CVE-2022-48664

btrfs: fix hang during unmount when stopping a space reclaim worker

Severity Score

7.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix hang during unmount when stopping a space reclaim worker Often when running generic/562 from fstests we can hang during unmount,
resulting in a trace like this: Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00 Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds. Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1 Sep 07 11:55:32 debian9 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000 Sep 07 11:55:32 debian9 kernel: Call Trace: Sep 07 11:55:32 debian9 kernel: <TASK> Sep 07 11:55:32 debian9 kernel: __schedule+0x3c8/0xec0 Sep 07 11:55:32 debian9 kernel: ? rcu_read_lock_sched_held+0x12/0x70 Sep 07 11:55:32 debian9 kernel: schedule+0x5d/0xf0 Sep 07 11:55:32 debian9 kernel: schedule_timeout+0xf1/0x130 Sep 07 11:55:32 debian9 kernel: ? lock_release+0x224/0x4a0 Sep 07 11:55:32 debian9 kernel: ? lock_acquired+0x1a0/0x420 Sep 07 11:55:32 debian9 kernel: ? trace_hardirqs_on+0x2c/0xd0 Sep 07 11:55:32 debian9 kernel: __wait_for_common+0xac/0x200 Sep 07 11:55:32 debian9 kernel: ? usleep_range_state+0xb0/0xb0 Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530 Sep 07 11:55:32 debian9 kernel: ? flush_workqueue_prep_pwqs+0x140/0x140 Sep 07 11:55:32 debian9 kernel: ? trace_clock_local+0xc/0x30 Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0 Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs] Sep 07 11:55:32 debian9 kernel: ? __trace_bputs+0x10b/0x170 Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs] Sep 07 11:55:32 debian9 kernel: ? evict_inodes+0x166/0x1c0 Sep 07 11:55:32 debian9 kernel: generic_shutdown_super+0x71/0x120 Sep 07 11:55:32 debian9 kernel: kill_anon_super+0x14/0x30 Sep 07 11:55:32 debian9 kernel: btrfs_kill_super+0x12/0x20 [btrfs] Sep 07 11:55:32 debian9 kernel: deactivate_locked_super+0x2e/0xa0 Sep 07 11:55:32 debian9 kernel: cleanup_mnt+0x100/0x160 Sep 07 11:55:32 debian9 kernel: task_work_run+0x59/0xa0 Sep 07 11:55:32 debian9 kernel: exit_to_user_mode_prepare+0x1a6/0x1b0 Sep 07 11:55:32 debian9 kernel: syscall_exit_to_user_mode+0x16/0x40 Sep 07 11:55:32 debian9 kernel: do_syscall_64+0x48/0x90 Sep 07 11:55:32 debian9 kernel: entry_SYSCALL_64_after_hwframe+0x63/0xcd Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7 Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7 Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0 Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570 Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000 Sep 07 11:55:32 debian9 kernel: </TASK> What happens is the following: 1) The cleaner kthread tries to start a transaction to delete an unused block group, but the metadata reservation can not be satisfied right away, so a reservation ticket is created and it starts the async metadata reclaim task (fs_info->async_reclaim_work); 2) Writeback for all the filler inodes with an i_size of 2K starts (generic/562 creates a lot of 2K files with the goal of filling metadata space). We try to create an inline extent for them, but we fail when trying to insert the inline extent with -ENOSPC (at cow_file_range_inline()) - since this is not critical, we fallback to non-inline mode (back to cow_file_range()), reserve extents
---truncated---

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: se corrige el bloqueo durante el desmontaje al detener un trabajador de recuperación de espacio. A menudo, cuando ejecutamos generic/562 desde fstests, podemos bloquearnos durante el desmontaje, lo que resulta en un rastro como este: 07 de septiembre 11:52 :00 debian9 desconocido: ejecute fstests generic/562 el 07/09/2022 11:52:00 07 de septiembre 11:55:32 kernel debian9: INFORMACIÓN: tarea umount:49438 bloqueada durante más de 120 segundos. 07 de septiembre 11:55:32 kernel debian9: no contaminado 6.0.0-rc2-btrfs-next-122 #1 07 de septiembre 11:55:32 kernel debian9: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" desactiva esto mensaje. 07 de septiembre 11:55:32 kernel debian9: tarea: estado de montaje: D pila: 0 pid:49438 ppid: 25683 banderas:0x00004000 07 de septiembre 11:55:32 kernel de debian9: Seguimiento de llamadas: 07 de septiembre 11:55:32 kernel de debian9 : 07 de septiembre 11:55:32 kernel debian9: __schedule+0x3c8/0xec0 07 de septiembre 11:55:32 kernel debian9: ? rcu_read_lock_sched_held+0x12/0x70 07 de septiembre 11:55:32 kernel debian9: horario+0x5d/0xf0 07 de septiembre 11:55:32 kernel debian9: Schedule_timeout+0xf1/0x130 07 de septiembre 11:55:32 kernel debian9:? lock_release+0x224/0x4a0 7 de septiembre 11:55:32 kernel debian9:? lock_acquired+0x1a0/0x420 7 de septiembre 11:55:32 kernel debian9:? trace_hardirqs_on+0x2c/0xd0 07 de septiembre 11:55:32 kernel debian9: __wait_for_common+0xac/0x200 07 de septiembre 11:55:32 kernel debian9:? usleep_range_state+0xb0/0xb0 07 de septiembre 11:55:32 kernel debian9: __flush_work+0x26d/0x530 07 de septiembre 11:55:32 kernel debian9:? Flush_workqueue_prep_pwqs+0x140/0x140 7 de septiembre 11:55:32 kernel debian9:? trace_clock_local+0xc/0x30 7 de septiembre 11:55:32 kernel debian9: __cancel_work_timer+0x11f/0x1b0 7 de septiembre 11:55:32 kernel debian9:? close_ctree+0x12b/0x5b3 [btrfs] 07 de septiembre 11:55:32 kernel debian9:? __trace_bputs+0x10b/0x170 07 de septiembre 11:55:32 kernel debian9: close_ctree+0x152/0x5b3 [btrfs] 07 de septiembre 11:55:32 kernel debian9:? evict_inodes+0x166/0x1c0 07 de septiembre 11:55:32 kernel debian9: generic_shutdown_super+0x71/0x120 07 de septiembre 11:55:32 kernel debian9: kill_anon_super+0x14/0x30 07 de septiembre 11:55:32 kernel debian9: 0 [btrfs] 07 de septiembre 11:55:32 kernel debian9: desactivar_locked_super+0x2e/0xa0 07 de septiembre 11:55:32 kernel debian9: cleanup_mnt+0x100/0x160 07 de septiembre 11:55:32 kernel de debian9: task_work_run+0x59/0xa0 07 de septiembre 11:55:32 kernel debian9: exit_to_user_mode_prepare+0x1a6/0x1b0 07 de septiembre 11:55:32 kernel debian9: syscall_exit_to_user_mode+0x16/0x40 07 de septiembre 11:55:32 kernel de debian9: do_syscall_64+0x48/0x90 07 de septiembre: 55:32 kernel debian9: Entry_SYSCALL_64_after_hwframe+0x63/0xcd 07 de septiembre 11:55:32 kernel debian9: RIP: 0033:0x7fcde59a57a7 07 de septiembre 11:55:32 kernel debian9: RSP: 002b:00007ffe914217c8 EFLAGS: ORIG_RAX: 00000000000000a6 07 de septiembre 11:55: 32 kernel debian9: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7 07 de septiembre 11:55:32 kernel debian9: RDX: 0000000000000000 RSI: 00 RDI: 000055b57556cdd0 07 de septiembre 11:55:32 kernel debian9: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570 07 de septiembre 11:55:32 kernel debian9: R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000000000 07 de septiembre 11:55:32 kernel debian9: R13: 55b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000 7 de septiembre 11:55:32 kernel debian9: < /TASK> Lo que sucede es lo siguiente: 1) El kthread limpiador intenta iniciar una transacción para eliminar un grupo de bloques no utilizado, pero la reserva de metadatos no se puede satisfacer de inmediato, por lo que se crea un ticket de reserva e inicia la recuperación asíncrona de metadatos---truncadas---

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix hang during unmount when stopping a space reclaim worker Often when running generic/562 from fstests we can hang during unmount, resulting in a trace like this: Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00 Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds. Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1 Sep 07 11:55:32 debian9 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000 Sep 07 11:55:32 debian9 kernel: Call Trace: Sep 07 11:55:32 debian9 kernel: <TASK> Sep 07 11:55:32 debian9 kernel: __schedule+0x3c8/0xec0 Sep 07 11:55:32 debian9 kernel: ? rcu_read_lock_sched_held+0x12/0x70 Sep 07 11:55:32 debian9 kernel: schedule+0x5d/0xf0 Sep 07 11:55:32 debian9 kernel: schedule_timeout+0xf1/0x130 Sep 07 11:55:32 debian9 kernel: ? lock_release+0x224/0x4a0 Sep 07 11:55:32 debian9 kernel: ? lock_acquired+0x1a0/0x420 Sep 07 11:55:32 debian9 kernel: ? trace_hardirqs_on+0x2c/0xd0 Sep 07 11:55:32 debian9 kernel: __wait_for_common+0xac/0x200 Sep 07 11:55:32 debian9 kernel: ? usleep_range_state+0xb0/0xb0 Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530 Sep 07 11:55:32 debian9 kernel: ? flush_workqueue_prep_pwqs+0x140/0x140 Sep 07 11:55:32 debian9 kernel: ? trace_clock_local+0xc/0x30 Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0 Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs] Sep 07 11:55:32 debian9 kernel: ? __trace_bputs+0x10b/0x170 Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs] Sep 07 11:55:32 debian9 kernel: ? evict_inodes+0x166/0x1c0 Sep 07 11:55:32 debian9 kernel: generic_shutdown_super+0x71/0x120 Sep 07 11:55:32 debian9 kernel: kill_anon_super+0x14/0x30 Sep 07 11:55:32 debian9 kernel: btrfs_kill_super+0x12/0x20 [btrfs] Sep 07 11:55:32 debian9 kernel: deactivate_locked_super+0x2e/0xa0 Sep 07 11:55:32 debian9 kernel: cleanup_mnt+0x100/0x160 Sep 07 11:55:32 debian9 kernel: task_work_run+0x59/0xa0 Sep 07 11:55:32 debian9 kernel: exit_to_user_mode_prepare+0x1a6/0x1b0 Sep 07 11:55:32 debian9 kernel: syscall_exit_to_user_mode+0x16/0x40 Sep 07 11:55:32 debian9 kernel: do_syscall_64+0x48/0x90 Sep 07 11:55:32 debian9 kernel: entry_SYSCALL_64_after_hwframe+0x63/0xcd Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7 Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7 Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0 Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570 Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000 Sep 07 11:55:32 debian9 kernel: </TASK> What happens is the following: 1) The cleaner kthread tries to start a transaction to delete an unused block group, but the metadata reservation can not be satisfied right away, so a reservation ticket is created and it starts the async metadata reclaim task (fs_info->async_reclaim_work); 2) Writeback for all the filler inodes with an i_size of 2K starts (generic/562 creates a lot of 2K files with the goal of filling metadata space). We try to create an inline extent for them, but we fail when trying to insert the inline extent with -ENOSPC (at cow_file_range_inline()) - since this is not critical, we fallback to non-inline mode (back to cow_file_range()), reserve extents ---truncated---

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-25 CVE Reserved
2024-04-28 CVE Published
2024-12-19 CVE Updated
2025-03-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (7)

URL	Tag	Source
https://git.kernel.org/stable/c/d6fd0ae25c6495674dc5a41a8d16bc8e0073276d	Vuln. Introduced
https://git.kernel.org/stable/c/1ec2bf44c3770b9c3d510b1e78d50cd7fd19e8c5	Vuln. Introduced
https://git.kernel.org/stable/c/b4c7c826709b7d882ec9b264d5032e887e6bd720	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/6ac5b52e3f352f9cb270c89e6e1d4dadb564ddb8	2022-10-05
https://git.kernel.org/stable/c/d8a76a2e514fbbb315a6dfff2d342de2de833994	2022-09-28
https://git.kernel.org/stable/c/c338bea1fec5504290dc0acf026c9e7dba25004b	2022-09-28
https://git.kernel.org/stable/c/a362bb864b8db4861977d00bd2c3222503ccc34b	2022-09-13

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 5.10.147 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 5.10.147"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 5.15.71 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 5.15.71"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 5.19.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 5.19.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 6.0 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 6.0"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.14.120 Search vendor "Linux" for product "Linux Kernel" and version "4.14.120"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.19.12 Search vendor "Linux" for product "Linux Kernel" and version "4.19.12"		en		Affected