CVE-2022-50089 (GCVE-0-2022-50089)
Vulnerability from cvelistv5
Published: 2025-06-18 11:02
Modified: 2025-06-18 11:02
Summary
In the Linux kernel, the following vulnerability has been resolved:

btrfs: ensure pages are unlocked on cow_file_range() failure

There is a hung_task report on zoned btrfs like below.

https://github.com/naota/linux/issues/59

  [726.328648] INFO: task rocksdb:high0:11085 blocked for more than 241 seconds.
  [726.329839]       Not tainted 5.16.0-rc1+ #1
  [726.330484] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  [726.331603] task:rocksdb:high0   state:D stack:    0 pid:11085 ppid: 11082 flags:0x00000000
  [726.331608] Call Trace:
  [726.331611]  <TASK>
  [726.331614]  __schedule+0x2e5/0x9d0
  [726.331622]  schedule+0x58/0xd0
  [726.331626]  io_schedule+0x3f/0x70
  [726.331629]  __folio_lock+0x125/0x200
  [726.331634]  ? find_get_entries+0x1bc/0x240
  [726.331638]  ? filemap_invalidate_unlock_two+0x40/0x40
  [726.331642]  truncate_inode_pages_range+0x5b2/0x770
  [726.331649]  truncate_inode_pages_final+0x44/0x50
  [726.331653]  btrfs_evict_inode+0x67/0x480
  [726.331658]  evict+0xd0/0x180
  [726.331661]  iput+0x13f/0x200
  [726.331664]  do_unlinkat+0x1c0/0x2b0
  [726.331668]  __x64_sys_unlink+0x23/0x30
  [726.331670]  do_syscall_64+0x3b/0xc0
  [726.331674]  entry_SYSCALL_64_after_hwframe+0x44/0xae
  [726.331677] RIP: 0033:0x7fb9490a171b
  [726.331681] RSP: 002b:00007fb943ffac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
  [726.331684] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb9490a171b
  [726.331686] RDX: 00007fb943ffb040 RSI: 000055a6bbe6ec20 RDI: 00007fb94400d300
  [726.331687] RBP: 00007fb943ffad00 R08: 0000000000000000 R09: 0000000000000000
  [726.331688] R10: 0000000000000031 R11: 0000000000000246 R12: 00007fb943ffb000
  [726.331690] R13: 00007fb943ffb040 R14: 0000000000000000 R15: 00007fb943ffd260
  [726.331693]  </TASK>

While we debug the issue, we found running fstests generic/551 on 5GB non-zoned null_blk device in the emulated zoned mode also had a similar hung issue.

Also, we can reproduce the same symptom with an error injected cow_file_range() setup.

The hang occurs when cow_file_range() fails in the middle of allocation. cow_file_range() called from do_allocation_zoned() can split the given region ([start, end]) for allocation depending on current block group usages. When btrfs can allocate bytes for one part of the split regions but fails for the other region (e.g. because of -ENOSPC), we return the error leaving the pages in the succeeded regions locked. Technically, this occurs only when @unlock == 0. Otherwise, we unlock the pages in an allocated region after creating an ordered extent.

Considering the callers of cow_file_range(unlock=0) won't write out the pages, we can unlock the pages on error exit from cow_file_range(). So, we can ensure all the pages except @locked_page are unlocked on error case.

In summary, cow_file_range now behaves like this:

- page_started == 1 (return value)
  - All the pages are unlocked. IO is started.
- unlock == 1
  - All the pages except @locked_page are unlocked in any case
- unlock == 0
  - On success, all the pages are locked for writing out them
  - On failure, all the pages except @locked_page are unlocked
Impacted products
Vendor: Linux
Product: Linux
Version: 42c011000963442ce533d92a492c4a057b2f5a46


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b367f125c80fa838eae49e3b138dc67dfc9f46ef",
              "status": "affected",
              "version": "42c011000963442ce533d92a492c4a057b2f5a46",
              "versionType": "git"
            },
            {
              "lessThan": "9535ec371d741fa037e37eddc0a5b25ba82d0027",
              "status": "affected",
              "version": "42c011000963442ce533d92a492c4a057b2f5a46",
              "versionType": "git"
            },
            {
              "lessThan": "e160aa87c87a9c4e0c8d1430235f715a3a91e2cd",
              "status": "affected",
              "version": "42c011000963442ce533d92a492c4a057b2f5a46",
              "versionType": "git"
            },
            {
              "lessThan": "9ce7466f372d83054c7494f6b3e4b9abaf3f0355",
              "status": "affected",
              "version": "42c011000963442ce533d92a492c4a057b2f5a46",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.61",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.18",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.2",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: ensure pages are unlocked on cow_file_range() failure\n\nThere is a hung_task report on zoned btrfs like below.\n\nhttps://github.com/naota/linux/issues/59\n\n  [726.328648] INFO: task rocksdb:high0:11085 blocked for more than 241 seconds.\n  [726.329839]       Not tainted 5.16.0-rc1+ #1\n  [726.330484] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  [726.331603] task:rocksdb:high0   state:D stack:    0 pid:11085 ppid: 11082 flags:0x00000000\n  [726.331608] Call Trace:\n  [726.331611]  \u003cTASK\u003e\n  [726.331614]  __schedule+0x2e5/0x9d0\n  [726.331622]  schedule+0x58/0xd0\n  [726.331626]  io_schedule+0x3f/0x70\n  [726.331629]  __folio_lock+0x125/0x200\n  [726.331634]  ? find_get_entries+0x1bc/0x240\n  [726.331638]  ? filemap_invalidate_unlock_two+0x40/0x40\n  [726.331642]  truncate_inode_pages_range+0x5b2/0x770\n  [726.331649]  truncate_inode_pages_final+0x44/0x50\n  [726.331653]  btrfs_evict_inode+0x67/0x480\n  [726.331658]  evict+0xd0/0x180\n  [726.331661]  iput+0x13f/0x200\n  [726.331664]  do_unlinkat+0x1c0/0x2b0\n  [726.331668]  __x64_sys_unlink+0x23/0x30\n  [726.331670]  do_syscall_64+0x3b/0xc0\n  [726.331674]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n  [726.331677] RIP: 0033:0x7fb9490a171b\n  [726.331681] RSP: 002b:00007fb943ffac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000057\n  [726.331684] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb9490a171b\n  [726.331686] RDX: 00007fb943ffb040 RSI: 000055a6bbe6ec20 RDI: 00007fb94400d300\n  [726.331687] RBP: 00007fb943ffad00 R08: 0000000000000000 R09: 0000000000000000\n  [726.331688] R10: 0000000000000031 R11: 0000000000000246 R12: 00007fb943ffb000\n  [726.331690] R13: 00007fb943ffb040 R14: 0000000000000000 R15: 00007fb943ffd260\n  [726.331693]  \u003c/TASK\u003e\n\nWhile we debug the issue, we found running fstests generic/551 on 5GB\nnon-zoned null_blk device in the 
emulated zoned mode also had a\nsimilar hung issue.\n\nAlso, we can reproduce the same symptom with an error injected\ncow_file_range() setup.\n\nThe hang occurs when cow_file_range() fails in the middle of\nallocation. cow_file_range() called from do_allocation_zoned() can\nsplit the give region ([start, end]) for allocation depending on\ncurrent block group usages. When btrfs can allocate bytes for one part\nof the split regions but fails for the other region (e.g. because of\n-ENOSPC), we return the error leaving the pages in the succeeded regions\nlocked. Technically, this occurs only when @unlock == 0. Otherwise, we\nunlock the pages in an allocated region after creating an ordered\nextent.\n\nConsidering the callers of cow_file_range(unlock=0) won\u0027t write out\nthe pages, we can unlock the pages on error exit from\ncow_file_range(). So, we can ensure all the pages except @locked_page\nare unlocked on error case.\n\nIn summary, cow_file_range now behaves like this:\n\n- page_started == 1 (return value)\n  - All the pages are unlocked. IO is started.\n- unlock == 1\n  - All the pages except @locked_page are unlocked in any case\n- unlock == 0\n  - On success, all the pages are locked for writing out them\n  - On failure, all the pages except @locked_page are unlocked"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T11:02:29.451Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b367f125c80fa838eae49e3b138dc67dfc9f46ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/9535ec371d741fa037e37eddc0a5b25ba82d0027"
        },
        {
          "url": "https://git.kernel.org/stable/c/e160aa87c87a9c4e0c8d1430235f715a3a91e2cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ce7466f372d83054c7494f6b3e4b9abaf3f0355"
        }
      ],
      "title": "btrfs: ensure pages are unlocked on cow_file_range() failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50089",
    "datePublished": "2025-06-18T11:02:29.451Z",
    "dateReserved": "2025-06-18T10:57:27.410Z",
    "dateUpdated": "2025-06-18T11:02:29.451Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-50089\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-06-18T11:15:38.023\",\"lastModified\":\"2025-06-18T13:47:40.833\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: ensure pages are unlocked on cow_file_range() failure\\n\\nThere is a hung_task report on zoned btrfs like below.\\n\\nhttps://github.com/naota/linux/issues/59\\n\\n  [726.328648] INFO: task rocksdb:high0:11085 blocked for more than 241 seconds.\\n  [726.329839]       Not tainted 5.16.0-rc1+ #1\\n  [726.330484] \\\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\n  [726.331603] task:rocksdb:high0   state:D stack:    0 pid:11085 ppid: 11082 flags:0x00000000\\n  [726.331608] Call Trace:\\n  [726.331611]  \u003cTASK\u003e\\n  [726.331614]  __schedule+0x2e5/0x9d0\\n  [726.331622]  schedule+0x58/0xd0\\n  [726.331626]  io_schedule+0x3f/0x70\\n  [726.331629]  __folio_lock+0x125/0x200\\n  [726.331634]  ? find_get_entries+0x1bc/0x240\\n  [726.331638]  ? 
filemap_invalidate_unlock_two+0x40/0x40\\n  [726.331642]  truncate_inode_pages_range+0x5b2/0x770\\n  [726.331649]  truncate_inode_pages_final+0x44/0x50\\n  [726.331653]  btrfs_evict_inode+0x67/0x480\\n  [726.331658]  evict+0xd0/0x180\\n  [726.331661]  iput+0x13f/0x200\\n  [726.331664]  do_unlinkat+0x1c0/0x2b0\\n  [726.331668]  __x64_sys_unlink+0x23/0x30\\n  [726.331670]  do_syscall_64+0x3b/0xc0\\n  [726.331674]  entry_SYSCALL_64_after_hwframe+0x44/0xae\\n  [726.331677] RIP: 0033:0x7fb9490a171b\\n  [726.331681] RSP: 002b:00007fb943ffac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000057\\n  [726.331684] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb9490a171b\\n  [726.331686] RDX: 00007fb943ffb040 RSI: 000055a6bbe6ec20 RDI: 00007fb94400d300\\n  [726.331687] RBP: 00007fb943ffad00 R08: 0000000000000000 R09: 0000000000000000\\n  [726.331688] R10: 0000000000000031 R11: 0000000000000246 R12: 00007fb943ffb000\\n  [726.331690] R13: 00007fb943ffb040 R14: 0000000000000000 R15: 00007fb943ffd260\\n  [726.331693]  \u003c/TASK\u003e\\n\\nWhile we debug the issue, we found running fstests generic/551 on 5GB\\nnon-zoned null_blk device in the emulated zoned mode also had a\\nsimilar hung issue.\\n\\nAlso, we can reproduce the same symptom with an error injected\\ncow_file_range() setup.\\n\\nThe hang occurs when cow_file_range() fails in the middle of\\nallocation. cow_file_range() called from do_allocation_zoned() can\\nsplit the give region ([start, end]) for allocation depending on\\ncurrent block group usages. When btrfs can allocate bytes for one part\\nof the split regions but fails for the other region (e.g. because of\\n-ENOSPC), we return the error leaving the pages in the succeeded regions\\nlocked. Technically, this occurs only when @unlock == 0. 
Otherwise, we\\nunlock the pages in an allocated region after creating an ordered\\nextent.\\n\\nConsidering the callers of cow_file_range(unlock=0) won\u0027t write out\\nthe pages, we can unlock the pages on error exit from\\ncow_file_range(). So, we can ensure all the pages except @locked_page\\nare unlocked on error case.\\n\\nIn summary, cow_file_range now behaves like this:\\n\\n- page_started == 1 (return value)\\n  - All the pages are unlocked. IO is started.\\n- unlock == 1\\n  - All the pages except @locked_page are unlocked in any case\\n- unlock == 0\\n  - On success, all the pages are locked for writing out them\\n  - On failure, all the pages except @locked_page are unlocked\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: garantizar que las p\u00e1ginas se desbloqueen en caso de fallo de cow_file_range() Hay un informe de hung_task en btrfs zonificados como el que se muestra a continuaci\u00f3n. https://github.com/naota/linux/issues/59 [726.328648] INFORMACI\u00d3N: la tarea rocksdb:high0:11085 se bloque\u00f3 durante m\u00e1s de 241 segundos. [726.329839] No contaminado 5.16.0-rc1+ #1 [726.330484] \\\"echo 0 \u0026gt; /proc/sys/kernel/hung_task_timeout_secs\\\" deshabilita este mensaje. [726.331603] tarea:rocksdb:high0 estado:D pila: 0 pid:11085 ppid: 11082 indicadores:0x00000000 [726.331608] Seguimiento de llamadas: [726.331611]   [726.331614] __schedule+0x2e5/0x9d0 [726.331622] schedule+0x58/0xd0 [726.331626] io_schedule+0x3f/0x70 [726.331629] __folio_lock+0x125/0x200 [726.331634] ? find_get_entries+0x1bc/0x240 [726.331638] ? 
filemap_invalidate_unlock_two+0x40/0x40 [726.331642] truncate_inode_pages_range+0x5b2/0x770 [726.331649] truncate_inode_pages_final+0x44/0x50 [726.331653] btrfs_evict_inode+0x67/0x480 [726.331658] evict+0xd0/0x180 [726.331661] iput+0x13f/0x200 [726.331664] do_unlinkat+0x1c0/0x2b0 [726.331668] __x64_sys_unlink+0x23/0x30 [726.331670] do_syscall_64+0x3b/0xc0 [726.331674] entry_SYSCALL_64_after_hwframe+0x44/0xae [726.331677] RIP: 0033:0x7fb9490a171b [726.331681] RSP: 002b:00007fb943ffac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000057 [726.331684] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb9490a171b [726.331686] RDX: 00007fb943ffb040 RSI: 000055a6bbe6ec20 RDI: 00007fb94400d300 [726.331687] RBP: 00007fb943ffad00 R08: 0000000000000000 R09: 0000000000000000 [726.331688] R10: 0000000000000031 R11: 0000000000000246 R12: 00007fb943ffb000 [726.331690] R13: 00007fb943ffb040 R14: 0000000000000000 R15: 00007fb943ffd260 [726.331693]  Mientras depur\u00e1bamos el problema, encontramos que ejecutar fstests generic/551 en un dispositivo null_blk sin zona de 5 GB en el modo de zona emulada tambi\u00e9n ten\u00eda un problema de bloqueo similar. Adem\u00e1s, podemos reproducir el mismo s\u00edntoma con un error inyectado en la configuraci\u00f3n de cow_file_range(). El bloqueo ocurre cuando cow_file_range() falla en medio de la asignaci\u00f3n. cow_file_range() llamado desde do_allocation_zoned() puede dividir la regi\u00f3n dada ([inicio, fin]) para la asignaci\u00f3n dependiendo de los usos actuales del grupo de bloques. Cuando btrfs puede asignar bytes para una parte de las regiones divididas pero falla para la otra regi\u00f3n (por ejemplo, debido a -ENOSPC), devolvemos el error dejando bloqueadas las p\u00e1ginas en las regiones exitosas. T\u00e9cnicamente, esto solo ocurre cuando @unlock == 0. De lo contrario, desbloqueamos las p\u00e1ginas en una regi\u00f3n asignada tras crear una extensi\u00f3n ordenada. 
Dado que quienes llaman a cow_file_range(unlock=0) no escribir\u00e1n las p\u00e1ginas, podemos desbloquearlas al salir de cow_file_range() en caso de error. Por lo tanto, podemos asegurar que todas las p\u00e1ginas, excepto @locked_page, se desbloqueen en caso de error. En resumen, cow_file_range ahora se comporta as\u00ed: - page_started == 1 (valor de retorno): todas las p\u00e1ginas est\u00e1n desbloqueadas. Se inicia la E/S. - unlock == 1: todas las p\u00e1ginas, excepto @locked_page, se desbloquean en cualquier caso. - unlock == 0: en caso de \u00e9xito, todas las p\u00e1ginas est\u00e1n bloqueadas para su escritura. - en caso de error, todas las p\u00e1ginas, excepto @locked_page, se desbloquean.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/9535ec371d741fa037e37eddc0a5b25ba82d0027\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9ce7466f372d83054c7494f6b3e4b9abaf3f0355\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b367f125c80fa838eae49e3b138dc67dfc9f46ef\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e160aa87c87a9c4e0c8d1430235f715a3a91e2cd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

