CVE-2022-49394

{"id": "CVE-2022-49394", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:15.983", "references": [{"url": "https://git.kernel.org/stable/c/515d077ee3085ae343b6bea7fd031f9906645f38", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5b0ff3ebbef791341695b718f8d2870869cf1d01", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/77692c02e1517c54f2fd0535f41aa4286ac9f140", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8a177a36da6c54c98b8685d4f914cb3637d53c0d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/968f7a239c590454ffba79c126fbe0e963a0ba78", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a30acbb5dfb7bcc813ad6a18ca31011ac44e5547", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d19fa8f252000d141f9199ca32959c50314e1f05", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iolatency: Fix inflight count imbalances and IO hangs on offline\n\niolatency needs to track the number of inflight IOs per cgroup. As this\ntracking can be expensive, it is disabled when no cgroup has iolatency\nconfigured for the device. To ensure that the inflight counters stay\nbalanced, iolatency_set_limit() freezes the request_queue while manipulating\nthe enabled counter, which ensures that no IO is in flight and thus all\ncounters are zero.\n\nUnfortunately, iolatency_set_limit() isn't the only place where the enabled\ncounter is manipulated. iolatency_pd_offline() can also dec the counter and\ntrigger disabling. As this disabling happens without freezing the q, this\ncan easily happen while some IOs are in flight and thus leak the counts.\n\nThis can be easily demonstrated by turning on iolatency on an one empty\ncgroup while IOs are in flight in other cgroups and then removing the\ncgroup. Note that iolatency shouldn't have been enabled elsewhere in the\nsystem to ensure that removing the cgroup disables iolatency for the whole\ndevice.\n\nThe following keeps flipping on and off iolatency on sda:\n\n echo +io > /sys/fs/cgroup/cgroup.subtree_control\n while true; do\n mkdir -p /sys/fs/cgroup/test\n echo '8:0 target=100000' > /sys/fs/cgroup/test/io.latency\n sleep 1\n rmdir /sys/fs/cgroup/test\n sleep 1\n done\n\nand there's concurrent fio generating direct rand reads:\n\n fio --name test --filename=/dev/sda --direct=1 --rw=randread \\\n --runtime=600 --time_based --iodepth=256 --numjobs=4 --bs=4k\n\nwhile monitoring with the following drgn script:\n\n while True:\n for css in css_for_each_descendant_pre(prog['blkcg_root'].css.address_of_()):\n for pos in hlist_for_each(container_of(css, 'struct blkcg', 'css').blkg_list):\n blkg = container_of(pos, 'struct blkcg_gq', 'blkcg_node')\n pd = blkg.pd[prog['blkcg_policy_iolatency'].plid]\n if pd.value_() == 0:\n continue\n iolat = container_of(pd, 'struct iolatency_grp', 'pd')\n inflight = iolat.rq_wait.inflight.counter.value_()\n if inflight:\n print(f'inflight={inflight} {disk_name(blkg.q.disk).decode(\"utf-8\")} '\n f'{cgroup_path(css.cgroup).decode(\"utf-8\")}')\n time.sleep(1)\n\nThe monitoring output looks like the following:\n\n inflight=1 sda /user.slice\n inflight=1 sda /user.slice\n ...\n inflight=14 sda /user.slice\n inflight=13 sda /user.slice\n inflight=17 sda /user.slice\n inflight=15 sda /user.slice\n inflight=18 sda /user.slice\n inflight=17 sda /user.slice\n inflight=20 sda /user.slice\n inflight=19 sda /user.slice <- fio stopped, inflight stuck at 19\n inflight=19 sda /user.slice\n inflight=19 sda /user.slice\n\nIf a cgroup with stuck inflight ends up getting throttled, the throttled IOs\nwill never get issued as there's no completion event to wake it up leading\nto an indefinite hang.\n\nThis patch fixes the bug by unifying enable handling into a work item which\nis automatically kicked off from iolatency_set_min_lat_nsec() which is\ncalled from both iolatency_set_limit() and iolatency_pd_offline() paths.\nPunting to a work item is necessary as iolatency_pd_offline() is called\nunder spinlocks while freezing a request_queue requires a sleepable context.\n\nThis also simplifies the code reducing LOC sans the comments and avoids the\nunnecessary freezes which were happening whenever a cgroup's latency target\nis newly set or cleared."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: blk-iolatency: corrige los desequilibrios de recuento en vuelo y los bloqueos de IO en modo sin conexi\u00f3n iolatency necesita rastrear la cantidad de IO en vuelo por cgroup. Como este seguimiento puede ser costoso, se deshabilita cuando ning\u00fan cgroup tiene iolatency configurado para el dispositivo. Para garantizar que los contadores en vuelo se mantengan equilibrados, iolatency_set_limit() congela la request_queue mientras manipula el contador habilitado, lo que garantiza que no haya IO en vuelo y, por lo tanto, todos los contadores sean cero. Desafortunadamente, iolatency_set_limit() no es el \u00fanico lugar donde se manipula el contador habilitado. iolatency_pd_offline() tambi\u00e9n puede dec el contador y activar la desactivaci\u00f3n. Como esta desactivaci\u00f3n ocurre sin congelar el q, esto puede suceder f\u00e1cilmente mientras algunas IO est\u00e1n en vuelo y, por lo tanto, filtrar los recuentos. Esto se puede demostrar f\u00e1cilmente activando iolatency en un cgroup vac\u00edo mientras los IO est\u00e1n en tr\u00e1nsito en otros cgroups y luego eliminando el cgroup. Tenga en cuenta que iolatency no deber\u00eda haberse habilitado en ninguna otra parte del sistema para garantizar que la eliminaci\u00f3n del cgroup deshabilite iolatency para todo el dispositivo. Lo siguiente sigue activando y desactivando iolatency on sda: echo +io &gt; /sys/fs/cgroup/cgroup.subtree_control while true; do mkdir -p /sys/fs/cgroup/test echo '8:0 target=100000' &gt; /sys/fs/cgroup/test/io.latency sleep 1 rmdir /sys/fs/cgroup/test sleep 1 done and there's concurrent fio generating direct rand reads: fio --name test --filename=/dev/sda --direct=1 --rw=randread \\ --runtime=600 --time_based --iodepth=256 --numjobs=4 --bs=4k while monitoring with the following drgn script: while True: for css in css_for_each_descendant_pre(prog['blkcg_root'].css.address_of_()): for pos in hlist_for_each(container_of(css, 'struct blkcg', 'css').blkg_list): blkg = container_of(pos, 'struct blkcg_gq', 'blkcg_node') pd = blkg.pd[prog['blkcg_policy_iolatency'].plid] if pd.value_() == 0: continue iolat = container_of(pd, 'struct iolatency_grp', 'pd') inflight = iolat.rq_wait.inflight.counter.value_() if inflight: print(f'inflight={inflight} {disk_name(blkg.q.disk).decode(\"utf-8\")} ' f'{cgroup_path(css.cgroup).decode(\"utf-8\")}') time.sleep(1) The monitoring output looks like the following: inflight=1 sda /user.slice inflight=1 sda /user.slice ... inflight=14 sda /user.slice inflight=13 sda /user.slice inflight=17 sda /user.slice inflight=15 sda /user.slice inflight=18 sda /user.slice inflight=17 sda /user.slice inflight=20 sda /user.slice inflight=19 sda /user.slice &lt;- fio stopped, inflight stuck at 19 inflight=19 sda /user.slice inflight=19 sda /user.slice Si un cgroup con inflight atascado termina siendo limitado, las IO limitadas nunca se emitir\u00e1n ya que no hay un evento de finalizaci\u00f3n para despertarlo, lo que genera un bloqueo indefinido. Este parche corrige el error al unificar la gesti\u00f3n de habilitaci\u00f3n en un elemento de trabajo que se inicia autom\u00e1ticamente desde iolatency_set_min_lat_nsec(), que se llama desde las rutas iolatency_set_limit() y iolatency_pd_offline(). Es necesario apuntar a un elemento de trabajo ya que iolatency_pd_offline() se llama bajo bloqueos de giro, mientras que congelar una cola de solicitudes requiere un contexto que se pueda suspender. Esto tambi\u00e9n simplifica el c\u00f3digo, lo que reduce el LOC sin los comentarios y evita los bloqueos innecesarios que ocurr\u00edan cada vez que se configuraba o borraba el objetivo de latencia de un cgroup."}], "lastModified": "2025-10-21T12:15:22.700", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DFA8B487-29DE-4C81-A53B-E5D42B089FBE", "versionEndExcluding": "4.19.247", "versionStartIncluding": "4.19.29"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "12C840D2-F209-4022-AB9F-C7842E688685", "versionEndExcluding": "5.0", "versionStartIncluding": "4.20.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3E13ABFB-BE15-48AD-B097-91F42FAB3C25", "versionEndExcluding": "5.4.198", "versionStartIncluding": "5.0.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34ACD872-E5BC-401C-93D5-B357A62426E0", "versionEndExcluding": "5.10.121", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20D41697-0E8B-4B7D-8842-F17BF2AA21E1", "versionEndExcluding": "5.15.46", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15E2DD33-2255-4B76-9C15-04FF8CBAB252", "versionEndExcluding": "5.17.14", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E122216-2E9E-4B3E-B7B8-D575A45BA3C2", "versionEndExcluding": "5.18.3", "versionStartIncluding": "5.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D0FE595-0CFE-4491-808B-CEF691CE7B0A"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FDF49B77-4688-4908-9239-89B729456D22"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "77F342FB-3D7B-4EAE-BF8B-57B7B860BAFD"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:rc8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47D61679-6515-4E18-83C7-A71982CCD83C"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}