CVE-2022-50550: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-50550 is a memory leak vulnerability discovered in the Linux kernel's block I/O latency (blk-iolatency) subsystem. The issue occurs when a gendisk is successfully initialized but add_disk() fails, such as when a loop device has invalid number of minor device numbers specified. The vulnerability was disclosed on October 7, 2025 (NVD).

The vulnerability stems from an initialization sequence where blkcg_init_disk() is called during init and then blkcg_exit_disk() during error handling. The iolatency gets initialized in the former but doesn't get cleaned up in the latter. This occurs because in non-error cases, the cleanup is performed by del_gendisk() calling rq_qos_exit(), with the assumption that rq_qos policies can only be activated once the disk is fully registered and visible. While this assumption holds true for wbt and iocost, it doesn't apply to iolatency as it gets initialized before add_disk() is called (RedHat).

The vulnerability results in a memory leak condition when disk initialization fails. According to Red Hat's assessment, this vulnerability has been assigned a CVSS v3.1 base score of 5.5, indicating a medium severity level with local access required (RedHat).

As a fix for the immediate problem, an extra call to rq_qos_exit() has been added in blkcg_exit_disk(). This solution is safe because duplicate calls to rq_qos_exit() become no-ops. While a more comprehensive solution would involve switching iolatency to lazy initialization, that represents a bigger change that was deferred for later (RedHat).