github - ghsa-w94g-q3rj-7p4m

ghsa-w94g-q3rj-7p4m

Vulnerability from github

Published

2024-04-28 15:30

Modified

2024-04-28 15:30

Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix hang during unmount when stopping a space reclaim worker

Often when running generic/562 from fstests we can hang during unmount, resulting in a trace like this:

Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00 Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds. Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1 Sep 07 11:55:32 debian9 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000 Sep 07 11:55:32 debian9 kernel: Call Trace: Sep 07 11:55:32 debian9 kernel: Sep 07 11:55:32 debian9 kernel: __schedule+0x3c8/0xec0 Sep 07 11:55:32 debian9 kernel: ? rcu_read_lock_sched_held+0x12/0x70 Sep 07 11:55:32 debian9 kernel: schedule+0x5d/0xf0 Sep 07 11:55:32 debian9 kernel: schedule_timeout+0xf1/0x130 Sep 07 11:55:32 debian9 kernel: ? lock_release+0x224/0x4a0 Sep 07 11:55:32 debian9 kernel: ? lock_acquired+0x1a0/0x420 Sep 07 11:55:32 debian9 kernel: ? trace_hardirqs_on+0x2c/0xd0 Sep 07 11:55:32 debian9 kernel: __wait_for_common+0xac/0x200 Sep 07 11:55:32 debian9 kernel: ? usleep_range_state+0xb0/0xb0 Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530 Sep 07 11:55:32 debian9 kernel: ? flush_workqueue_prep_pwqs+0x140/0x140 Sep 07 11:55:32 debian9 kernel: ? trace_clock_local+0xc/0x30 Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0 Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs] Sep 07 11:55:32 debian9 kernel: ? __trace_bputs+0x10b/0x170 Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs] Sep 07 11:55:32 debian9 kernel: ? evict_inodes+0x166/0x1c0 Sep 07 11:55:32 debian9 kernel: generic_shutdown_super+0x71/0x120 Sep 07 11:55:32 debian9 kernel: kill_anon_super+0x14/0x30 Sep 07 11:55:32 debian9 kernel: btrfs_kill_super+0x12/0x20 [btrfs] Sep 07 11:55:32 debian9 kernel: deactivate_locked_super+0x2e/0xa0 Sep 07 11:55:32 debian9 kernel: cleanup_mnt+0x100/0x160 Sep 07 11:55:32 debian9 kernel: task_work_run+0x59/0xa0 Sep 07 11:55:32 debian9 kernel: exit_to_user_mode_prepare+0x1a6/0x1b0 Sep 07 11:55:32 debian9 kernel: syscall_exit_to_user_mode+0x16/0x40 Sep 07 11:55:32 debian9 kernel: do_syscall_64+0x48/0x90 Sep 07 11:55:32 debian9 kernel: entry_SYSCALL_64_after_hwframe+0x63/0xcd Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7 Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7 Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0 Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570 Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000 Sep 07 11:55:32 debian9 kernel:

What happens is the following:

1) The cleaner kthread tries to start a transaction to delete an unused block group, but the metadata reservation can not be satisfied right away, so a reservation ticket is created and it starts the async metadata reclaim task (fs_info->async_reclaim_work);

2) Writeback for all the filler inodes with an i_size of 2K starts (generic/562 creates a lot of 2K files with the goal of filling metadata space). We try to create an inline extent for them, but we fail when trying to insert the inline extent with -ENOSPC (at cow_file_range_inline()) - since this is not critical, we fallback to non-inline mode (back to cow_file_range()), reserve extents ---truncated---

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-48664"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-28T13:15:08Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix hang during unmount when stopping a space reclaim worker\n\nOften when running generic/562 from fstests we can hang during unmount,\nresulting in a trace like this:\n\n  Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00\n  Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.\n  Sep 07 11:55:32 debian9 kernel:       Not tainted 6.0.0-rc2-btrfs-next-122 #1\n  Sep 07 11:55:32 debian9 kernel: \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  Sep 07 11:55:32 debian9 kernel: task:umount          state:D stack:    0 pid:49438 ppid: 25683 flags:0x00004000\n  Sep 07 11:55:32 debian9 kernel: Call Trace:\n  Sep 07 11:55:32 debian9 kernel:  \u003cTASK\u003e\n  Sep 07 11:55:32 debian9 kernel:  __schedule+0x3c8/0xec0\n  Sep 07 11:55:32 debian9 kernel:  ? rcu_read_lock_sched_held+0x12/0x70\n  Sep 07 11:55:32 debian9 kernel:  schedule+0x5d/0xf0\n  Sep 07 11:55:32 debian9 kernel:  schedule_timeout+0xf1/0x130\n  Sep 07 11:55:32 debian9 kernel:  ? lock_release+0x224/0x4a0\n  Sep 07 11:55:32 debian9 kernel:  ? lock_acquired+0x1a0/0x420\n  Sep 07 11:55:32 debian9 kernel:  ? trace_hardirqs_on+0x2c/0xd0\n  Sep 07 11:55:32 debian9 kernel:  __wait_for_common+0xac/0x200\n  Sep 07 11:55:32 debian9 kernel:  ? usleep_range_state+0xb0/0xb0\n  Sep 07 11:55:32 debian9 kernel:  __flush_work+0x26d/0x530\n  Sep 07 11:55:32 debian9 kernel:  ? flush_workqueue_prep_pwqs+0x140/0x140\n  Sep 07 11:55:32 debian9 kernel:  ? trace_clock_local+0xc/0x30\n  Sep 07 11:55:32 debian9 kernel:  __cancel_work_timer+0x11f/0x1b0\n  Sep 07 11:55:32 debian9 kernel:  ? close_ctree+0x12b/0x5b3 [btrfs]\n  Sep 07 11:55:32 debian9 kernel:  ? __trace_bputs+0x10b/0x170\n  Sep 07 11:55:32 debian9 kernel:  close_ctree+0x152/0x5b3 [btrfs]\n  Sep 07 11:55:32 debian9 kernel:  ? evict_inodes+0x166/0x1c0\n  Sep 07 11:55:32 debian9 kernel:  generic_shutdown_super+0x71/0x120\n  Sep 07 11:55:32 debian9 kernel:  kill_anon_super+0x14/0x30\n  Sep 07 11:55:32 debian9 kernel:  btrfs_kill_super+0x12/0x20 [btrfs]\n  Sep 07 11:55:32 debian9 kernel:  deactivate_locked_super+0x2e/0xa0\n  Sep 07 11:55:32 debian9 kernel:  cleanup_mnt+0x100/0x160\n  Sep 07 11:55:32 debian9 kernel:  task_work_run+0x59/0xa0\n  Sep 07 11:55:32 debian9 kernel:  exit_to_user_mode_prepare+0x1a6/0x1b0\n  Sep 07 11:55:32 debian9 kernel:  syscall_exit_to_user_mode+0x16/0x40\n  Sep 07 11:55:32 debian9 kernel:  do_syscall_64+0x48/0x90\n  Sep 07 11:55:32 debian9 kernel:  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7\n  Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n  Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7\n  Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0\n  Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570\n  Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000\n  Sep 07 11:55:32 debian9 kernel:  \u003c/TASK\u003e\n\nWhat happens is the following:\n\n1) The cleaner kthread tries to start a transaction to delete an unused\n   block group, but the metadata reservation can not be satisfied right\n   away, so a reservation ticket is created and it starts the async\n   metadata reclaim task (fs_info-\u003easync_reclaim_work);\n\n2) Writeback for all the filler inodes with an i_size of 2K starts\n   (generic/562 creates a lot of 2K files with the goal of filling\n   metadata space). We try to create an inline extent for them, but we\n   fail when trying to insert the inline extent with -ENOSPC (at\n   cow_file_range_inline()) - since this is not critical, we fallback\n   to non-inline mode (back to cow_file_range()), reserve extents\n---truncated---",
  "id": "GHSA-w94g-q3rj-7p4m",
  "modified": "2024-04-28T15:30:30Z",
  "published": "2024-04-28T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48664"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6ac5b52e3f352f9cb270c89e6e1d4dadb564ddb8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a362bb864b8db4861977d00bd2c3222503ccc34b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c338bea1fec5504290dc0acf026c9e7dba25004b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d8a76a2e514fbbb315a6dfff2d342de2de833994"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

cve-2022-48664

Vulnerability from cvelistv5

Published

2024-04-28 13:01

Modified

2024-11-04 12:14

Severity ?

Summary

btrfs: fix hang during unmount when stopping a space reclaim worker

References

▼	URL	Tags
	https://git.kernel.org/stable/c/6ac5b52e3f352f9cb270c89e6e1d4dadb564ddb8
	https://git.kernel.org/stable/c/d8a76a2e514fbbb315a6dfff2d342de2de833994
	https://git.kernel.org/stable/c/c338bea1fec5504290dc0acf026c9e7dba25004b
	https://git.kernel.org/stable/c/a362bb864b8db4861977d00bd2c3222503ccc34b

Impacted products

▼	Vendor	Product
	Linux	Linux
	Linux	Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-48664",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-28T18:11:19.564410Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:16:37.812Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T15:17:55.826Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6ac5b52e3f352f9cb270c89e6e1d4dadb564ddb8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d8a76a2e514fbbb315a6dfff2d342de2de833994"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c338bea1fec5504290dc0acf026c9e7dba25004b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a362bb864b8db4861977d00bd2c3222503ccc34b"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/disk-io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6ac5b52e3f35",
              "status": "affected",
              "version": "d6fd0ae25c64",
              "versionType": "git"
            },
            {
              "lessThan": "d8a76a2e514f",
              "status": "affected",
              "version": "d6fd0ae25c64",
              "versionType": "git"
            },
            {
              "lessThan": "c338bea1fec5",
              "status": "affected",
              "version": "d6fd0ae25c64",
              "versionType": "git"
            },
            {
              "lessThan": "a362bb864b8d",
              "status": "affected",
              "version": "d6fd0ae25c64",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/disk-io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.71",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix hang during unmount when stopping a space reclaim worker\n\nOften when running generic/562 from fstests we can hang during unmount,\nresulting in a trace like this:\n\n  Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00\n  Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.\n  Sep 07 11:55:32 debian9 kernel:       Not tainted 6.0.0-rc2-btrfs-next-122 #1\n  Sep 07 11:55:32 debian9 kernel: \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  Sep 07 11:55:32 debian9 kernel: task:umount          state:D stack:    0 pid:49438 ppid: 25683 flags:0x00004000\n  Sep 07 11:55:32 debian9 kernel: Call Trace:\n  Sep 07 11:55:32 debian9 kernel:  \u003cTASK\u003e\n  Sep 07 11:55:32 debian9 kernel:  __schedule+0x3c8/0xec0\n  Sep 07 11:55:32 debian9 kernel:  ? rcu_read_lock_sched_held+0x12/0x70\n  Sep 07 11:55:32 debian9 kernel:  schedule+0x5d/0xf0\n  Sep 07 11:55:32 debian9 kernel:  schedule_timeout+0xf1/0x130\n  Sep 07 11:55:32 debian9 kernel:  ? lock_release+0x224/0x4a0\n  Sep 07 11:55:32 debian9 kernel:  ? lock_acquired+0x1a0/0x420\n  Sep 07 11:55:32 debian9 kernel:  ? trace_hardirqs_on+0x2c/0xd0\n  Sep 07 11:55:32 debian9 kernel:  __wait_for_common+0xac/0x200\n  Sep 07 11:55:32 debian9 kernel:  ? usleep_range_state+0xb0/0xb0\n  Sep 07 11:55:32 debian9 kernel:  __flush_work+0x26d/0x530\n  Sep 07 11:55:32 debian9 kernel:  ? flush_workqueue_prep_pwqs+0x140/0x140\n  Sep 07 11:55:32 debian9 kernel:  ? trace_clock_local+0xc/0x30\n  Sep 07 11:55:32 debian9 kernel:  __cancel_work_timer+0x11f/0x1b0\n  Sep 07 11:55:32 debian9 kernel:  ? close_ctree+0x12b/0x5b3 [btrfs]\n  Sep 07 11:55:32 debian9 kernel:  ? __trace_bputs+0x10b/0x170\n  Sep 07 11:55:32 debian9 kernel:  close_ctree+0x152/0x5b3 [btrfs]\n  Sep 07 11:55:32 debian9 kernel:  ? evict_inodes+0x166/0x1c0\n  Sep 07 11:55:32 debian9 kernel:  generic_shutdown_super+0x71/0x120\n  Sep 07 11:55:32 debian9 kernel:  kill_anon_super+0x14/0x30\n  Sep 07 11:55:32 debian9 kernel:  btrfs_kill_super+0x12/0x20 [btrfs]\n  Sep 07 11:55:32 debian9 kernel:  deactivate_locked_super+0x2e/0xa0\n  Sep 07 11:55:32 debian9 kernel:  cleanup_mnt+0x100/0x160\n  Sep 07 11:55:32 debian9 kernel:  task_work_run+0x59/0xa0\n  Sep 07 11:55:32 debian9 kernel:  exit_to_user_mode_prepare+0x1a6/0x1b0\n  Sep 07 11:55:32 debian9 kernel:  syscall_exit_to_user_mode+0x16/0x40\n  Sep 07 11:55:32 debian9 kernel:  do_syscall_64+0x48/0x90\n  Sep 07 11:55:32 debian9 kernel:  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7\n  Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n  Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7\n  Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0\n  Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570\n  Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000\n  Sep 07 11:55:32 debian9 kernel:  \u003c/TASK\u003e\n\nWhat happens is the following:\n\n1) The cleaner kthread tries to start a transaction to delete an unused\n   block group, but the metadata reservation can not be satisfied right\n   away, so a reservation ticket is created and it starts the async\n   metadata reclaim task (fs_info-\u003easync_reclaim_work);\n\n2) Writeback for all the filler inodes with an i_size of 2K starts\n   (generic/562 creates a lot of 2K files with the goal of filling\n   metadata space). We try to create an inline extent for them, but we\n   fail when trying to insert the inline extent with -ENOSPC (at\n   cow_file_range_inline()) - since this is not critical, we fallback\n   to non-inline mode (back to cow_file_range()), reserve extents\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T12:14:15.683Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6ac5b52e3f352f9cb270c89e6e1d4dadb564ddb8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8a76a2e514fbbb315a6dfff2d342de2de833994"
        },
        {
          "url": "https://git.kernel.org/stable/c/c338bea1fec5504290dc0acf026c9e7dba25004b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a362bb864b8db4861977d00bd2c3222503ccc34b"
        }
      ],
      "title": "btrfs: fix hang during unmount when stopping a space reclaim worker",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48664",
    "datePublished": "2024-04-28T13:01:41.496Z",
    "dateReserved": "2024-02-25T13:44:28.320Z",
    "dateUpdated": "2024-11-04T12:14:15.683Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted