ghsa-w74v-3fr4-63jv
Vulnerability from github
Published
2025-06-18 12:30
Modified
2025-06-18 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted

Following process will fail assertion 'jh->b_frozen_data == NULL' in jbd2_journal_dirty_metadata():

               jbd2_journal_commit_transaction

unlink(dir/a) jh->b_transaction = trans1 jh->b_jlist = BJ_Metadata journal->j_running_transaction = NULL trans1->t_state = T_COMMIT unlink(dir/b) handle->h_trans = trans2 do_get_write_access jh->b_modified = 0 jh->b_frozen_data = frozen_buffer jh->b_next_transaction = trans2 jbd2_journal_dirty_metadata is_handle_aborted is_journal_aborted // return false

       --> jbd2 abort <--

                 while (commit_transaction->t_buffers)
                  if (is_journal_aborted)
                   jbd2_journal_refile_buffer
                    __jbd2_journal_refile_buffer
                     WRITE_ONCE(jh->b_transaction,
                    jh->b_next_transaction)
                     WRITE_ONCE(jh->b_next_transaction, NULL)
                     __jbd2_journal_file_buffer(jh, BJ_Reserved)
    J_ASSERT_JH(jh, jh->b_frozen_data == NULL) // assertion failure !

The reproducer (See detail in [Link]) reports: ------------[ cut here ]------------ kernel BUG at fs/jbd2/transaction.c:1629! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 2 PID: 584 Comm: unlink Tainted: G W 5.19.0-rc6-00115-g4a57a8400075-dirty #697 RIP: 0010:jbd2_journal_dirty_metadata+0x3c5/0x470 RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202 Call Trace: __ext4_handle_dirty_metadata+0xa0/0x290 ext4_handle_dirty_dirblock+0x10c/0x1d0 ext4_delete_entry+0x104/0x200 __ext4_unlink+0x22b/0x360 ext4_unlink+0x275/0x390 vfs_unlink+0x20b/0x4c0 do_unlinkat+0x42f/0x4c0 __x64_sys_unlink+0x37/0x50 do_syscall_64+0x35/0x80

After journal aborting, __jbd2_journal_refile_buffer() is executed with holding @jh->b_state_lock, we can fix it by moving 'is_handle_aborted()' into the area protected by @jh->b_state_lock.

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2022-50126"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:42Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: fix assertion \u0027jh-\u003eb_frozen_data == NULL\u0027 failure when journal aborted\n\nFollowing process will fail assertion \u0027jh-\u003eb_frozen_data == NULL\u0027 in\njbd2_journal_dirty_metadata():\n\n                   jbd2_journal_commit_transaction\nunlink(dir/a)\n jh-\u003eb_transaction = trans1\n jh-\u003eb_jlist = BJ_Metadata\n                    journal-\u003ej_running_transaction = NULL\n                    trans1-\u003et_state = T_COMMIT\nunlink(dir/b)\n handle-\u003eh_trans = trans2\n do_get_write_access\n  jh-\u003eb_modified = 0\n  jh-\u003eb_frozen_data = frozen_buffer\n  jh-\u003eb_next_transaction = trans2\n jbd2_journal_dirty_metadata\n  is_handle_aborted\n   is_journal_aborted // return false\n\n           --\u003e jbd2 abort \u003c--\n\n                     while (commit_transaction-\u003et_buffers)\n                      if (is_journal_aborted)\n                       jbd2_journal_refile_buffer\n                        __jbd2_journal_refile_buffer\n                         WRITE_ONCE(jh-\u003eb_transaction,\n\t\t\t\t\t\tjh-\u003eb_next_transaction)\n                         WRITE_ONCE(jh-\u003eb_next_transaction, NULL)\n                         __jbd2_journal_file_buffer(jh, BJ_Reserved)\n        J_ASSERT_JH(jh, jh-\u003eb_frozen_data == NULL) // assertion failure !\n\nThe reproducer (See detail in [Link]) reports:\n ------------[ cut here ]------------\n kernel BUG at fs/jbd2/transaction.c:1629!\n invalid opcode: 0000 [#1] PREEMPT SMP\n CPU: 2 PID: 584 Comm: unlink Tainted: G        W\n 5.19.0-rc6-00115-g4a57a8400075-dirty #697\n RIP: 0010:jbd2_journal_dirty_metadata+0x3c5/0x470\n RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202\n Call Trace:\n  \u003cTASK\u003e\n  __ext4_handle_dirty_metadata+0xa0/0x290\n  ext4_handle_dirty_dirblock+0x10c/0x1d0\n  ext4_delete_entry+0x104/0x200\n  __ext4_unlink+0x22b/0x360\n  ext4_unlink+0x275/0x390\n  vfs_unlink+0x20b/0x4c0\n  do_unlinkat+0x42f/0x4c0\n  __x64_sys_unlink+0x37/0x50\n  do_syscall_64+0x35/0x80\n\nAfter journal aborting, __jbd2_journal_refile_buffer() is executed with\nholding @jh-\u003eb_state_lock, we can fix it by moving \u0027is_handle_aborted()\u0027\ninto the area protected by @jh-\u003eb_state_lock.",
  "id": "GHSA-w74v-3fr4-63jv",
  "modified": "2025-06-18T12:30:50Z",
  "published": "2025-06-18T12:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50126"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f61c6dc4b714be9d79cf0782ca02ba01c1b7ac3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4a734f0869f970b8a9b65062ea40b09a5da9dba8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6073389db83b903678a0920554fa19f5bdc51c48"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/731c1662d838fe954c6759e3ee43229b0d928fe4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ddd896792e1718cb84c96f3e618270589b6886dc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e62f79827784f56499a50ea2e893c98317b5407b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f7161d0da975adc234161cd0641d0e484f5ce375"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fa5b65d39332fef7a11ae99cb1f0696012a61527"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…

Loading…