{"id":"CVE-2022-50086","summary":"block: don't allow the same type rq_qos add more than once","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock: don't allow the same type rq_qos add more than once\n\nIn our test of iocost, we encountered some list add/del corruptions of\ninner_walk list in ioc_timer_fn.\n\nThe reason can be described as follows:\n\ncpu 0\t\t\t\t\tcpu 1\nioc_qos_write\t\t\t\tioc_qos_write\n\nioc = q_to_ioc(queue);\nif (!ioc) {\n        ioc = kzalloc();\n\t\t\t\t\tioc = q_to_ioc(queue);\n\t\t\t\t\tif (!ioc) {\n\t\t\t\t\t\tioc = kzalloc();\n\t\t\t\t\t\t...\n\t\t\t\t\t\trq_qos_add(q, rqos);\n\t\t\t\t\t}\n        ...\n        rq_qos_add(q, rqos);\n        ...\n}\n\nWhen the io.cost.qos file is written by two cpus concurrently, rq_qos may\nbe added to one disk twice. In that case, there will be two iocs enabled\nand running on one disk. They own different iocgs on their active list. In\nthe ioc_timer_fn function, because of the iocgs from two iocs have the\nsame root iocg, the root iocg's walk_list may be overwritten by each other\nand this leads to list add/del corruptions in building or destroying the\ninner_walk list.\n\nAnd so far, the blk-rq-qos framework works in case that one instance for\none type rq_qos per queue by default. This patch make this explicit and\nalso fix the crash above.","modified":"2026-04-03T13:14:43.617471939Z","published":"2025-06-18T11:02:27.283Z","related":["SUSE-SU-2025:02264-1","SUSE-SU-2025:02321-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50086.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/08ef66e800a85afc6b54cb95841f6502627eee2e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0b7f5d7a4d2a72ad9de04ab8ccba2a31904aa638"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0c9bb1acd1d103a3070b2126870eb52761d606ce"},{"type":"WEB","url":"https://git.kernel.org/stable/c/14a6e2eb7df5c7897c15b109cba29ab0c4a791b6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50086.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50086"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a79050434b45959f397042080fd1d70ffa9bd9df"},{"fixed":"0b7f5d7a4d2a72ad9de04ab8ccba2a31904aa638"},{"fixed":"08ef66e800a85afc6b54cb95841f6502627eee2e"},{"fixed":"0c9bb1acd1d103a3070b2126870eb52761d606ce"},{"fixed":"14a6e2eb7df5c7897c15b109cba29ab0c4a791b6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50086.json"}}],"schema_version":"1.7.5"}