ghsa-cxv9-gjhh-qgrr
Vulnerability from github
Published
2025-06-18 12:30
Modified
2025-06-18 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: replace BTRFS_MAX_EXTENT_SIZE with fs_info->max_extent_size

On zoned filesystem, data write out is limited by max_zone_append_size, and a large ordered extent is split according the size of a bio. OTOH, the number of extents to be written is calculated using BTRFS_MAX_EXTENT_SIZE, and that estimated number is used to reserve the metadata bytes to update and/or create the metadata items.

The metadata reservation is done at e.g, btrfs_buffered_write() and then released according to the estimation changes. Thus, if the number of extent increases massively, the reserved metadata can run out.

The increase of the number of extents easily occurs on zoned filesystem if BTRFS_MAX_EXTENT_SIZE > max_zone_append_size. And, it causes the following warning on a small RAM environment with disabling metadata over-commit (in the following patch).

[75721.498492] ------------[ cut here ]------------ [75721.505624] BTRFS: block rsv 1 returned -28 [75721.512230] WARNING: CPU: 24 PID: 2327559 at fs/btrfs/block-rsv.c:537 btrfs_use_block_rsv+0x560/0x760 [btrfs] [75721.581854] CPU: 24 PID: 2327559 Comm: kworker/u64:10 Kdump: loaded Tainted: G W 5.18.0-rc2-BTRFS-ZNS+ #109 [75721.597200] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021 [75721.607310] Workqueue: btrfs-endio-write btrfs_work_helper [btrfs] [75721.616209] RIP: 0010:btrfs_use_block_rsv+0x560/0x760 [btrfs] [75721.646649] RSP: 0018:ffffc9000fbdf3e0 EFLAGS: 00010286 [75721.654126] RAX: 0000000000000000 RBX: 0000000000004000 RCX: 0000000000000000 [75721.663524] RDX: 0000000000000004 RSI: 0000000000000008 RDI: fffff52001f7be6e [75721.672921] RBP: ffffc9000fbdf420 R08: 0000000000000001 R09: ffff889f8d1fc6c7 [75721.682493] R10: ffffed13f1a3f8d8 R11: 0000000000000001 R12: ffff88980a3c0e28 [75721.692284] R13: ffff889b66590000 R14: ffff88980a3c0e40 R15: ffff88980a3c0e8a [75721.701878] FS: 0000000000000000(0000) GS:ffff889f8d000000(0000) knlGS:0000000000000000 [75721.712601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [75721.720726] CR2: 000055d12e05c018 CR3: 0000800193594000 CR4: 0000000000350ee0 [75721.730499] Call Trace: [75721.735166] [75721.739886] btrfs_alloc_tree_block+0x1e1/0x1100 [btrfs] [75721.747545] ? btrfs_alloc_logged_file_extent+0x550/0x550 [btrfs] [75721.756145] ? btrfs_get_32+0xea/0x2d0 [btrfs] [75721.762852] ? btrfs_get_32+0xea/0x2d0 [btrfs] [75721.769520] ? push_leaf_left+0x420/0x620 [btrfs] [75721.776431] ? memcpy+0x4e/0x60 [75721.781931] split_leaf+0x433/0x12d0 [btrfs] [75721.788392] ? btrfs_get_token_32+0x580/0x580 [btrfs] [75721.795636] ? push_for_double_split.isra.0+0x420/0x420 [btrfs] [75721.803759] ? leaf_space_used+0x15d/0x1a0 [btrfs] [75721.811156] btrfs_search_slot+0x1bc3/0x2790 [btrfs] [75721.818300] ? lock_downgrade+0x7c0/0x7c0 [75721.824411] ? free_extent_buffer.part.0+0x107/0x200 [btrfs] [75721.832456] ? split_leaf+0x12d0/0x12d0 [btrfs] [75721.839149] ? free_extent_buffer.part.0+0x14f/0x200 [btrfs] [75721.846945] ? free_extent_buffer+0x13/0x20 [btrfs] [75721.853960] ? btrfs_release_path+0x4b/0x190 [btrfs] [75721.861429] btrfs_csum_file_blocks+0x85c/0x1500 [btrfs] [75721.869313] ? rcu_read_lock_sched_held+0x16/0x80 [75721.876085] ? lock_release+0x552/0xf80 [75721.881957] ? btrfs_del_csums+0x8c0/0x8c0 [btrfs] [75721.888886] ? __kasan_check_write+0x14/0x20 [75721.895152] ? do_raw_read_unlock+0x44/0x80 [75721.901323] ? _raw_write_lock_irq+0x60/0x80 [75721.907983] ? btrfs_global_root+0xb9/0xe0 [btrfs] [75721.915166] ? btrfs_csum_root+0x12b/0x180 [btrfs] [75721.921918] ? btrfs_get_global_root+0x820/0x820 [btrfs] [75721.929166] ? _raw_write_unlock+0x23/0x40 [75721.935116] ? unpin_extent_cache+0x1e3/0x390 [btrfs] [75721.942041] btrfs_finish_ordered_io.isra.0+0xa0c/0x1dc0 [btrfs] [75721.949906] ? try_to_wake_up+0x30/0x14a0 [75721.955700] ? btrfs_unlink_subvol+0xda0/0xda0 [btrfs] [75721.962661] ? rcu ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50090"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:38Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: replace BTRFS_MAX_EXTENT_SIZE with fs_info-\u003emax_extent_size\n\nOn zoned filesystem, data write out is limited by max_zone_append_size,\nand a large ordered extent is split according the size of a bio. OTOH,\nthe number of extents to be written is calculated using\nBTRFS_MAX_EXTENT_SIZE, and that estimated number is used to reserve the\nmetadata bytes to update and/or create the metadata items.\n\nThe metadata reservation is done at e.g, btrfs_buffered_write() and then\nreleased according to the estimation changes. Thus, if the number of extent\nincreases massively, the reserved metadata can run out.\n\nThe increase of the number of extents easily occurs on zoned filesystem\nif BTRFS_MAX_EXTENT_SIZE \u003e max_zone_append_size. And, it causes the\nfollowing warning on a small RAM environment with disabling metadata\nover-commit (in the following patch).\n\n[75721.498492] ------------[ cut here ]------------\n[75721.505624] BTRFS: block rsv 1 returned -28\n[75721.512230] WARNING: CPU: 24 PID: 2327559 at fs/btrfs/block-rsv.c:537 btrfs_use_block_rsv+0x560/0x760 [btrfs]\n[75721.581854] CPU: 24 PID: 2327559 Comm: kworker/u64:10 Kdump: loaded Tainted: G        W         5.18.0-rc2-BTRFS-ZNS+ #109\n[75721.597200] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021\n[75721.607310] Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]\n[75721.616209] RIP: 0010:btrfs_use_block_rsv+0x560/0x760 [btrfs]\n[75721.646649] RSP: 0018:ffffc9000fbdf3e0 EFLAGS: 00010286\n[75721.654126] RAX: 0000000000000000 RBX: 0000000000004000 RCX: 0000000000000000\n[75721.663524] RDX: 0000000000000004 RSI: 0000000000000008 RDI: fffff52001f7be6e\n[75721.672921] RBP: ffffc9000fbdf420 R08: 0000000000000001 R09: ffff889f8d1fc6c7\n[75721.682493] R10: ffffed13f1a3f8d8 R11: 0000000000000001 R12: ffff88980a3c0e28\n[75721.692284] R13: ffff889b66590000 R14: ffff88980a3c0e40 R15: ffff88980a3c0e8a\n[75721.701878] FS:  0000000000000000(0000) GS:ffff889f8d000000(0000) knlGS:0000000000000000\n[75721.712601] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[75721.720726] CR2: 000055d12e05c018 CR3: 0000800193594000 CR4: 0000000000350ee0\n[75721.730499] Call Trace:\n[75721.735166]  \u003cTASK\u003e\n[75721.739886]  btrfs_alloc_tree_block+0x1e1/0x1100 [btrfs]\n[75721.747545]  ? btrfs_alloc_logged_file_extent+0x550/0x550 [btrfs]\n[75721.756145]  ? btrfs_get_32+0xea/0x2d0 [btrfs]\n[75721.762852]  ? btrfs_get_32+0xea/0x2d0 [btrfs]\n[75721.769520]  ? push_leaf_left+0x420/0x620 [btrfs]\n[75721.776431]  ? memcpy+0x4e/0x60\n[75721.781931]  split_leaf+0x433/0x12d0 [btrfs]\n[75721.788392]  ? btrfs_get_token_32+0x580/0x580 [btrfs]\n[75721.795636]  ? push_for_double_split.isra.0+0x420/0x420 [btrfs]\n[75721.803759]  ? leaf_space_used+0x15d/0x1a0 [btrfs]\n[75721.811156]  btrfs_search_slot+0x1bc3/0x2790 [btrfs]\n[75721.818300]  ? lock_downgrade+0x7c0/0x7c0\n[75721.824411]  ? free_extent_buffer.part.0+0x107/0x200 [btrfs]\n[75721.832456]  ? split_leaf+0x12d0/0x12d0 [btrfs]\n[75721.839149]  ? free_extent_buffer.part.0+0x14f/0x200 [btrfs]\n[75721.846945]  ? free_extent_buffer+0x13/0x20 [btrfs]\n[75721.853960]  ? btrfs_release_path+0x4b/0x190 [btrfs]\n[75721.861429]  btrfs_csum_file_blocks+0x85c/0x1500 [btrfs]\n[75721.869313]  ? rcu_read_lock_sched_held+0x16/0x80\n[75721.876085]  ? lock_release+0x552/0xf80\n[75721.881957]  ? btrfs_del_csums+0x8c0/0x8c0 [btrfs]\n[75721.888886]  ? __kasan_check_write+0x14/0x20\n[75721.895152]  ? do_raw_read_unlock+0x44/0x80\n[75721.901323]  ? _raw_write_lock_irq+0x60/0x80\n[75721.907983]  ? btrfs_global_root+0xb9/0xe0 [btrfs]\n[75721.915166]  ? btrfs_csum_root+0x12b/0x180 [btrfs]\n[75721.921918]  ? btrfs_get_global_root+0x820/0x820 [btrfs]\n[75721.929166]  ? _raw_write_unlock+0x23/0x40\n[75721.935116]  ? unpin_extent_cache+0x1e3/0x390 [btrfs]\n[75721.942041]  btrfs_finish_ordered_io.isra.0+0xa0c/0x1dc0 [btrfs]\n[75721.949906]  ? try_to_wake_up+0x30/0x14a0\n[75721.955700]  ? btrfs_unlink_subvol+0xda0/0xda0 [btrfs]\n[75721.962661]  ? rcu\n---truncated---",
  "id": "GHSA-cxv9-gjhh-qgrr",
  "modified": "2025-06-18T12:30:47Z",
  "published": "2025-06-18T12:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50090"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/096e8eb9639b342bc35f9b741cf05e26d0106e92"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1aa262c1d056551dd1246115af8b7e351184deae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6cb4b96df97082a54634ba02196516919cda228c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f7b12a62f008a3041f42f2426983e59a6a0a3c59"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.