Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-49079

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
14/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: zoned: traverse devices under chunk_mutex in btrfs_can_activate_zone<br /> <br /> btrfs_can_activate_zone() can be called with the device_list_mutex already<br /> held, which will lead to a deadlock:<br /> <br /> insert_dev_extents() // Takes device_list_mutex<br /> `-&gt; insert_dev_extent()<br /> `-&gt; btrfs_insert_empty_item()<br /> `-&gt; btrfs_insert_empty_items()<br /> `-&gt; btrfs_search_slot()<br /> `-&gt; btrfs_cow_block()<br /> `-&gt; __btrfs_cow_block()<br /> `-&gt; btrfs_alloc_tree_block()<br /> `-&gt; btrfs_reserve_extent()<br /> `-&gt; find_free_extent()<br /> `-&gt; find_free_extent_update_loop()<br /> `-&gt; can_allocate_chunk()<br /> `-&gt; btrfs_can_activate_zone() // Takes device_list_mutex again<br /> <br /> Instead of using the RCU on fs_devices-&gt;device_list we<br /> can use fs_devices-&gt;alloc_list, protected by the chunk_mutex to traverse<br /> the list of active devices.<br /> <br /> We are in the chunk allocation thread. The newer chunk allocation<br /> happens from the devices in the fs_device-&gt;alloc_list protected by the<br /> chunk_mutex.<br /> <br /> btrfs_create_chunk()<br /> lockdep_assert_held(&amp;info-&gt;chunk_mutex);<br /> gather_device_info<br /> list_for_each_entry(device, &amp;fs_devices-&gt;alloc_list, dev_alloc_list)<br /> <br /> Also, a device that reappears after the mount won&amp;#39;t join the alloc_list<br /> yet and, it will be in the dev_list, which we don&amp;#39;t want to consider in<br /> the context of the chunk alloc.<br /> <br /> [15.166572] WARNING: possible recursive locking detected<br /> [15.167117] 5.17.0-rc6-dennis #79 Not tainted<br /> [15.167487] --------------------------------------------<br /> [15.167733] kworker/u8:3/146 is trying to acquire lock:<br /> [15.167733] ffff888102962ee0 (&amp;fs_devs-&gt;device_list_mutex){+.+.}-{3:3}, at: find_free_extent+0x15a/0x14f0 [btrfs]<br /> [15.167733]<br /> [15.167733] but task is already holding lock:<br /> [15.167733] ffff888102962ee0 (&amp;fs_devs-&gt;device_list_mutex){+.+.}-{3:3}, at: btrfs_create_pending_block_groups+0x20a/0x560 [btrfs]<br /> [15.167733]<br /> [15.167733] other info that might help us debug this:<br /> [15.167733] Possible unsafe locking scenario:<br /> [15.167733]<br /> [15.171834] CPU0<br /> [15.171834] ----<br /> [15.171834] lock(&amp;fs_devs-&gt;device_list_mutex);<br /> [15.171834] lock(&amp;fs_devs-&gt;device_list_mutex);<br /> [15.171834]<br /> [15.171834] *** DEADLOCK ***<br /> [15.171834]<br /> [15.171834] May be due to missing lock nesting notation<br /> [15.171834]<br /> [15.171834] 5 locks held by kworker/u8:3/146:<br /> [15.171834] #0: ffff888100050938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x1c3/0x5a0<br /> [15.171834] #1: ffffc9000067be80 ((work_completion)(&amp;fs_info-&gt;async_data_reclaim_work)){+.+.}-{0:0}, at: process_one_work+0x1c3/0x5a0<br /> [15.176244] #2: ffff88810521e620 (sb_internal){.+.+}-{0:0}, at: flush_space+0x335/0x600 [btrfs]<br /> [15.176244] #3: ffff888102962ee0 (&amp;fs_devs-&gt;device_list_mutex){+.+.}-{3:3}, at: btrfs_create_pending_block_groups+0x20a/0x560 [btrfs]<br /> [15.176244] #4: ffff8881152e4b78 (btrfs-dev-00){++++}-{3:3}, at: __btrfs_tree_lock+0x27/0x130 [btrfs]<br /> [15.179641]<br /> [15.179641] stack backtrace:<br /> [15.179641] CPU: 1 PID: 146 Comm: kworker/u8:3 Not tainted 5.17.0-rc6-dennis #79<br /> [15.179641] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1.fc35 04/01/2014<br /> [15.179641] Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]<br /> [15.179641] Call Trace:<br /> [15.179641] <br /> [15.179641] dump_stack_lvl+0x45/0x59<br /> [15.179641] __lock_acquire.cold+0x217/0x2b2<br /> [15.179641] lock_acquire+0xbf/0x2b0<br /> [15.183838] ? find_free_extent+0x15a/0x14f0 [btrfs]<br /> [15.183838] __mutex_lock+0x8e/0x970<br /> [15.183838] ? find_free_extent+0x15a/0x14f0 [btrfs]<br /> [15.183838] ? find_free_extent+0x15a/0x14f0 [btrfs]<br /> [15.183838] ? lock_is_held_type+0xd7/0x130<br /> [15.183838] ? find_free_extent+0x15a/0x14f0 [btrfs]<br /> [15.183838] find_free_extent+0x15a/0x14f0 [btrfs]<br /> [15.183838] ? _raw_spin_unlock+0x24/0x40<br /> [15.183838] ? btrfs_get_alloc_profile+0x106/0x230 [btrfs]<br /> [15.187601] btrfs_reserve_extent+0x131/0x260 [btrfs]<br /> [15.<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.16.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.17 (including) 5.17.3 (excluding)
cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools