
Cloud Vulnerability DB
A community-led vulnerabilities database
A use-after-free vulnerability was discovered in the Linux kernel's BFQ (Budget Fair Queueing) I/O scheduler. The vulnerability (CVE-2022-49179) occurs when oom_bfqq is moved to a non-root group, which causes root_group to be freed earlier and leads to a use-after-free condition in the __bfq_put_async_bfqq function (Kernel Git).
The vulnerability manifests when the oom_bfqq (out-of-memory BFQ queue) is moved to a non-root group, which causes premature freeing of the root_group. This results in a use-after-free condition when the freed memory is accessed in the __bfq_put_async_bfqq function. The issue was discovered through KASAN (Kernel Address Sanitizer), which reported a write of size 8 at an invalid memory address (NVD).
The vulnerability could lead to memory corruption in the kernel's I/O scheduling subsystem. When exploited, it could potentially cause system crashes or enable privilege escalation. The CVSS v3.1 base score is 7.8 (High), indicating significant potential impact (CISA-ADP).
The issue has been fixed by preventing oom_bfqq from being moved to non-root groups. A patch was implemented that adds a check in bfq_bfqq_move() to return early if the queue being moved is oom_bfqq, ensuring it maintains its reference to root_group until elevator exit (Kernel Git).
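As a triage aid, the script below is an added example, not part of the advisory or the kernel patch. It lists block devices whose active I/O scheduler is bfq and counts KASAN use-after-free reports in a saved kernel log that name __bfq_put_async_bfqq. The function names, the demo directory layout and the sample log lines are constructed for illustration; the script does not check whether the running kernel carries the fix.

```shell
#!/bin/sh
# Added example (not from the advisory): triage helpers for CVE-2022-49179.

# Print the active scheduler from a sysfs "scheduler" file, where the kernel
# marks the active one in brackets, e.g. "mq-deadline kyber [bfq] none".
active_scheduler() {
    sed -n 's/.*\[\([^]]*\)].*/\1/p' "$1"
}

# Print the name of every block device under DIR (default /sys/block)
# whose active scheduler is bfq, one per line.
bfq_devices() {
    dir=${1:-/sys/block}
    for f in "$dir"/*/queue/scheduler; do
        [ -r "$f" ] || continue
        if [ "$(active_scheduler "$f")" = "bfq" ]; then
            dev=${f%/queue/scheduler}
            echo "${dev##*/}"
        fi
    done
}

# Count KASAN use-after-free reports in LOG that name __bfq_put_async_bfqq.
# Matches "use-after-free" and the newer "slab-use-after-free" wording.
kasan_bfq_hits() {
    grep -c 'BUG: KASAN: .*use-after-free in __bfq_put_async_bfqq' "$1" || true
}

# Demo on constructed data (not real system output).
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/block/sda/queue" "$t/block/nvme0n1/queue"
    echo 'mq-deadline kyber [bfq] none' > "$t/block/sda/queue/scheduler"
    echo '[none] mq-deadline kyber bfq' > "$t/block/nvme0n1/queue/scheduler"
    cat > "$t/kern.log" <<'EOF'
[ 100.000001] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0x0/0x0
[ 100.000002] Write of size 8 at addr 0000000000000000 by task example/1
EOF
    echo "bfq active on: $(bfq_devices "$t/block")"
    echo "KASAN hits: $(kasan_bfq_hits "$t/kern.log")"
    rm -rf "$t"
}
demo
```

On a live host, call bfq_devices with no argument to read /sys/block, and pass kasan_bfq_hits a file holding saved kernel log output.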
Source: This report was generated using AI