Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-50090

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/06/2025
Last modified:
18/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: replace BTRFS_MAX_EXTENT_SIZE with fs_info-&gt;max_extent_size<br /> <br /> On zoned filesystem, data write out is limited by max_zone_append_size,<br /> and a large ordered extent is split according the size of a bio. OTOH,<br /> the number of extents to be written is calculated using<br /> BTRFS_MAX_EXTENT_SIZE, and that estimated number is used to reserve the<br /> metadata bytes to update and/or create the metadata items.<br /> <br /> The metadata reservation is done at e.g, btrfs_buffered_write() and then<br /> released according to the estimation changes. Thus, if the number of extent<br /> increases massively, the reserved metadata can run out.<br /> <br /> The increase of the number of extents easily occurs on zoned filesystem<br /> if BTRFS_MAX_EXTENT_SIZE &gt; max_zone_append_size. And, it causes the<br /> following warning on a small RAM environment with disabling metadata<br /> over-commit (in the following patch).<br /> <br /> [75721.498492] ------------[ cut here ]------------<br /> [75721.505624] BTRFS: block rsv 1 returned -28<br /> [75721.512230] WARNING: CPU: 24 PID: 2327559 at fs/btrfs/block-rsv.c:537 btrfs_use_block_rsv+0x560/0x760 [btrfs]<br /> [75721.581854] CPU: 24 PID: 2327559 Comm: kworker/u64:10 Kdump: loaded Tainted: G W 5.18.0-rc2-BTRFS-ZNS+ #109<br /> [75721.597200] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021<br /> [75721.607310] Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]<br /> [75721.616209] RIP: 0010:btrfs_use_block_rsv+0x560/0x760 [btrfs]<br /> [75721.646649] RSP: 0018:ffffc9000fbdf3e0 EFLAGS: 00010286<br /> [75721.654126] RAX: 0000000000000000 RBX: 0000000000004000 RCX: 0000000000000000<br /> [75721.663524] RDX: 0000000000000004 RSI: 0000000000000008 RDI: fffff52001f7be6e<br /> [75721.672921] RBP: ffffc9000fbdf420 R08: 0000000000000001 R09: ffff889f8d1fc6c7<br /> [75721.682493] R10: ffffed13f1a3f8d8 R11: 0000000000000001 R12: ffff88980a3c0e28<br /> [75721.692284] R13: ffff889b66590000 R14: ffff88980a3c0e40 R15: ffff88980a3c0e8a<br /> [75721.701878] FS: 0000000000000000(0000) GS:ffff889f8d000000(0000) knlGS:0000000000000000<br /> [75721.712601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [75721.720726] CR2: 000055d12e05c018 CR3: 0000800193594000 CR4: 0000000000350ee0<br /> [75721.730499] Call Trace:<br /> [75721.735166] <br /> [75721.739886] btrfs_alloc_tree_block+0x1e1/0x1100 [btrfs]<br /> [75721.747545] ? btrfs_alloc_logged_file_extent+0x550/0x550 [btrfs]<br /> [75721.756145] ? btrfs_get_32+0xea/0x2d0 [btrfs]<br /> [75721.762852] ? btrfs_get_32+0xea/0x2d0 [btrfs]<br /> [75721.769520] ? push_leaf_left+0x420/0x620 [btrfs]<br /> [75721.776431] ? memcpy+0x4e/0x60<br /> [75721.781931] split_leaf+0x433/0x12d0 [btrfs]<br /> [75721.788392] ? btrfs_get_token_32+0x580/0x580 [btrfs]<br /> [75721.795636] ? push_for_double_split.isra.0+0x420/0x420 [btrfs]<br /> [75721.803759] ? leaf_space_used+0x15d/0x1a0 [btrfs]<br /> [75721.811156] btrfs_search_slot+0x1bc3/0x2790 [btrfs]<br /> [75721.818300] ? lock_downgrade+0x7c0/0x7c0<br /> [75721.824411] ? free_extent_buffer.part.0+0x107/0x200 [btrfs]<br /> [75721.832456] ? split_leaf+0x12d0/0x12d0 [btrfs]<br /> [75721.839149] ? free_extent_buffer.part.0+0x14f/0x200 [btrfs]<br /> [75721.846945] ? free_extent_buffer+0x13/0x20 [btrfs]<br /> [75721.853960] ? btrfs_release_path+0x4b/0x190 [btrfs]<br /> [75721.861429] btrfs_csum_file_blocks+0x85c/0x1500 [btrfs]<br /> [75721.869313] ? rcu_read_lock_sched_held+0x16/0x80<br /> [75721.876085] ? lock_release+0x552/0xf80<br /> [75721.881957] ? btrfs_del_csums+0x8c0/0x8c0 [btrfs]<br /> [75721.888886] ? __kasan_check_write+0x14/0x20<br /> [75721.895152] ? do_raw_read_unlock+0x44/0x80<br /> [75721.901323] ? _raw_write_lock_irq+0x60/0x80<br /> [75721.907983] ? btrfs_global_root+0xb9/0xe0 [btrfs]<br /> [75721.915166] ? btrfs_csum_root+0x12b/0x180 [btrfs]<br /> [75721.921918] ? btrfs_get_global_root+0x820/0x820 [btrfs]<br /> [75721.929166] ? _raw_write_unlock+0x23/0x40<br /> [75721.935116] ? unpin_extent_cache+0x1e3/0x390 [btrfs]<br /> [75721.942041] btrfs_finish_ordered_io.isra.0+0xa0c/0x1dc0 [btrfs]<br /> [75721.949906] ? try_to_wake_up+0x30/0x14a0<br /> [75721.955700] ? btrfs_unlink_subvol+0xda0/0xda0 [btrfs]<br /> [75721.962661] ? rcu<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.12 (including) 5.15.64 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.18.18 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.19 (including) 5.19.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools