CVE-2022-50571

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/10/2025
Last modified:
22/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: call __btrfs_remove_free_space_cache_locked on cache load failure

Now that lockdep is staying enabled through our entire CI runs, I started
seeing the following stack in generic/475:

------------[ cut here ]------------
WARNING: CPU: 1 PID: 2171864 at fs/btrfs/discard.c:604 btrfs_discard_update_discardable+0x98/0xb0
CPU: 1 PID: 2171864 Comm: kworker/u4:0 Not tainted 5.19.0-rc8+ #789
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
Workqueue: btrfs-cache btrfs_work_helper
RIP: 0010:btrfs_discard_update_discardable+0x98/0xb0
RSP: 0018:ffffb857c2f7bad0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8c85c605c200 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff86807c5b RDI: ffffffff868a831e
RBP: ffff8c85c4c54000 R08: 0000000000000000 R09: 0000000000000000
R10: ffff8c85c66932f0 R11: 0000000000000001 R12: ffff8c85c3899010
R13: ffff8c85d5be4f40 R14: ffff8c85c4c54000 R15: ffff8c86114bfa80
FS:  0000000000000000(0000) GS:ffff8c863bd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2e7f168160 CR3: 000000010289a004 CR4: 0000000000370ee0
Call Trace:
 __btrfs_remove_free_space_cache+0x27/0x30
 load_free_space_cache+0xad2/0xaf0
 caching_thread+0x40b/0x650
 ? lock_release+0x137/0x2d0
 btrfs_work_helper+0xf2/0x3e0
 ? lock_is_held_type+0xe2/0x140
 process_one_work+0x271/0x590
 ? process_one_work+0x590/0x590
 worker_thread+0x52/0x3b0
 ? process_one_work+0x590/0x590
 kthread+0xf0/0x120
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x1f/0x30

This is the code:

	ctl = block_group->free_space_ctl;
	discard_ctl = &block_group->fs_info->discard_ctl;

	lockdep_assert_held(&ctl->tree_lock);

We have a temporary free space ctl for loading the free space cache in
order to avoid having allocations happening while we're loading the
cache. When we hit an error we free it all up, however this also calls
btrfs_discard_update_discardable, which requires
block_group->free_space_ctl->tree_lock to be held. However, this is our
temporary ctl, so this lock isn't held. Fix this by calling
__btrfs_remove_free_space_cache_locked instead so that we only clean up
the entries and do not mess with the discardable stats.
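The pattern behind this fix is a cleanup routine that reaches back from a temporary object into shared state guarded by a lock the caller never took. The following C program is an added example, not kernel code and not part of this advisory: it models the two cleanup paths with plain structs and a counter in place of lockdep's WARN. All names here (free_space_ctl, discard_update_discardable, remove_free_space_cache_locked, simulate_cache_load_failure) are constructed stand-ins for the btrfs functions the commit message names; the real kernel uses an rb-tree and a spinlock, and the real __btrfs_remove_free_space_cache() finds the block group through the ctl rather than taking it as a parameter.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a free-space entry; the kernel keeps these in an rb-tree. */
struct free_space_entry {
	unsigned long long offset;
	unsigned long long bytes;
	struct free_space_entry *next;
};

/* Stand-in for struct btrfs_free_space_ctl. tree_lock_held models what lockdep knows. */
struct free_space_ctl {
	bool tree_lock_held;
	struct free_space_entry *entries;
	unsigned long long free_space;
};

/* Stand-in for the discard statistics kept in struct btrfs_discard_ctl. */
struct discard_ctl {
	unsigned long long discardable_extents;
	unsigned long long discardable_bytes;
};

/* Stand-in for struct btrfs_block_group: it owns the "real" ctl whose lock matters. */
struct block_group {
	struct free_space_ctl *free_space_ctl;
	struct discard_ctl *discard_ctl;
};

/* Where the kernel would WARN via lockdep_assert_held(), this model just counts. */
static int lockdep_warnings;

static void lockdep_assert_held(const struct free_space_ctl *ctl)
{
	if (!ctl->tree_lock_held)
		lockdep_warnings++;
}

/* Models btrfs_discard_update_discardable(): recomputes the block group's
 * discardable stats and asserts block_group->free_space_ctl->tree_lock,
 * no matter which ctl the caller was actually cleaning up. */
static void discard_update_discardable(struct block_group *bg)
{
	struct free_space_ctl *ctl = bg->free_space_ctl;
	unsigned long long extents = 0, bytes = 0;

	lockdep_assert_held(ctl);
	for (struct free_space_entry *e = ctl->entries; e; e = e->next) {
		extents++;
		bytes += e->bytes;
	}
	bg->discard_ctl->discardable_extents = extents;
	bg->discard_ctl->discardable_bytes = bytes;
}

/* Models __btrfs_remove_free_space_cache_locked(): frees the entries of the
 * ctl it was handed and touches nothing outside that ctl. */
static void remove_free_space_cache_locked(struct free_space_ctl *ctl)
{
	struct free_space_entry *e = ctl->entries;

	while (e) {
		struct free_space_entry *next = e->next;
		free(e);
		e = next;
	}
	ctl->entries = NULL;
	ctl->free_space = 0;
}

/* Models __btrfs_remove_free_space_cache(), the pre-fix path: entry cleanup
 * followed by the discardable update, which asserts the block group's lock. */
static void remove_free_space_cache(struct block_group *bg, struct free_space_ctl *ctl)
{
	remove_free_space_cache_locked(ctl);
	discard_update_discardable(bg);
}

static void add_entry(struct free_space_ctl *ctl, unsigned long long off, unsigned long long bytes)
{
	struct free_space_entry *e = calloc(1, sizeof(*e));

	if (!e)
		abort();
	e->offset = off;
	e->bytes = bytes;
	e->next = ctl->entries;
	ctl->entries = e;
	ctl->free_space += bytes;
}

/* Simulates load_free_space_cache() failing part-way: entries were parsed into
 * a temporary ctl (whose lock we hold) while the block group's own ctl lock is
 * not held. Returns how many lockdep-style warnings the chosen cleanup raised. */
static int simulate_cache_load_failure(bool use_locked_variant)
{
	struct free_space_ctl real = { .tree_lock_held = false };
	struct discard_ctl dctl = { 0 };
	struct block_group bg = { .free_space_ctl = &real, .discard_ctl = &dctl };
	struct free_space_ctl tmp = { .tree_lock_held = true };
	int before = lockdep_warnings;

	add_entry(&tmp, 0, 4096);		/* constructed sample entries */
	add_entry(&tmp, 8192, 65536);
	/* ... a read error or bad checksum aborts the load here ... */
	if (use_locked_variant)
		remove_free_space_cache_locked(&tmp);	/* the fix: entries only */
	else
		remove_free_space_cache(&bg, &tmp);	/* pre-fix: asserts real.tree_lock */

	return lockdep_warnings - before;
}

int main(void)
{
	printf("pre-fix cleanup warnings: %d\n", simulate_cache_load_failure(false));
	printf("fixed cleanup warnings:   %d\n", simulate_cache_load_failure(true));
	return 0;
}
```

Running it shows one warning from the pre-fix path and none from the fixed one: the locked variant never looks at the block group, so there is no lock to assert and no discardable stats to disturb, which is exactly what the commit message describes.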

Impact