CVE-2022-49702

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
24/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix hang during unmount when block group reclaim task is running

When we start an unmount, at close_ctree(), if we have the reclaim task
running and in the middle of a data block group relocation, we can trigger
a deadlock when stopping an async reclaim task, producing a trace like the
following:

[629724.498185] task:kworker/u16:7 state:D stack: 0 pid:681170 ppid: 2 flags:0x00004000
[629724.499760] Workqueue: events_unbound btrfs_async_reclaim_metadata_space [btrfs]
[629724.501267] Call Trace:
[629724.501759]
[629724.502174] __schedule+0x3cb/0xed0
[629724.502842] schedule+0x4e/0xb0
[629724.503447] btrfs_wait_on_delayed_iputs+0x7c/0xc0 [btrfs]
[629724.504534] ? prepare_to_wait_exclusive+0xc0/0xc0
[629724.505442] flush_space+0x423/0x630 [btrfs]
[629724.506296] ? rcu_read_unlock_trace_special+0x20/0x50
[629724.507259] ? lock_release+0x220/0x4a0
[629724.507932] ? btrfs_get_alloc_profile+0xb3/0x290 [btrfs]
[629724.508940] ? do_raw_spin_unlock+0x4b/0xa0
[629724.509688] btrfs_async_reclaim_metadata_space+0x139/0x320 [btrfs]
[629724.510922] process_one_work+0x252/0x5a0
[629724.511694] ? process_one_work+0x5a0/0x5a0
[629724.512508] worker_thread+0x52/0x3b0
[629724.513220] ? process_one_work+0x5a0/0x5a0
[629724.514021] kthread+0xf2/0x120
[629724.514627] ? kthread_complete_and_exit+0x20/0x20
[629724.515526] ret_from_fork+0x22/0x30
[629724.516236]
[629724.516694] task:umount state:D stack: 0 pid:719055 ppid:695412 flags:0x00004000
[629724.518269] Call Trace:
[629724.518746]
[629724.519160] __schedule+0x3cb/0xed0
[629724.519835] schedule+0x4e/0xb0
[629724.520467] schedule_timeout+0xed/0x130
[629724.521221] ? lock_release+0x220/0x4a0
[629724.521946] ? lock_acquired+0x19c/0x420
[629724.522662] ? trace_hardirqs_on+0x1b/0xe0
[629724.523411] __wait_for_common+0xaf/0x1f0
[629724.524189] ? usleep_range_state+0xb0/0xb0
[629724.524997] __flush_work+0x26d/0x530
[629724.525698] ? flush_workqueue_prep_pwqs+0x140/0x140
[629724.526580] ? lock_acquire+0x1a0/0x310
[629724.527324] __cancel_work_timer+0x137/0x1c0
[629724.528190] close_ctree+0xfd/0x531 [btrfs]
[629724.529000] ? evict_inodes+0x166/0x1c0
[629724.529510] generic_shutdown_super+0x74/0x120
[629724.530103] kill_anon_super+0x14/0x30
[629724.530611] btrfs_kill_super+0x12/0x20 [btrfs]
[629724.531246] deactivate_locked_super+0x31/0xa0
[629724.531817] cleanup_mnt+0x147/0x1c0
[629724.532319] task_work_run+0x5c/0xa0
[629724.532984] exit_to_user_mode_prepare+0x1a6/0x1b0
[629724.533598] syscall_exit_to_user_mode+0x16/0x40
[629724.534200] do_syscall_64+0x48/0x90
[629724.534667] entry_SYSCALL_64_after_hwframe+0x44/0xae
[629724.535318] RIP: 0033:0x7fa2b90437a7
[629724.535804] RSP: 002b:00007ffe0b7e4458 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[629724.536912] RAX: 0000000000000000 RBX: 00007fa2b9182264 RCX: 00007fa2b90437a7
[629724.538156] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000555d6cf20dd0
[629724.539053] RBP: 0000555d6cf20ba0 R08: 0000000000000000 R09: 00007ffe0b7e3200
[629724.539956] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[629724.540883] R13: 0000555d6cf20dd0 R14: 0000555d6cf20cb0 R15: 0000000000000000
[629724.541796]

This happens because:

1) Before entering close_ctree() we have the async block group reclaim
task running and relocating a data block group;

2) There's an async metadata (or data) space reclaim task running;

3) We enter close_ctree() and park the cleaner kthread;

4) The async space reclaim task is at flush_space() and runs all the
existing delayed iputs;

5) Before the async space reclaim task calls
btrfs_wait_on_delayed_iputs(), the block group reclaim task which is
doing the data block group relocation, creates a delayed iput at
replace_file_extents() (called when COWing leaves that have file extent
items pointing to relocated data exten
---truncated---

Vulnerable products and versions

CPE                                                From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.13 (including)   5.15.51 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.16 (including)   5.18.8 (excluding)
cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*