fkie_cve-2022-50126
Vulnerability from fkie_nvd
Published: 2025-06-18 11:15
Modified: 2025-06-18 13:47
Severity: not yet scored (NVD status: Awaiting Analysis)
Summary
In the Linux kernel, the following vulnerability has been resolved:
jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted
The following process will fail the assertion 'jh->b_frozen_data == NULL' in
jbd2_journal_dirty_metadata() (left column: the commit thread; right column: the unlink callers):

jbd2_journal_commit_transaction
                                  unlink(dir/a)
                                    jh->b_transaction = trans1
                                    jh->b_jlist = BJ_Metadata
journal->j_running_transaction = NULL
trans1->t_state = T_COMMIT
                                  unlink(dir/b)
                                    handle->h_trans = trans2
                                    do_get_write_access
                                      jh->b_modified = 0
                                      jh->b_frozen_data = frozen_buffer
                                      jh->b_next_transaction = trans2
                                    jbd2_journal_dirty_metadata
                                      is_handle_aborted
                                        is_journal_aborted // return false

                                  --> jbd2 abort <--

while (commit_transaction->t_buffers)
  if (is_journal_aborted)
    jbd2_journal_refile_buffer
      __jbd2_journal_refile_buffer
        WRITE_ONCE(jh->b_transaction,
                   jh->b_next_transaction)
        WRITE_ONCE(jh->b_next_transaction, NULL)
        __jbd2_journal_file_buffer(jh, BJ_Reserved)
                                      J_ASSERT_JH(jh, jh->b_frozen_data == NULL) // assertion failure !
The reproducer (See detail in [Link]) reports:

 ------------[ cut here ]------------
 kernel BUG at fs/jbd2/transaction.c:1629!
 invalid opcode: 0000 [#1] PREEMPT SMP
 CPU: 2 PID: 584 Comm: unlink Tainted: G W
   5.19.0-rc6-00115-g4a57a8400075-dirty #697
 RIP: 0010:jbd2_journal_dirty_metadata+0x3c5/0x470
 RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202
 Call Trace:
  <TASK>
  __ext4_handle_dirty_metadata+0xa0/0x290
  ext4_handle_dirty_dirblock+0x10c/0x1d0
  ext4_delete_entry+0x104/0x200
  __ext4_unlink+0x22b/0x360
  ext4_unlink+0x275/0x390
  vfs_unlink+0x20b/0x4c0
  do_unlinkat+0x42f/0x4c0
  __x64_sys_unlink+0x37/0x50
  do_syscall_64+0x35/0x80
After the journal aborts, __jbd2_journal_refile_buffer() is executed while
holding @jh->b_state_lock; we can fix it by moving 'is_handle_aborted()'
into the area protected by @jh->b_state_lock.
References (stable kernel commits, source 416baaa9-dc9f-4396-8d5f-8c081fb06d67)
- https://git.kernel.org/stable/c/0f61c6dc4b714be9d79cf0782ca02ba01c1b7ac3
- https://git.kernel.org/stable/c/4a734f0869f970b8a9b65062ea40b09a5da9dba8
- https://git.kernel.org/stable/c/6073389db83b903678a0920554fa19f5bdc51c48
- https://git.kernel.org/stable/c/731c1662d838fe954c6759e3ee43229b0d928fe4
- https://git.kernel.org/stable/c/ddd896792e1718cb84c96f3e618270589b6886dc
- https://git.kernel.org/stable/c/e62f79827784f56499a50ea2e893c98317b5407b
- https://git.kernel.org/stable/c/f7161d0da975adc234161cd0641d0e484f5ce375
- https://git.kernel.org/stable/c/fa5b65d39332fef7a11ae99cb1f0696012a61527
Impacted products
Vendor | Product | Version |
---|---|---|
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted\n\nFollowing process will fail assertion 'jh->b_frozen_data == NULL' in\njbd2_journal_dirty_metadata():\n\n jbd2_journal_commit_transaction\nunlink(dir/a)\n jh->b_transaction = trans1\n jh->b_jlist = BJ_Metadata\n journal->j_running_transaction = NULL\n trans1->t_state = T_COMMIT\nunlink(dir/b)\n handle->h_trans = trans2\n do_get_write_access\n jh->b_modified = 0\n jh->b_frozen_data = frozen_buffer\n jh->b_next_transaction = trans2\n jbd2_journal_dirty_metadata\n is_handle_aborted\n is_journal_aborted // return false\n\n --> jbd2 abort <--\n\n while (commit_transaction->t_buffers)\n if (is_journal_aborted)\n jbd2_journal_refile_buffer\n __jbd2_journal_refile_buffer\n WRITE_ONCE(jh->b_transaction,\n\t\t\t\t\t\tjh->b_next_transaction)\n WRITE_ONCE(jh->b_next_transaction, NULL)\n __jbd2_journal_file_buffer(jh, BJ_Reserved)\n J_ASSERT_JH(jh, jh->b_frozen_data == NULL) // assertion failure !\n\nThe reproducer (See detail in [Link]) reports:\n ------------[ cut here ]------------\n kernel BUG at fs/jbd2/transaction.c:1629!\n invalid opcode: 0000 [#1] PREEMPT SMP\n CPU: 2 PID: 584 Comm: unlink Tainted: G W\n 5.19.0-rc6-00115-g4a57a8400075-dirty #697\n RIP: 0010:jbd2_journal_dirty_metadata+0x3c5/0x470\n RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202\n Call Trace:\n <TASK>\n __ext4_handle_dirty_metadata+0xa0/0x290\n ext4_handle_dirty_dirblock+0x10c/0x1d0\n ext4_delete_entry+0x104/0x200\n __ext4_unlink+0x22b/0x360\n ext4_unlink+0x275/0x390\n vfs_unlink+0x20b/0x4c0\n do_unlinkat+0x42f/0x4c0\n __x64_sys_unlink+0x37/0x50\n do_syscall_64+0x35/0x80\n\nAfter journal aborting, __jbd2_journal_refile_buffer() is executed with\nholding @jh->b_state_lock, we can fix it by moving 'is_handle_aborted()'\ninto the area protected by @jh->b_state_lock."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: jbd2: se corrige el error de aserción 'jh->b_frozen_data == NULL' cuando se aborta el diario El siguiente proceso fallará la aserción 'jh->b_frozen_data == NULL' en jbd2_journal_dirty_metadata(): jbd2_journal_commit_transaction unlink(dir/a) jh->b_transaction = trans1 jh->b_jlist = BJ_Metadata journal->j_running_transaction = NULL trans1->t_state = T_COMMIT unlink(dir/b) handle->h_trans = trans2 do_get_write_access jh->b_modified = 0 jh->b_frozen_data = frozen_buffer jh->b_next_transaction = trans2 jbd2_journal_dirty_metadata is_handle_aborted is_journal_aborted // devuelve falso --> jbd2 abort <-- while (commit_transaction->t_buffers) if (is_journal_aborted) jbd2_journal_refile_buffer __jbd2_journal_refile_buffer WRITE_ONCE(jh->b_transaction, jh->b_next_transaction) WRITE_ONCE(jh->b_next_transaction, NULL) __jbd2_journal_file_buffer(jh, BJ_Reserved) J_ASSERT_JH(jh, jh->b_frozen_data == NULL) // ¡Fallo de aserción! El reproductor (ver detalles en [Enlace]) informa: ------------[ cortar aquí ]------------ ¡ERROR del kernel en fs/jbd2/transaction.c:1629! código de operación no válido: 0000 [#1] PREEMPT SMP CPU: 2 PID: 584 Comm: desvincular Contaminado: GW 5.19.0-rc6-00115-g4a57a8400075-dirty #697 RIP: 0010:jbd2_journal_dirty_metadata+0x3c5/0x470 RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202 Rastreo de llamadas: __ext4_handle_dirty_metadata+0xa0/0x290 ext4_handle_dirty_dirblock+0x10c/0x1d0 ext4_delete_entry+0x104/0x200 __ext4_unlink+0x22b/0x360 ext4_unlink+0x275/0x390 vfs_unlink+0x20b/0x4c0 do_unlinkat+0x42f/0x4c0 __x64_sys_unlink+0x37/0x50 do_syscall_64+0x35/0x80 Después de abortar el diario, se ejecuta __jbd2_journal_refile_buffer() manteniendo presionado @jh->b_state_lock. Podemos solucionarlo moviendo 'is_handle_aborted()' al área protegida por @jh->b_state_lock."
    }
  ],
  "id": "CVE-2022-50126",
  "lastModified": "2025-06-18T13:47:40.833",
  "metrics": {},
  "published": "2025-06-18T11:15:42.360",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/0f61c6dc4b714be9d79cf0782ca02ba01c1b7ac3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/4a734f0869f970b8a9b65062ea40b09a5da9dba8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6073389db83b903678a0920554fa19f5bdc51c48"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/731c1662d838fe954c6759e3ee43229b0d928fe4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ddd896792e1718cb84c96f3e618270589b6886dc"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e62f79827784f56499a50ea2e893c98317b5407b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f7161d0da975adc234161cd0641d0e484f5ce375"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/fa5b65d39332fef7a11ae99cb1f0696012a61527"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}
Sightings
Author | Source | Type | Date |
---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.