{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-49901", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-05-01T14:05:17.245Z", "datePublished": "2025-05-01T14:10:46.974Z", "dateUpdated": "2026-05-11T19:08:54.911Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:08:54.911Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: Fix kmemleak in blk_mq_init_allocated_queue\n\nThere is a kmemleak caused by modprobe null_blk.ko\n\nunreferenced object 0xffff8881acb1f000 (size 1024):\n comm \"modprobe\", pid 836, jiffies 4294971190 (age 27.068s)\n hex dump (first 32 bytes):\n 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\n ff ff ff ff ff ff ff ff 00 53 99 9e ff ff ff ff .........S......\n backtrace:\n [<000000004a10c249>] kmalloc_node_trace+0x22/0x60\n [<00000000648f7950>] blk_mq_alloc_and_init_hctx+0x289/0x350\n [<00000000af06de0e>] blk_mq_realloc_hw_ctxs+0x2fe/0x3d0\n [<00000000e00c1872>] blk_mq_init_allocated_queue+0x48c/0x1440\n [<00000000d16b4e68>] __blk_mq_alloc_disk+0xc8/0x1c0\n [<00000000d10c98c3>] 0xffffffffc450d69d\n [<00000000b9299f48>] 0xffffffffc4538392\n [<0000000061c39ed6>] do_one_initcall+0xd0/0x4f0\n [<00000000b389383b>] do_init_module+0x1a4/0x680\n [<0000000087cf3542>] load_module+0x6249/0x7110\n [<00000000beba61b8>] __do_sys_finit_module+0x140/0x200\n [<00000000fdcfff51>] do_syscall_64+0x35/0x80\n [<000000003c0f1f71>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThat is because q->ma_ops is set to NULL before blk_release_queue is\ncalled.\n\nblk_mq_init_queue_data\n blk_mq_init_allocated_queue\n blk_mq_realloc_hw_ctxs\n for (i = 0; i < set->nr_hw_queues; i++) {\n old_hctx = xa_load(&q->hctx_table, i);\n if (!blk_mq_alloc_and_init_hctx(.., i, ..))\t\t[1]\n if (!old_hctx)\n\t break;\n\n xa_for_each_start(&q->hctx_table, j, hctx, j)\n blk_mq_exit_hctx(q, set, hctx, j); \t\t\t[2]\n\n if (!q->nr_hw_queues)\t\t\t\t\t[3]\n goto err_hctxs;\n\n err_exit:\n q->mq_ops = NULL;\t\t\t \t\t\t[4]\n\n blk_put_queue\n blk_release_queue\n if (queue_is_mq(q))\t\t\t\t\t[5]\n blk_mq_release(q);\n\n[1]: blk_mq_alloc_and_init_hctx failed at i != 0.\n[2]: The hctxs allocated by [1] are moved to q->unused_hctx_list and\nwill be cleaned up in blk_mq_release.\n[3]: q->nr_hw_queues is 0.\n[4]: Set q->mq_ops to NULL.\n[5]: queue_is_mq returns false due to [4]. And blk_mq_release\nwill not be called. The hctxs in q->unused_hctx_list are leaked.\n\nTo fix it, call blk_release_queue in exception path."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["block/blk-mq.c"], "versions": [{"version": "2f8f1336a48bd5186de3476da0a3e2ec06d0533a", "lessThan": "2dc97e15a54b7bdf457848aa8c663c98a24e58a6", "status": "affected", "versionType": "git"}, {"version": "2f8f1336a48bd5186de3476da0a3e2ec06d0533a", "lessThan": "943f45b9399ed8b2b5190cbc797995edaa97f58f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["block/blk-mq.c"], "versions": [{"version": "5.2", "status": "affected"}, {"version": "0", "lessThan": "5.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.8", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.2", "versionEndExcluding": "6.0.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.2", "versionEndExcluding": "6.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2dc97e15a54b7bdf457848aa8c663c98a24e58a6"}, {"url": "https://git.kernel.org/stable/c/943f45b9399ed8b2b5190cbc797995edaa97f58f"}], "title": "blk-mq: Fix kmemleak in blk_mq_init_allocated_queue", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-401", "lang": "en", "description": "CWE-401 Missing Release of Memory after Effective Lifetime"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-10-01T14:59:17.778258Z", "id": "CVE-2022-49901", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-01T20:16:35.594Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-49901", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-01T14:59:17.778258Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-01T14:22:51.897Z"}}], "cna": {"title": "blk-mq: Fix kmemleak in blk_mq_init_allocated_queue", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "2f8f1336a48bd5186de3476da0a3e2ec06d0533a", "lessThan": "2dc97e15a54b7bdf457848aa8c663c98a24e58a6", "versionType": "git"}, {"status": "affected", "version": "2f8f1336a48bd5186de3476da0a3e2ec06d0533a", "lessThan": "943f45b9399ed8b2b5190cbc797995edaa97f58f", "versionType": "git"}], "programFiles": ["block/blk-mq.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.2"}, {"status": "unaffected", "version": "0", "lessThan": "5.2", "versionType": "semver"}, {"status": "unaffected", "version": "6.0.8", "versionType": "semver", "lessThanOrEqual": "6.0.*"}, {"status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["block/blk-mq.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/2dc97e15a54b7bdf457848aa8c663c98a24e58a6"}, {"url": "https://git.kernel.org/stable/c/943f45b9399ed8b2b5190cbc797995edaa97f58f"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: Fix kmemleak in blk_mq_init_allocated_queue\n\nThere is a kmemleak caused by modprobe null_blk.ko\n\nunreferenced object 0xffff8881acb1f000 (size 1024):\n comm \"modprobe\", pid 836, jiffies 4294971190 (age 27.068s)\n hex dump (first 32 bytes):\n 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\n ff ff ff ff ff ff ff ff 00 53 99 9e ff ff ff ff .........S......\n backtrace:\n [<000000004a10c249>] kmalloc_node_trace+0x22/0x60\n [<00000000648f7950>] blk_mq_alloc_and_init_hctx+0x289/0x350\n [<00000000af06de0e>] blk_mq_realloc_hw_ctxs+0x2fe/0x3d0\n [<00000000e00c1872>] blk_mq_init_allocated_queue+0x48c/0x1440\n [<00000000d16b4e68>] __blk_mq_alloc_disk+0xc8/0x1c0\n [<00000000d10c98c3>] 0xffffffffc450d69d\n [<00000000b9299f48>] 0xffffffffc4538392\n [<0000000061c39ed6>] do_one_initcall+0xd0/0x4f0\n [<00000000b389383b>] do_init_module+0x1a4/0x680\n [<0000000087cf3542>] load_module+0x6249/0x7110\n [<00000000beba61b8>] __do_sys_finit_module+0x140/0x200\n [<00000000fdcfff51>] do_syscall_64+0x35/0x80\n [<000000003c0f1f71>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThat is because q->ma_ops is set to NULL before blk_release_queue is\ncalled.\n\nblk_mq_init_queue_data\n blk_mq_init_allocated_queue\n blk_mq_realloc_hw_ctxs\n for (i = 0; i < set->nr_hw_queues; i++) {\n old_hctx = xa_load(&q->hctx_table, i);\n if (!blk_mq_alloc_and_init_hctx(.., i, ..))\t\t[1]\n if (!old_hctx)\n\t break;\n\n xa_for_each_start(&q->hctx_table, j, hctx, j)\n blk_mq_exit_hctx(q, set, hctx, j); \t\t\t[2]\n\n if (!q->nr_hw_queues)\t\t\t\t\t[3]\n goto err_hctxs;\n\n err_exit:\n q->mq_ops = NULL;\t\t\t \t\t\t[4]\n\n blk_put_queue\n blk_release_queue\n if (queue_is_mq(q))\t\t\t\t\t[5]\n blk_mq_release(q);\n\n[1]: blk_mq_alloc_and_init_hctx failed at i != 0.\n[2]: The hctxs allocated by [1] are moved to q->unused_hctx_list and\nwill be cleaned up in blk_mq_release.\n[3]: q->nr_hw_queues is 0.\n[4]: Set q->mq_ops to NULL.\n[5]: queue_is_mq returns false due to [4]. And blk_mq_release\nwill not be called. The hctxs in q->unused_hctx_list are leaked.\n\nTo fix it, call blk_release_queue in exception path."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.0.8", "versionStartIncluding": "5.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1", "versionStartIncluding": "5.2"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:48:17.645Z"}}}, "cveMetadata": {"cveId": "CVE-2022-49901", "state": "PUBLISHED", "dateUpdated": "2025-10-01T20:16:35.594Z", "dateReserved": "2025-05-01T14:05:17.245Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2025-05-01T14:10:46.974Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "66B9CABA-A89A-494C-A449-F7161E64DECE", "versionEndExcluding": "6.0.8", "versionStartIncluding": "5.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "E2422816-0C14-4B5E-A1E6-A9D776E5C49B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: Fix kmemleak in blk_mq_init_allocated_queue\n\nThere is a kmemleak caused by modprobe null_blk.ko\n\nunreferenced object 0xffff8881acb1f000 (size 1024):\n comm \"modprobe\", pid 836, jiffies 4294971190 (age 27.068s)\n hex dump (first 32 bytes):\n 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\n ff ff ff ff ff ff ff ff 00 53 99 9e ff ff ff ff .........S......\n backtrace:\n [<000000004a10c249>] kmalloc_node_trace+0x22/0x60\n [<00000000648f7950>] blk_mq_alloc_and_init_hctx+0x289/0x350\n [<00000000af06de0e>] blk_mq_realloc_hw_ctxs+0x2fe/0x3d0\n [<00000000e00c1872>] blk_mq_init_allocated_queue+0x48c/0x1440\n [<00000000d16b4e68>] __blk_mq_alloc_disk+0xc8/0x1c0\n [<00000000d10c98c3>] 0xffffffffc450d69d\n [<00000000b9299f48>] 0xffffffffc4538392\n [<0000000061c39ed6>] do_one_initcall+0xd0/0x4f0\n [<00000000b389383b>] do_init_module+0x1a4/0x680\n [<0000000087cf3542>] load_module+0x6249/0x7110\n [<00000000beba61b8>] __do_sys_finit_module+0x140/0x200\n [<00000000fdcfff51>] do_syscall_64+0x35/0x80\n [<000000003c0f1f71>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThat is because q->ma_ops is set to NULL before blk_release_queue is\ncalled.\n\nblk_mq_init_queue_data\n blk_mq_init_allocated_queue\n blk_mq_realloc_hw_ctxs\n for (i = 0; i < set->nr_hw_queues; i++) {\n old_hctx = xa_load(&q->hctx_table, i);\n if (!blk_mq_alloc_and_init_hctx(.., i, ..))\t\t[1]\n if (!old_hctx)\n\t break;\n\n xa_for_each_start(&q->hctx_table, j, hctx, j)\n blk_mq_exit_hctx(q, set, hctx, j); \t\t\t[2]\n\n if (!q->nr_hw_queues)\t\t\t\t\t[3]\n goto err_hctxs;\n\n err_exit:\n q->mq_ops = NULL;\t\t\t \t\t\t[4]\n\n blk_put_queue\n blk_release_queue\n if (queue_is_mq(q))\t\t\t\t\t[5]\n blk_mq_release(q);\n\n[1]: blk_mq_alloc_and_init_hctx failed at i != 0.\n[2]: The hctxs allocated by [1] are moved to q->unused_hctx_list and\nwill be cleaned up in blk_mq_release.\n[3]: q->nr_hw_queues is 0.\n[4]: Set q->mq_ops to NULL.\n[5]: queue_is_mq returns false due to [4]. And blk_mq_release\nwill not be called. The hctxs in q->unused_hctx_list are leaked.\n\nTo fix it, call blk_release_queue in exception path."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: blk-mq: Se corrige kmemleak en blk_mq_init_allocated_queue Hay una kmemleak causada por modprobe null_blk.ko objeto no referenciado 0xffff8881acb1f000 (tama\u00f1o 1024): comm \"modprobe\", pid 836, jiffies 4294971190 (edad 27.068s) volcado hexadecimal (primeros 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff ff 00 53 99 9e ff ff ff ff .........S...... backtrace: [&lt;000000004a10c249&gt;] kmalloc_node_trace+0x22/0x60 [&lt;00000000648f7950&gt;] blk_mq_alloc_and_init_hctx+0x289/0x350 [&lt;00000000af06de0e&gt;] blk_mq_realloc_hw_ctxs+0x2fe/0x3d0 [&lt;00000000e00c1872&gt;] blk_mq_init_allocated_queue+0x48c/0x1440 [&lt;00000000d16b4e68&gt;] __blk_mq_alloc_disk+0xc8/0x1c0 [&lt;00000000d10c98c3&gt;] 0xffffffffc450d69d [&lt;00000000b9299f48&gt;] 0xffffffffc4538392 [&lt;0000000061c39ed6&gt;] hacer_una_llamada_inicio+0xd0/0x4f0 [&lt;00000000b389383b&gt;] hacer_m\u00f3dulo_inicio+0x1a4/0x680 [&lt;0000000087cf3542&gt;] cargar_m\u00f3dulo+0x6249/0x7110 [&lt;00000000beba61b8&gt;] __hacer_m\u00f3dulo_finit_sys+0x140/0x200 [&lt;00000000fdcfff51&gt;] hacer_llamada_al_sistema_64+0x35/0x80 [&lt;000000003c0f1f71&gt;] entry_SYSCALL_64_after_hwframe+0x46/0xb0 Esto se debe a que q-&gt;ma_ops se establece en NULL antes de llamar a blk_release_queue. blk_mq_init_queue_data blk_mq_init_allocated_queue blk_mq_realloc_hw_ctxs para (i = 0; i &lt; set-&gt;nr_hw_queues; i++) { old_hctx = xa_load(&amp;q-&gt;hctx_table, i); si (!blk_mq_alloc_and_init_hctx(.., i, ..)) [1] si (!old_hctx) break; xa_for_each_start(&amp;q-&gt;hctx_table, j, hctx, j) blk_mq_exit_hctx(q, set, hctx, j); [2] if (!q-&gt;nr_hw_queues) [3] goto err_hctxs; err_exit: q-&gt;mq_ops = NULL; [4] blk_put_queue blk_release_queue if (queue_is_mq(q)) [5] blk_mq_release(q); [1]: blk_mq_alloc_and_init_hctx fall\u00f3 en i != 0. [2]: Los hctxs asignados por [1] se mueven a q-&gt;unused_hctx_list y se limpiar\u00e1n en blk_mq_release. [3]: q-&gt;nr_hw_queues es 0. [4]: Establece q-&gt;mq_ops en NULL. [5]: queue_is_mq devuelve falso debido a [4]. No se llamar\u00e1 a blk_mq_release. Los hctxs en q-&gt;unused_hctx_list tienen fugas. Para solucionarlo, llame a blk_release_queue en la ruta de excepci\u00f3n."}], "id": "CVE-2022-49901", "lastModified": "2025-10-01T21:15:41.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-05-01T15:16:15.167", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2dc97e15a54b7bdf457848aa8c663c98a24e58a6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/943f45b9399ed8b2b5190cbc797995edaa97f58f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-401"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: blk-mq: Fix kmemleak in blk_mq_init_allocated_queue", "id": "2363450", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363450"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nblk-mq: Fix kmemleak in blk_mq_init_allocated_queue\nThere is a kmemleak caused by modprobe null_blk.ko\nunreferenced object 0xffff8881acb1f000 (size 1024):\ncomm \"modprobe\", pid 836, jiffies 4294971190 (age 27.068s)\nhex dump (first 32 bytes):\n00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\nff ff ff ff ff ff ff ff 00 53 99 9e ff ff ff ff .........S......\nbacktrace:\n[<000000004a10c249>] kmalloc_node_trace+0x22/0x60\n[<00000000648f7950>] blk_mq_alloc_and_init_hctx+0x289/0x350\n[<00000000af06de0e>] blk_mq_realloc_hw_ctxs+0x2fe/0x3d0\n[<00000000e00c1872>] blk_mq_init_allocated_queue+0x48c/0x1440\n[<00000000d16b4e68>] __blk_mq_alloc_disk+0xc8/0x1c0\n[<00000000d10c98c3>] 0xffffffffc450d69d\n[<00000000b9299f48>] 0xffffffffc4538392\n[<0000000061c39ed6>] do_one_initcall+0xd0/0x4f0\n[<00000000b389383b>] do_init_module+0x1a4/0x680\n[<0000000087cf3542>] load_module+0x6249/0x7110\n[<00000000beba61b8>] __do_sys_finit_module+0x140/0x200\n[<00000000fdcfff51>] do_syscall_64+0x35/0x80\n[<000000003c0f1f71>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\nThat is because q->ma_ops is set to NULL before blk_release_queue is\ncalled.\nblk_mq_init_queue_data\nblk_mq_init_allocated_queue\nblk_mq_realloc_hw_ctxs\nfor (i = 0; i < set->nr_hw_queues; i++) {\nold_hctx = xa_load(&q->hctx_table, i);\nif (!blk_mq_alloc_and_init_hctx(.., i, ..))[1]\nif (!old_hctx)\nbreak;\nxa_for_each_start(&q->hctx_table, j, hctx, j)\nblk_mq_exit_hctx(q, set, hctx, j); [2]\nif (!q->nr_hw_queues)[3]\ngoto err_hctxs;\nerr_exit:\nq->mq_ops = NULL; [4]\nblk_put_queue\nblk_release_queue\nif (queue_is_mq(q))[5]\nblk_mq_release(q);\n[1]: blk_mq_alloc_and_init_hctx failed at i != 0.\n[2]: The hctxs allocated by [1] are moved to q->unused_hctx_list and\nwill be cleaned up in blk_mq_release.\n[3]: q->nr_hw_queues is 0.\n[4]: Set q->mq_ops to NULL.\n[5]: queue_is_mq returns false due to [4]. And blk_mq_release\nwill not be called. The hctxs in q->unused_hctx_list are leaked.\nTo fix it, call blk_release_queue in exception path."], "name": "CVE-2022-49901", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49901\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49901\nhttps://lore.kernel.org/linux-cve-announce/2025050101-CVE-2022-49901-1130@gregkh/T"], "statement": "pinctrl_dt_to_map() failed to check the return from kasprintf(). If memory pressure makes kasprintf() return NULL, a subsequent strcmp() dereferences that NULL pointer, letting any local process that can trigger device-tree pin-controller parsing crash the kernel (DoS). Exploiting this requires high privileges (control over kernel-space DT parsing and the ability to exhaust kmalloc), so Confidentiality/Integrity are unaffected while Availability is High.", "threat_severity": "Moderate"}

{}