CVE-2022-50089 (GCVE-0-2022-50089)
Vulnerability from cvelistv5
Published: 2025-06-18 11:02
Modified: 2025-06-18 11:02
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:

btrfs: ensure pages are unlocked on cow_file_range() failure

There is a hung_task report on zoned btrfs like below.

https://github.com/naota/linux/issues/59

  [726.328648] INFO: task rocksdb:high0:11085 blocked for more than 241 seconds.
  [726.329839]       Not tainted 5.16.0-rc1+ #1
  [726.330484] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  [726.331603] task:rocksdb:high0   state:D stack:    0 pid:11085 ppid: 11082 flags:0x00000000
  [726.331608] Call Trace:
  [726.331611]  <TASK>
  [726.331614]  __schedule+0x2e5/0x9d0
  [726.331622]  schedule+0x58/0xd0
  [726.331626]  io_schedule+0x3f/0x70
  [726.331629]  __folio_lock+0x125/0x200
  [726.331634]  ? find_get_entries+0x1bc/0x240
  [726.331638]  ? filemap_invalidate_unlock_two+0x40/0x40
  [726.331642]  truncate_inode_pages_range+0x5b2/0x770
  [726.331649]  truncate_inode_pages_final+0x44/0x50
  [726.331653]  btrfs_evict_inode+0x67/0x480
  [726.331658]  evict+0xd0/0x180
  [726.331661]  iput+0x13f/0x200
  [726.331664]  do_unlinkat+0x1c0/0x2b0
  [726.331668]  __x64_sys_unlink+0x23/0x30
  [726.331670]  do_syscall_64+0x3b/0xc0
  [726.331674]  entry_SYSCALL_64_after_hwframe+0x44/0xae
  [726.331677] RIP: 0033:0x7fb9490a171b
  [726.331681] RSP: 002b:00007fb943ffac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
  [726.331684] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb9490a171b
  [726.331686] RDX: 00007fb943ffb040 RSI: 000055a6bbe6ec20 RDI: 00007fb94400d300
  [726.331687] RBP: 00007fb943ffad00 R08: 0000000000000000 R09: 0000000000000000
  [726.331688] R10: 0000000000000031 R11: 0000000000000246 R12: 00007fb943ffb000
  [726.331690] R13: 00007fb943ffb040 R14: 0000000000000000 R15: 00007fb943ffd260
  [726.331693]  </TASK>

While we debug the issue, we found running fstests generic/551 on 5GB non-zoned null_blk device in the emulated zoned mode also had a similar hung issue.

Also, we can reproduce the same symptom with an error injected cow_file_range() setup.

The hang occurs when cow_file_range() fails in the middle of allocation. cow_file_range() called from do_allocation_zoned() can split the given region ([start, end]) for allocation depending on current block group usages. When btrfs can allocate bytes for one part of the split regions but fails for the other region (e.g. because of -ENOSPC), we return the error leaving the pages in the succeeded regions locked. Technically, this occurs only when @unlock == 0. Otherwise, we unlock the pages in an allocated region after creating an ordered extent.

Considering the callers of cow_file_range(unlock=0) won't write out the pages, we can unlock the pages on error exit from cow_file_range(). So, we can ensure all the pages except @locked_page are unlocked on error case.

In summary, cow_file_range now behaves like this:

- page_started == 1 (return value)
  - All the pages are unlocked. IO is started.
- unlock == 1
  - All the pages except @locked_page are unlocked in any case
- unlock == 0
  - On success, all the pages are locked for writing out them
  - On failure, all the pages except @locked_page are unlocked

Impacted products
Vendor Product Version
Linux Linux Version: 42c011000963442ce533d92a492c4a057b2f5a46
Version: 42c011000963442ce533d92a492c4a057b2f5a46
Version: 42c011000963442ce533d92a492c4a057b2f5a46
Version: 42c011000963442ce533d92a492c4a057b2f5a46
   Linux Linux Version: 5.12


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b367f125c80fa838eae49e3b138dc67dfc9f46ef",
              "status": "affected",
              "version": "42c011000963442ce533d92a492c4a057b2f5a46",
              "versionType": "git"
            },
            {
              "lessThan": "9535ec371d741fa037e37eddc0a5b25ba82d0027",
              "status": "affected",
              "version": "42c011000963442ce533d92a492c4a057b2f5a46",
              "versionType": "git"
            },
            {
              "lessThan": "e160aa87c87a9c4e0c8d1430235f715a3a91e2cd",
              "status": "affected",
              "version": "42c011000963442ce533d92a492c4a057b2f5a46",
              "versionType": "git"
            },
            {
              "lessThan": "9ce7466f372d83054c7494f6b3e4b9abaf3f0355",
              "status": "affected",
              "version": "42c011000963442ce533d92a492c4a057b2f5a46",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.61",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.18",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.2",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: ensure pages are unlocked on cow_file_range() failure\n\nThere is a hung_task report on zoned btrfs like below.\n\nhttps://github.com/naota/linux/issues/59\n\n  [726.328648] INFO: task rocksdb:high0:11085 blocked for more than 241 seconds.\n  [726.329839]       Not tainted 5.16.0-rc1+ #1\n  [726.330484] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  [726.331603] task:rocksdb:high0   state:D stack:    0 pid:11085 ppid: 11082 flags:0x00000000\n  [726.331608] Call Trace:\n  [726.331611]  \u003cTASK\u003e\n  [726.331614]  __schedule+0x2e5/0x9d0\n  [726.331622]  schedule+0x58/0xd0\n  [726.331626]  io_schedule+0x3f/0x70\n  [726.331629]  __folio_lock+0x125/0x200\n  [726.331634]  ? find_get_entries+0x1bc/0x240\n  [726.331638]  ? filemap_invalidate_unlock_two+0x40/0x40\n  [726.331642]  truncate_inode_pages_range+0x5b2/0x770\n  [726.331649]  truncate_inode_pages_final+0x44/0x50\n  [726.331653]  btrfs_evict_inode+0x67/0x480\n  [726.331658]  evict+0xd0/0x180\n  [726.331661]  iput+0x13f/0x200\n  [726.331664]  do_unlinkat+0x1c0/0x2b0\n  [726.331668]  __x64_sys_unlink+0x23/0x30\n  [726.331670]  do_syscall_64+0x3b/0xc0\n  [726.331674]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n  [726.331677] RIP: 0033:0x7fb9490a171b\n  [726.331681] RSP: 002b:00007fb943ffac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000057\n  [726.331684] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb9490a171b\n  [726.331686] RDX: 00007fb943ffb040 RSI: 000055a6bbe6ec20 RDI: 00007fb94400d300\n  [726.331687] RBP: 00007fb943ffad00 R08: 0000000000000000 R09: 0000000000000000\n  [726.331688] R10: 0000000000000031 R11: 0000000000000246 R12: 00007fb943ffb000\n  [726.331690] R13: 00007fb943ffb040 R14: 0000000000000000 R15: 00007fb943ffd260\n  [726.331693]  \u003c/TASK\u003e\n\nWhile we debug the issue, we found running fstests generic/551 on 5GB\nnon-zoned null_blk device in the 
emulated zoned mode also had a\nsimilar hung issue.\n\nAlso, we can reproduce the same symptom with an error injected\ncow_file_range() setup.\n\nThe hang occurs when cow_file_range() fails in the middle of\nallocation. cow_file_range() called from do_allocation_zoned() can\nsplit the give region ([start, end]) for allocation depending on\ncurrent block group usages. When btrfs can allocate bytes for one part\nof the split regions but fails for the other region (e.g. because of\n-ENOSPC), we return the error leaving the pages in the succeeded regions\nlocked. Technically, this occurs only when @unlock == 0. Otherwise, we\nunlock the pages in an allocated region after creating an ordered\nextent.\n\nConsidering the callers of cow_file_range(unlock=0) won\u0027t write out\nthe pages, we can unlock the pages on error exit from\ncow_file_range(). So, we can ensure all the pages except @locked_page\nare unlocked on error case.\n\nIn summary, cow_file_range now behaves like this:\n\n- page_started == 1 (return value)\n  - All the pages are unlocked. IO is started.\n- unlock == 1\n  - All the pages except @locked_page are unlocked in any case\n- unlock == 0\n  - On success, all the pages are locked for writing out them\n  - On failure, all the pages except @locked_page are unlocked"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T11:02:29.451Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b367f125c80fa838eae49e3b138dc67dfc9f46ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/9535ec371d741fa037e37eddc0a5b25ba82d0027"
        },
        {
          "url": "https://git.kernel.org/stable/c/e160aa87c87a9c4e0c8d1430235f715a3a91e2cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ce7466f372d83054c7494f6b3e4b9abaf3f0355"
        }
      ],
      "title": "btrfs: ensure pages are unlocked on cow_file_range() failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50089",
    "datePublished": "2025-06-18T11:02:29.451Z",
    "dateReserved": "2025-06-18T10:57:27.410Z",
    "dateUpdated": "2025-06-18T11:02:29.451Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-50089\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-06-18T11:15:38.023\",\"lastModified\":\"2025-06-18T13:47:40.833\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: ensure pages are unlocked on cow_file_range() failure\\n\\nThere is a hung_task report on zoned btrfs like below.\\n\\nhttps://github.com/naota/linux/issues/59\\n\\n  [726.328648] INFO: task rocksdb:high0:11085 blocked for more than 241 seconds.\\n  [726.329839]       Not tainted 5.16.0-rc1+ #1\\n  [726.330484] \\\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\\\" disables this message.\\n  [726.331603] task:rocksdb:high0   state:D stack:    0 pid:11085 ppid: 11082 flags:0x00000000\\n  [726.331608] Call Trace:\\n  [726.331611]  \u003cTASK\u003e\\n  [726.331614]  __schedule+0x2e5/0x9d0\\n  [726.331622]  schedule+0x58/0xd0\\n  [726.331626]  io_schedule+0x3f/0x70\\n  [726.331629]  __folio_lock+0x125/0x200\\n  [726.331634]  ? find_get_entries+0x1bc/0x240\\n  [726.331638]  ? 
filemap_invalidate_unlock_two+0x40/0x40\\n  [726.331642]  truncate_inode_pages_range+0x5b2/0x770\\n  [726.331649]  truncate_inode_pages_final+0x44/0x50\\n  [726.331653]  btrfs_evict_inode+0x67/0x480\\n  [726.331658]  evict+0xd0/0x180\\n  [726.331661]  iput+0x13f/0x200\\n  [726.331664]  do_unlinkat+0x1c0/0x2b0\\n  [726.331668]  __x64_sys_unlink+0x23/0x30\\n  [726.331670]  do_syscall_64+0x3b/0xc0\\n  [726.331674]  entry_SYSCALL_64_after_hwframe+0x44/0xae\\n  [726.331677] RIP: 0033:0x7fb9490a171b\\n  [726.331681] RSP: 002b:00007fb943ffac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000057\\n  [726.331684] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb9490a171b\\n  [726.331686] RDX: 00007fb943ffb040 RSI: 000055a6bbe6ec20 RDI: 00007fb94400d300\\n  [726.331687] RBP: 00007fb943ffad00 R08: 0000000000000000 R09: 0000000000000000\\n  [726.331688] R10: 0000000000000031 R11: 0000000000000246 R12: 00007fb943ffb000\\n  [726.331690] R13: 00007fb943ffb040 R14: 0000000000000000 R15: 00007fb943ffd260\\n  [726.331693]  \u003c/TASK\u003e\\n\\nWhile we debug the issue, we found running fstests generic/551 on 5GB\\nnon-zoned null_blk device in the emulated zoned mode also had a\\nsimilar hung issue.\\n\\nAlso, we can reproduce the same symptom with an error injected\\ncow_file_range() setup.\\n\\nThe hang occurs when cow_file_range() fails in the middle of\\nallocation. cow_file_range() called from do_allocation_zoned() can\\nsplit the give region ([start, end]) for allocation depending on\\ncurrent block group usages. When btrfs can allocate bytes for one part\\nof the split regions but fails for the other region (e.g. because of\\n-ENOSPC), we return the error leaving the pages in the succeeded regions\\nlocked. Technically, this occurs only when @unlock == 0. 
Otherwise, we\\nunlock the pages in an allocated region after creating an ordered\\nextent.\\n\\nConsidering the callers of cow_file_range(unlock=0) won\u0027t write out\\nthe pages, we can unlock the pages on error exit from\\ncow_file_range(). So, we can ensure all the pages except @locked_page\\nare unlocked on error case.\\n\\nIn summary, cow_file_range now behaves like this:\\n\\n- page_started == 1 (return value)\\n  - All the pages are unlocked. IO is started.\\n- unlock == 1\\n  - All the pages except @locked_page are unlocked in any case\\n- unlock == 0\\n  - On success, all the pages are locked for writing out them\\n  - On failure, all the pages except @locked_page are unlocked\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/9535ec371d741fa037e37eddc0a5b25ba82d0027\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9ce7466f372d83054c7494f6b3e4b9abaf3f0355\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b367f125c80fa838eae49e3b138dc67dfc9f46ef\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e160aa87c87a9c4e0c8d1430235f715a3a91e2cd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

