ghsa-wrfr-rmr8-j7gx
Vulnerability from github
Published
2024-06-20 12:31
Modified
2024-08-19 18:32
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix deadlock between quota disable and qgroup rescan worker

Quota disable ioctl starts a transaction before waiting for the qgroup rescan worker completes. However, this wait can be infinite and results in deadlock because of circular dependency among the quota disable ioctl, the qgroup rescan worker and the other task with transaction such as block group relocation task.

The deadlock happens with the steps following:

1) Task A calls ioctl to disable quota. It starts a transaction and waits for qgroup rescan worker completes. 2) Task B such as block group relocation task starts a transaction and joins to the transaction that task A started. Then task B commits to the transaction. In this commit, task B waits for a commit by task A. 3) Task C as the qgroup rescan worker starts its job and starts a transaction. In this transaction start, task C waits for completion of the transaction that task A started and task B committed.

This deadlock was found with fstests test case btrfs/115 and a zoned null_blk device. The test case enables and disables quota, and the block group reclaim was triggered during the quota disable by chance. The deadlock was also observed by running quota enable and disable in parallel with 'btrfs balance' command on regular null_blk devices.

An example report of the deadlock:

[372.469894] INFO: task kworker/u16:6:103 blocked for more than 122 seconds. [372.479944] Not tainted 5.16.0-rc8 #7 [372.485067] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [372.493898] task:kworker/u16:6 state:D stack: 0 pid: 103 ppid: 2 flags:0x00004000 [372.503285] Workqueue: btrfs-qgroup-rescan btrfs_work_helper [btrfs] [372.510782] Call Trace: [372.514092] [372.521684] __schedule+0xb56/0x4850 [372.530104] ? io_schedule_timeout+0x190/0x190 [372.538842] ? lockdep_hardirqs_on+0x7e/0x100 [372.547092] ? _raw_spin_unlock_irqrestore+0x3e/0x60 [372.555591] schedule+0xe0/0x270 [372.561894] btrfs_commit_transaction+0x18bb/0x2610 [btrfs] [372.570506] ? btrfs_apply_pending_changes+0x50/0x50 [btrfs] [372.578875] ? free_unref_page+0x3f2/0x650 [372.585484] ? finish_wait+0x270/0x270 [372.591594] ? release_extent_buffer+0x224/0x420 [btrfs] [372.599264] btrfs_qgroup_rescan_worker+0xc13/0x10c0 [btrfs] [372.607157] ? lock_release+0x3a9/0x6d0 [372.613054] ? btrfs_qgroup_account_extent+0xda0/0xda0 [btrfs] [372.620960] ? do_raw_spin_lock+0x11e/0x250 [372.627137] ? rwlock_bug.part.0+0x90/0x90 [372.633215] ? lock_is_held_type+0xe4/0x140 [372.639404] btrfs_work_helper+0x1ae/0xa90 [btrfs] [372.646268] process_one_work+0x7e9/0x1320 [372.652321] ? lock_release+0x6d0/0x6d0 [372.658081] ? pwq_dec_nr_in_flight+0x230/0x230 [372.664513] ? rwlock_bug.part.0+0x90/0x90 [372.670529] worker_thread+0x59e/0xf90 [372.676172] ? process_one_work+0x1320/0x1320 [372.682440] kthread+0x3b9/0x490 [372.687550] ? _raw_spin_unlock_irq+0x24/0x50 [372.693811] ? set_kthread_struct+0x100/0x100 [372.700052] ret_from_fork+0x22/0x30 [372.705517] [372.709747] INFO: task btrfs-transacti:2347 blocked for more than 123 seconds. [372.729827] Not tainted 5.16.0-rc8 #7 [372.745907] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [372.767106] task:btrfs-transacti state:D stack: 0 pid: 2347 ppid: 2 flags:0x00004000 [372.787776] Call Trace: [372.801652] [372.812961] __schedule+0xb56/0x4850 [372.830011] ? io_schedule_timeout+0x190/0x190 [372.852547] ? lockdep_hardirqs_on+0x7e/0x100 [372.871761] ? _raw_spin_unlock_irqrestore+0x3e/0x60 [372.886792] schedule+0xe0/0x270 [372.901685] wait_current_trans+0x22c/0x310 [btrfs] [372.919743] ? btrfs_put_transaction+0x3d0/0x3d0 [btrfs] [372.938923] ? finish_wait+0x270/0x270 [372.959085] ? join_transaction+0xc7 ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-48734"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-20T12:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock between quota disable and qgroup rescan worker\n\nQuota disable ioctl starts a transaction before waiting for the qgroup\nrescan worker completes. However, this wait can be infinite and results\nin deadlock because of circular dependency among the quota disable\nioctl, the qgroup rescan worker and the other task with transaction such\nas block group relocation task.\n\nThe deadlock happens with the steps following:\n\n1) Task A calls ioctl to disable quota. It starts a transaction and\n   waits for qgroup rescan worker completes.\n2) Task B such as block group relocation task starts a transaction and\n   joins to the transaction that task A started. Then task B commits to\n   the transaction. In this commit, task B waits for a commit by task A.\n3) Task C as the qgroup rescan worker starts its job and starts a\n   transaction. In this transaction start, task C waits for completion\n   of the transaction that task A started and task B committed.\n\nThis deadlock was found with fstests test case btrfs/115 and a zoned\nnull_blk device. The test case enables and disables quota, and the\nblock group reclaim was triggered during the quota disable by chance.\nThe deadlock was also observed by running quota enable and disable in\nparallel with \u0027btrfs balance\u0027 command on regular null_blk devices.\n\nAn example report of the deadlock:\n\n  [372.469894] INFO: task kworker/u16:6:103 blocked for more than 122 seconds.\n  [372.479944]       Not tainted 5.16.0-rc8 #7\n  [372.485067] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  [372.493898] task:kworker/u16:6   state:D stack:    0 pid:  103 ppid:     2 flags:0x00004000\n  [372.503285] Workqueue: btrfs-qgroup-rescan btrfs_work_helper [btrfs]\n  [372.510782] Call Trace:\n  [372.514092]  \u003cTASK\u003e\n  [372.521684]  __schedule+0xb56/0x4850\n  [372.530104]  ? io_schedule_timeout+0x190/0x190\n  [372.538842]  ? lockdep_hardirqs_on+0x7e/0x100\n  [372.547092]  ? _raw_spin_unlock_irqrestore+0x3e/0x60\n  [372.555591]  schedule+0xe0/0x270\n  [372.561894]  btrfs_commit_transaction+0x18bb/0x2610 [btrfs]\n  [372.570506]  ? btrfs_apply_pending_changes+0x50/0x50 [btrfs]\n  [372.578875]  ? free_unref_page+0x3f2/0x650\n  [372.585484]  ? finish_wait+0x270/0x270\n  [372.591594]  ? release_extent_buffer+0x224/0x420 [btrfs]\n  [372.599264]  btrfs_qgroup_rescan_worker+0xc13/0x10c0 [btrfs]\n  [372.607157]  ? lock_release+0x3a9/0x6d0\n  [372.613054]  ? btrfs_qgroup_account_extent+0xda0/0xda0 [btrfs]\n  [372.620960]  ? do_raw_spin_lock+0x11e/0x250\n  [372.627137]  ? rwlock_bug.part.0+0x90/0x90\n  [372.633215]  ? lock_is_held_type+0xe4/0x140\n  [372.639404]  btrfs_work_helper+0x1ae/0xa90 [btrfs]\n  [372.646268]  process_one_work+0x7e9/0x1320\n  [372.652321]  ? lock_release+0x6d0/0x6d0\n  [372.658081]  ? pwq_dec_nr_in_flight+0x230/0x230\n  [372.664513]  ? rwlock_bug.part.0+0x90/0x90\n  [372.670529]  worker_thread+0x59e/0xf90\n  [372.676172]  ? process_one_work+0x1320/0x1320\n  [372.682440]  kthread+0x3b9/0x490\n  [372.687550]  ? _raw_spin_unlock_irq+0x24/0x50\n  [372.693811]  ? set_kthread_struct+0x100/0x100\n  [372.700052]  ret_from_fork+0x22/0x30\n  [372.705517]  \u003c/TASK\u003e\n  [372.709747] INFO: task btrfs-transacti:2347 blocked for more than 123 seconds.\n  [372.729827]       Not tainted 5.16.0-rc8 #7\n  [372.745907] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  [372.767106] task:btrfs-transacti state:D stack:    0 pid: 2347 ppid:     2 flags:0x00004000\n  [372.787776] Call Trace:\n  [372.801652]  \u003cTASK\u003e\n  [372.812961]  __schedule+0xb56/0x4850\n  [372.830011]  ? io_schedule_timeout+0x190/0x190\n  [372.852547]  ? lockdep_hardirqs_on+0x7e/0x100\n  [372.871761]  ? _raw_spin_unlock_irqrestore+0x3e/0x60\n  [372.886792]  schedule+0xe0/0x270\n  [372.901685]  wait_current_trans+0x22c/0x310 [btrfs]\n  [372.919743]  ? btrfs_put_transaction+0x3d0/0x3d0 [btrfs]\n  [372.938923]  ? finish_wait+0x270/0x270\n  [372.959085]  ? join_transaction+0xc7\n---truncated---",
  "id": "GHSA-wrfr-rmr8-j7gx",
  "modified": "2024-08-19T18:32:03Z",
  "published": "2024-06-20T12:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48734"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/26b3901d20bf9da2c6a00cb1fb48932166f80a45"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/31198e58c09e21d4f65c49d2361f76b87aca4c3f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/32747e01436aac8ef93fe85b5b523b4f3b52f040"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/89d4cca583fc9594ee7d1a0bc986886d6fb587e6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e804861bd4e69cc5fe1053eedcb024982dde8e48"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.