VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 24, 2025· Updated Apr 15, 2026

CVE-2022-50752

CVE-2022-50752

Description

In the Linux kernel, the following vulnerability has been resolved:

md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()

When running chunk-sized reads on disks with badblocks duplicate bio free/puts are observed:

============================================================================= BUG bio-200 (Not tainted): Object already free ----------------------------------------------------------------------------- Allocated in mempool_alloc_slab+0x17/0x20 age=3 cpu=2 pid=7504 __slab_alloc.constprop.0+0x5a/0xb0 kmem_cache_alloc+0x31e/0x330 mempool_alloc_slab+0x17/0x20 mempool_alloc+0x100/0x2b0 bio_alloc_bioset+0x181/0x460 do_mpage_readpage+0x776/0xd00 mpage_readahead+0x166/0x320 blkdev_readahead+0x15/0x20 read_pages+0x13f/0x5f0 page_cache_ra_unbounded+0x18d/0x220 force_page_cache_ra+0x181/0x1c0 page_cache_sync_ra+0x65/0xb0 filemap_get_pages+0x1df/0xaf0 filemap_read+0x1e1/0x700 blkdev_read_iter+0x1e5/0x330 vfs_read+0x42a/0x570 Freed in mempool_free_slab+0x17/0x20 age=3 cpu=2 pid=7504 kmem_cache_free+0x46d/0x490 mempool_free_slab+0x17/0x20 mempool_free+0x66/0x190 bio_free+0x78/0x90 bio_put+0x100/0x1a0 raid5_make_request+0x2259/0x2450 md_handle_request+0x402/0x600 md_submit_bio+0xd9/0x120 __submit_bio+0x11f/0x1b0 submit_bio_noacct_nocheck+0x204/0x480 submit_bio_noacct+0x32e/0xc70 submit_bio+0x98/0x1a0 mpage_readahead+0x250/0x320 blkdev_readahead+0x15/0x20 read_pages+0x13f/0x5f0 page_cache_ra_unbounded+0x18d/0x220 Slab 0xffffea000481b600 objects=21 used=0 fp=0xffff8881206d8940 flags=0x17ffffc0010201(locked|slab|head|node=0|zone=2|lastcpupid=0x1fffff) CPU: 0 PID: 34525 Comm: kworker/u24:2 Not tainted 6.0.0-rc2-localyes-265166-gf11c5343fa3f #143 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: raid5wq raid5_do_work Call Trace:

dump_stack_lvl+0x5a/0x78 dump_stack+0x10/0x16 print_trailer+0x158/0x165 object_err+0x35/0x50 free_debug_processing.cold+0xb7/0xbe __slab_free+0x1ae/0x330 kmem_cache_free+0x46d/0x490 mempool_free_slab+0x17/0x20 mempool_free+0x66/0x190 bio_free+0x78/0x90 bio_put+0x100/0x1a0 mpage_end_io+0x36/0x150 bio_endio+0x2fd/0x360 md_end_io_acct+0x7e/0x90 bio_endio+0x2fd/0x360 handle_failed_stripe+0x960/0xb80 handle_stripe+0x1348/0x3760 handle_active_stripes.constprop.0+0x72a/0xaf0 raid5_do_work+0x177/0x330 process_one_work+0x616/0xb20 worker_thread+0x2bd/0x6f0 kthread+0x179/0x1b0 ret_from_fork+0x22/0x30

The double free is caused by an unnecessary bio_put() in the if(is_badblock(...)) error path in raid5_read_one_chunk().

The error path was moved ahead of bio_alloc_clone() in c82aa1b76787c ("md/raid5: move checking badblock before clone bio in raid5_read_one_chunk"). The previous code checked and freed align_bio which required a bio_put. After the move that is no longer needed as raid_bio is returned to the control of the common io path which performs its own endio resulting in a double free on bad device blocks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A bug in the Linux kernel's md/raid5 driver causes a double bio_put() when reading chunk-sized I/Os on disks with bad blocks, leading to a use-after-free of the bio object.

Vulnerability

CVE-2022-50752 is a bug in the Linux kernel's MD RAID5 implementation, specifically in the raid5_read_one_chunk() function. When a chunk-sized read is performed on a RAID5 array containing disks with bad blocks, the function incorrectly frees a bio that has already been freed, resulting in a double free. This is visible in kernel debug logs as a "Object already free" BUG for the bio slab allocator.

Exploitation

An attacker who can trigger disk read operations (e.g., through normal file access) on a RAID5 array that has encountered bad blocks can reproduce the scenario. No special privileges are required beyond the ability to read from the block device. The bug manifests when the I/O size exactly matches the chunk size, causing the redundant bio_put() call in raid5_read_one_chunk() to free the bio a second time.

Impact

A double free of a bio object can lead to kernel memory corruption, use-after-free, or slab corruption. This may cause system instability, denial of service (kernel panic), or potentially be leveraged for privilege escalation if the freed memory is reallocated in a controlled manner. The vulnerability is local and requires access to the affected RAID volume.

Mitigation

The Linux kernel community has merged fixes for this issue in the upstream stable tree, as shown by commits c66a6f41e09a and 7a37c58ee72e [1][2]. System administrators should apply kernel updates from their distribution that contain these patches. There is no known workaround beyond avoiding chunk-sized reads on arrays with bad blocks, which is impractical.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

4
7a37c58ee72e
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
c0fd5d4d8fd7
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
21a9c7354aa5
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
c66a6f41e09a
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.