,10 4,68 Resultado: isol=94,42:2,81% lat_imp=4,10%:4,68 work_csv=58,34% missing=0%"}], "lastModified": "2025-10-21T11:50:13.180", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FC16C741-04D3-418A-87C6-8EE23F15B67C", "versionEndExcluding": "5.11", "versionStartIncluding": "5.10.241"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C67C5EC-7ED4-407D-9800-198B7F076D0F", "versionEndExcluding": "5.15", "versionStartIncluding": "5.14.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D89FEC10-B807-40F2-8448-B75153A7B3AD", "versionEndExcluding": "5.15.54", "versionStartIncluding": "5.15.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20C43679-0439-405A-B97F-685BEE50613B", "versionEndExcluding": "5.16.19", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "210C679C-CF84-44A3-8939-E629C87E54BF", "versionEndExcluding": "5.17.2", "versionStartIncluding": "5.17"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40D9C0D1-0F32-4A2B-9840-1072F5497540"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0460DA88-8FE1-46A2-9DDA-1F1ABA552E71"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AF55383D-4DF2-45DC-93F7-571F4F978EAB"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9E9481B2-8AA6-4CBD-B5D3-C10F51FF6D01"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EBD45831-4B79-42BC-ABC0-86870F0DEA89"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "948A6B8D-1B72-4945-8680-354E53BE1C80"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}