CVE-2022-48734

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 20/06/2024
Last modified: 19/08/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix deadlock between quota disable and qgroup rescan worker

The quota disable ioctl starts a transaction before waiting for the qgroup
rescan worker to complete. However, this wait can be infinite and results
in a deadlock because of a circular dependency among the quota disable
ioctl, the qgroup rescan worker and another task with a transaction, such
as a block group relocation task.

The deadlock happens with the following steps:

1) Task A calls the ioctl to disable quota. It starts a transaction and
   waits for the qgroup rescan worker to complete.
2) Task B, such as a block group relocation task, starts a transaction and
   joins the transaction that task A started. Then task B commits the
   transaction. In this commit, task B waits for a commit by task A.
3) Task C, the qgroup rescan worker, starts its job and starts a
   transaction. In this transaction start, task C waits for completion
   of the transaction that task A started and task B committed.

This deadlock was found with fstests test case btrfs/115 and a zoned
null_blk device. The test case enables and disables quota, and the
block group reclaim was triggered during the quota disable by chance.
The deadlock was also observed by running quota enable and disable in
parallel with the 'btrfs balance' command on regular null_blk devices.

An example report of the deadlock:

[372.469894] INFO: task kworker/u16:6:103 blocked for more than 122 seconds.
[372.479944] Not tainted 5.16.0-rc8 #7
[372.485067] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[372.493898] task:kworker/u16:6 state:D stack: 0 pid: 103 ppid: 2 flags:0x00004000
[372.503285] Workqueue: btrfs-qgroup-rescan btrfs_work_helper [btrfs]
[372.510782] Call Trace:
[372.514092]
[372.521684] __schedule+0xb56/0x4850
[372.530104] ? io_schedule_timeout+0x190/0x190
[372.538842] ? lockdep_hardirqs_on+0x7e/0x100
[372.547092] ? _raw_spin_unlock_irqrestore+0x3e/0x60
[372.555591] schedule+0xe0/0x270
[372.561894] btrfs_commit_transaction+0x18bb/0x2610 [btrfs]
[372.570506] ? btrfs_apply_pending_changes+0x50/0x50 [btrfs]
[372.578875] ? free_unref_page+0x3f2/0x650
[372.585484] ? finish_wait+0x270/0x270
[372.591594] ? release_extent_buffer+0x224/0x420 [btrfs]
[372.599264] btrfs_qgroup_rescan_worker+0xc13/0x10c0 [btrfs]
[372.607157] ? lock_release+0x3a9/0x6d0
[372.613054] ? btrfs_qgroup_account_extent+0xda0/0xda0 [btrfs]
[372.620960] ? do_raw_spin_lock+0x11e/0x250
[372.627137] ? rwlock_bug.part.0+0x90/0x90
[372.633215] ? lock_is_held_type+0xe4/0x140
[372.639404] btrfs_work_helper+0x1ae/0xa90 [btrfs]
[372.646268] process_one_work+0x7e9/0x1320
[372.652321] ? lock_release+0x6d0/0x6d0
[372.658081] ? pwq_dec_nr_in_flight+0x230/0x230
[372.664513] ? rwlock_bug.part.0+0x90/0x90
[372.670529] worker_thread+0x59e/0xf90
[372.676172] ? process_one_work+0x1320/0x1320
[372.682440] kthread+0x3b9/0x490
[372.687550] ? _raw_spin_unlock_irq+0x24/0x50
[372.693811] ? set_kthread_struct+0x100/0x100
[372.700052] ret_from_fork+0x22/0x30
[372.705517]
[372.709747] INFO: task btrfs-transacti:2347 blocked for more than 123 seconds.
[372.729827] Not tainted 5.16.0-rc8 #7
[372.745907] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[372.767106] task:btrfs-transacti state:D stack: 0 pid: 2347 ppid: 2 flags:0x00004000
[372.787776] Call Trace:
[372.801652]
[372.812961] __schedule+0xb56/0x4850
[372.830011] ? io_schedule_timeout+0x190/0x190
[372.852547] ? lockdep_hardirqs_on+0x7e/0x100
[372.871761] ? _raw_spin_unlock_irqrestore+0x3e/0x60
[372.886792] schedule+0xe0/0x270
[372.901685] wait_current_trans+0x22c/0x310 [btrfs]
[372.919743] ? btrfs_put_transaction+0x3d0/0x3d0 [btrfs]
[372.938923] ? finish_wait+0x270/0x270
[372.959085] ? join_transaction+0xc7
---truncated---
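The hung task report above is the only runtime evidence of this deadlock a responder is likely to have, so the following is an added example (not part of the advisory or of the kernel commit) of triaging such output: it parses `INFO: task ... blocked for more than N seconds` reports from dmesg into one record per blocked task, keeps the reliable call-trace frames (those not prefixed with `?`), and applies a fingerprint for the combination the report shows. The sample input is the report above with the call traces shortened; the fingerprint in `matches_qgroup_rescan_deadlock` is this example's own heuristic, not a kernel or vendor signature, and a match should be confirmed against the running kernel version rather than treated as proof.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hung-task report lines as printed by the kernel's hung task detector
# (CONFIG_DETECT_HUNG_TASK, tunable via /proc/sys/kernel/hung_task_timeout_secs).
HUNG_TASK_RE = re.compile(
    r"INFO: task (?P<name>\S+):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds"
)
WORKQUEUE_RE = re.compile(r"^Workqueue: (?P<wq>\S+)")
# One call-trace frame: "symbol+0xoff/0xlen [module]". Frames prefixed with "? "
# are unreliable guesses from the stack unwinder and are skipped below.
FRAME_RE = re.compile(r"^(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(?P<mod>\w+)\])?$")
TIMESTAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")


@dataclass
class BlockedTask:
    name: str
    pid: int
    seconds: int
    workqueue: Optional[str] = None
    frames: List[str] = field(default_factory=list)  # reliable frames, innermost first


def parse_hung_task_report(lines):
    """Group dmesg lines into one BlockedTask per 'INFO: task ... blocked' header."""
    tasks = []
    cur = None
    for raw in lines:
        line = TIMESTAMP_RE.sub("", raw).strip()
        m = HUNG_TASK_RE.search(line)
        if m:
            cur = BlockedTask(m["name"], int(m["pid"]), int(m["secs"]))
            tasks.append(cur)
            continue
        if cur is None or line.startswith("?"):
            continue
        m = WORKQUEUE_RE.match(line)
        if m:
            cur.workqueue = m["wq"]
            continue
        m = FRAME_RE.match(line)
        if m:
            cur.frames.append(m["sym"])
    return tasks


def matches_qgroup_rescan_deadlock(tasks):
    """Heuristic fingerprint of the report quoted above (this example's own rule):
    a blocked btrfs-qgroup-rescan worker waiting in btrfs_commit_transaction
    together with a blocked btrfs-transacti kthread waiting in wait_current_trans.
    Other btrfs hangs can produce similar traces, so a match is a lead to
    confirm against the running kernel version, not a verdict."""
    rescan_stuck = any(
        t.workqueue == "btrfs-qgroup-rescan" and "btrfs_commit_transaction" in t.frames
        for t in tasks
    )
    transacti_stuck = any(
        t.name == "btrfs-transacti" and "wait_current_trans" in t.frames
        for t in tasks
    )
    return rescan_stuck and transacti_stuck


# Sample input: the two reports from the advisory above, call traces shortened.
SAMPLE_DMESG = """\
[372.469894] INFO: task kworker/u16:6:103 blocked for more than 122 seconds.
[372.479944] Not tainted 5.16.0-rc8 #7
[372.485067] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[372.493898] task:kworker/u16:6 state:D stack: 0 pid: 103 ppid: 2 flags:0x00004000
[372.503285] Workqueue: btrfs-qgroup-rescan btrfs_work_helper [btrfs]
[372.510782] Call Trace:
[372.521684] __schedule+0xb56/0x4850
[372.530104] ? io_schedule_timeout+0x190/0x190
[372.555591] schedule+0xe0/0x270
[372.561894] btrfs_commit_transaction+0x18bb/0x2610 [btrfs]
[372.599264] btrfs_qgroup_rescan_worker+0xc13/0x10c0 [btrfs]
[372.639404] btrfs_work_helper+0x1ae/0xa90 [btrfs]
[372.709747] INFO: task btrfs-transacti:2347 blocked for more than 123 seconds.
[372.729827] Not tainted 5.16.0-rc8 #7
[372.767106] task:btrfs-transacti state:D stack: 0 pid: 2347 ppid: 2 flags:0x00004000
[372.787776] Call Trace:
[372.812961] __schedule+0xb56/0x4850
[372.886792] schedule+0xe0/0x270
[372.901685] wait_current_trans+0x22c/0x310 [btrfs]
"""

if __name__ == "__main__":
    tasks = parse_hung_task_report(SAMPLE_DMESG.splitlines())
    for t in tasks:
        print(f"{t.name}[{t.pid}] blocked {t.seconds}s wq={t.workqueue} frames={t.frames}")
    print("qgroup rescan deadlock pattern:", matches_qgroup_rescan_deadlock(tasks))
```

Feed it `dmesg` or `journalctl -k` output line by line; the third participant in the cycle (the task A that issued the quota disable ioctl) is not in the truncated report above, so the fingerprint deliberately keys only on the two tasks the report does show.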

Vulnerable products and versions

CPE                                           From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  (no lower bound)  5.4.178 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.5 (including)   5.10.99 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.11 (including)  5.15.22 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.16 (including)  5.16.8 (excluding)
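As an added example (not from the advisory), the check below encodes the four rows of the table exactly as listed, with the first row's missing lower bound taken literally as "any older kernel", and tests a `uname -r` string against them. The caveat a practitioner needs: distribution kernels backport fixes without changing the upstream version number, so on a vendor kernel a match here means "consult the vendor's advisory for this CVE", not "vulnerable"; only on mainline or stable.kernel.org builds is the number itself conclusive. Function names and the release-string parsing are this example's own.

```python
import platform
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# The four affected ranges from the table above as (from inclusive, up to exclusive).
# The first row lists no lower bound, so None means "any older kernel".
AFFECTED_RANGES = [
    (None,       (5, 4, 178)),
    ((5, 5, 0),  (5, 10, 99)),
    ((5, 11, 0), (5, 15, 22)),
    ((5, 16, 0), (5, 16, 8)),
]

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release: str) -> Version:
    """Reduce a `uname -r` string such as '5.15.21-generic' or '5.16.0-rc8' to
    (major, minor, patch). A missing patch level is treated as 0; anything after
    the numeric prefix (rc tags, distro suffixes) is ignored."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_range(version: Version):
    """Return the (from, up_to) row covering `version`, or None if no row does."""
    for lo, hi in AFFECTED_RANGES:
        if (lo is None or version >= lo) and version < hi:
            return (lo, hi)
    return None


def is_affected(release: str) -> bool:
    """True when the upstream version number falls in one of the listed ranges.
    Caveat: distributions backport fixes without bumping this number, so for a
    vendor kernel a True here means "consult the vendor advisory", not "vulnerable"."""
    return affected_range(parse_release(release)) is not None


def describe(release: str) -> str:
    """Human-readable verdict for one release string."""
    row = affected_range(parse_release(release))
    if row is None:
        return f"{release}: not in any listed range"
    lo, hi = row
    lo_s = "(no lower bound)" if lo is None else ".".join(map(str, lo)) + " (including)"
    return f"{release}: in range {lo_s} .. {'.'.join(map(str, hi))} (excluding)"


if __name__ == "__main__":
    # Check the kernel this script is running on.
    print(describe(platform.release()))
```

Note that the table has gaps by design: 5.4.178 and later 5.4.y, 5.10.99+, 5.15.22+, 5.16.8+ and every 5.17+ kernel fall in no row, which is what the fix having landed in those stable series looks like from the CPE data.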