CVE-2022-48664

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 28/04/2024
Last modified: 26/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix hang during unmount when stopping a space reclaim worker

Often when running generic/562 from fstests we can hang during unmount,
resulting in a trace like this:

Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00
Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.
Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1
Sep 07 11:55:32 debian9 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000
Sep 07 11:55:32 debian9 kernel: Call Trace:
Sep 07 11:55:32 debian9 kernel: __schedule+0x3c8/0xec0
Sep 07 11:55:32 debian9 kernel: ? rcu_read_lock_sched_held+0x12/0x70
Sep 07 11:55:32 debian9 kernel: schedule+0x5d/0xf0
Sep 07 11:55:32 debian9 kernel: schedule_timeout+0xf1/0x130
Sep 07 11:55:32 debian9 kernel: ? lock_release+0x224/0x4a0
Sep 07 11:55:32 debian9 kernel: ? lock_acquired+0x1a0/0x420
Sep 07 11:55:32 debian9 kernel: ? trace_hardirqs_on+0x2c/0xd0
Sep 07 11:55:32 debian9 kernel: __wait_for_common+0xac/0x200
Sep 07 11:55:32 debian9 kernel: ? usleep_range_state+0xb0/0xb0
Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530
Sep 07 11:55:32 debian9 kernel: ? flush_workqueue_prep_pwqs+0x140/0x140
Sep 07 11:55:32 debian9 kernel: ? trace_clock_local+0xc/0x30
Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0
Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs]
Sep 07 11:55:32 debian9 kernel: ? __trace_bputs+0x10b/0x170
Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs]
Sep 07 11:55:32 debian9 kernel: ? evict_inodes+0x166/0x1c0
Sep 07 11:55:32 debian9 kernel: generic_shutdown_super+0x71/0x120
Sep 07 11:55:32 debian9 kernel: kill_anon_super+0x14/0x30
Sep 07 11:55:32 debian9 kernel: btrfs_kill_super+0x12/0x20 [btrfs]
Sep 07 11:55:32 debian9 kernel: deactivate_locked_super+0x2e/0xa0
Sep 07 11:55:32 debian9 kernel: cleanup_mnt+0x100/0x160
Sep 07 11:55:32 debian9 kernel: task_work_run+0x59/0xa0
Sep 07 11:55:32 debian9 kernel: exit_to_user_mode_prepare+0x1a6/0x1b0
Sep 07 11:55:32 debian9 kernel: syscall_exit_to_user_mode+0x16/0x40
Sep 07 11:55:32 debian9 kernel: do_syscall_64+0x48/0x90
Sep 07 11:55:32 debian9 kernel: entry_SYSCALL_64_after_hwframe+0x63/0xcd
Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7
Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7
Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0
Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570
Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000

What happens is the following:

1) The cleaner kthread tries to start a transaction to delete an unused
block group, but the metadata reservation can not be satisfied right
away, so a reservation ticket is created and it starts the async
metadata reclaim task (fs_info->async_reclaim_work);

2) Writeback for all the filler inodes with an i_size of 2K starts
(generic/562 creates a lot of 2K files with the goal of filling
metadata space). We try to create an inline extent for them, but we
fail when trying to insert the inline extent with -ENOSPC (at
cow_file_range_inline()) - since this is not critical, we fallback
to non-inline mode (back to cow_file_range()), reserve extents
---truncated---

Vulnerable products and versions

CPE                                                  From                   Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         4.14.120 (including)   4.15 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         4.19.12 (including)    4.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         4.20.1 (including)     5.10.147 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         5.11 (including)       5.15.71 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         5.16 (including)       5.19.12 (excluding)
cpe:2.3:o:linux:linux_kernel:4.20:-:*:*:*:*:*:*      -                      -
cpe:2.3:o:linux:linux_kernel:4.20:rc2:*:*:*:*:*:*    -                      -
cpe:2.3:o:linux:linux_kernel:4.20:rc3:*:*:*:*:*:*    -                      -
cpe:2.3:o:linux:linux_kernel:4.20:rc4:*:*:*:*:*:*    -                      -
cpe:2.3:o:linux:linux_kernel:4.20:rc5:*:*:*:*:*:*    -                      -
cpe:2.3:o:linux:linux_kernel:4.20:rc6:*:*:*:*:*:*    -                      -
cpe:2.3:o:linux:linux_kernel:4.20:rc7:*:*:*:*:*:*    -                      -
cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*     -                      -
cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*     -                      -
cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:*     -                      -