CVE-2022-48901 (GCVE-0-2022-48901)

Vulnerability from cvelistv5 – Published: 2024-08-22 01:30 – Updated: 2025-12-23 13:21
VLAI?
Title
btrfs: do not start relocation until in progress drops are done
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: do not start relocation until in progress drops are done We hit a bug with a recovering relocation on mount for one of our file systems in production. I reproduced this locally by injecting errors into snapshot delete with balance running at the same time. This presented as an error while looking up an extent item WARNING: CPU: 5 PID: 1501 at fs/btrfs/extent-tree.c:866 lookup_inline_extent_backref+0x647/0x680 CPU: 5 PID: 1501 Comm: btrfs-balance Not tainted 5.16.0-rc8+ #8 RIP: 0010:lookup_inline_extent_backref+0x647/0x680 RSP: 0018:ffffae0a023ab960 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000000000 RBP: ffff943fd2a39b60 R08: 0000000000000000 R09: 0000000000000001 R10: 0001434088152de0 R11: 0000000000000000 R12: 0000000001d05000 R13: ffff943fd2a39b60 R14: ffff943fdb96f2a0 R15: ffff9442fc923000 FS: 0000000000000000(0000) GS:ffff944e9eb40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1157b1fca8 CR3: 000000010f092000 CR4: 0000000000350ee0 Call Trace: <TASK> insert_inline_extent_backref+0x46/0xd0 __btrfs_inc_extent_ref.isra.0+0x5f/0x200 ? btrfs_merge_delayed_refs+0x164/0x190 __btrfs_run_delayed_refs+0x561/0xfa0 ? btrfs_search_slot+0x7b4/0xb30 ? btrfs_update_root+0x1a9/0x2c0 btrfs_run_delayed_refs+0x73/0x1f0 ? btrfs_update_root+0x1a9/0x2c0 btrfs_commit_transaction+0x50/0xa50 ? btrfs_update_reloc_root+0x122/0x220 prepare_to_merge+0x29f/0x320 relocate_block_group+0x2b8/0x550 btrfs_relocate_block_group+0x1a6/0x350 btrfs_relocate_chunk+0x27/0xe0 btrfs_balance+0x777/0xe60 balance_kthread+0x35/0x50 ? btrfs_balance+0xe60/0xe60 kthread+0x16b/0x190 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x22/0x30 </TASK> Normally snapshot deletion and relocation are excluded from running at the same time by the fs_info->cleaner_mutex. However if we had a pending balance waiting to get the ->cleaner_mutex, and a snapshot deletion was running, and then the box crashed, we would come up in a state where we have a half deleted snapshot. Again, in the normal case the snapshot deletion needs to complete before relocation can start, but in this case relocation could very well start before the snapshot deletion completes, as we simply add the root to the dead roots list and wait for the next time the cleaner runs to clean up the snapshot. Fix this by setting a bit on the fs_info if we have any DEAD_ROOT's that had a pending drop_progress key. If they do then we know we were in the middle of the drop operation and set a flag on the fs_info. Then balance can wait until this flag is cleared to start up again. If there are DEAD_ROOT's that don't have a drop_progress set then we're safe to start balance right away as we'll be properly protected by the cleaner_mutex.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 9d1a2a3ad59f7ae810bf04a5a05995bf2d79300c , < 6599d5e8bd758d897fd2ef4dc388ae50278b1f7e (git)
Affected: 9d1a2a3ad59f7ae810bf04a5a05995bf2d79300c , < 5e70bc827b563caf22e1203428cc3719643de5aa (git)
Affected: 9d1a2a3ad59f7ae810bf04a5a05995bf2d79300c , < b4be6aefa73c9a6899ef3ba9c5faaa8a66e333ef (git)
Create a notification for this product.
    Linux Linux Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 5.15.27 , ≤ 5.15.* (semver)
Unaffected: 5.16.13 , ≤ 5.16.* (semver)
Unaffected: 5.17 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-48901",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:34:33.459779Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:33:02.805Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ctree.h",
            "fs/btrfs/disk-io.c",
            "fs/btrfs/extent-tree.c",
            "fs/btrfs/relocation.c",
            "fs/btrfs/root-tree.c",
            "fs/btrfs/transaction.c",
            "fs/btrfs/transaction.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6599d5e8bd758d897fd2ef4dc388ae50278b1f7e",
              "status": "affected",
              "version": "9d1a2a3ad59f7ae810bf04a5a05995bf2d79300c",
              "versionType": "git"
            },
            {
              "lessThan": "5e70bc827b563caf22e1203428cc3719643de5aa",
              "status": "affected",
              "version": "9d1a2a3ad59f7ae810bf04a5a05995bf2d79300c",
              "versionType": "git"
            },
            {
              "lessThan": "b4be6aefa73c9a6899ef3ba9c5faaa8a66e333ef",
              "status": "affected",
              "version": "9d1a2a3ad59f7ae810bf04a5a05995bf2d79300c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ctree.h",
            "fs/btrfs/disk-io.c",
            "fs/btrfs/extent-tree.c",
            "fs/btrfs/relocation.c",
            "fs/btrfs/root-tree.c",
            "fs/btrfs/transaction.c",
            "fs/btrfs/transaction.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.27",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16.13",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not start relocation until in progress drops are done\n\nWe hit a bug with a recovering relocation on mount for one of our file\nsystems in production.  I reproduced this locally by injecting errors\ninto snapshot delete with balance running at the same time.  This\npresented as an error while looking up an extent item\n\n  WARNING: CPU: 5 PID: 1501 at fs/btrfs/extent-tree.c:866 lookup_inline_extent_backref+0x647/0x680\n  CPU: 5 PID: 1501 Comm: btrfs-balance Not tainted 5.16.0-rc8+ #8\n  RIP: 0010:lookup_inline_extent_backref+0x647/0x680\n  RSP: 0018:ffffae0a023ab960 EFLAGS: 00010202\n  RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000000000\n  RBP: ffff943fd2a39b60 R08: 0000000000000000 R09: 0000000000000001\n  R10: 0001434088152de0 R11: 0000000000000000 R12: 0000000001d05000\n  R13: ffff943fd2a39b60 R14: ffff943fdb96f2a0 R15: ffff9442fc923000\n  FS:  0000000000000000(0000) GS:ffff944e9eb40000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f1157b1fca8 CR3: 000000010f092000 CR4: 0000000000350ee0\n  Call Trace:\n   \u003cTASK\u003e\n   insert_inline_extent_backref+0x46/0xd0\n   __btrfs_inc_extent_ref.isra.0+0x5f/0x200\n   ? btrfs_merge_delayed_refs+0x164/0x190\n   __btrfs_run_delayed_refs+0x561/0xfa0\n   ? btrfs_search_slot+0x7b4/0xb30\n   ? btrfs_update_root+0x1a9/0x2c0\n   btrfs_run_delayed_refs+0x73/0x1f0\n   ? btrfs_update_root+0x1a9/0x2c0\n   btrfs_commit_transaction+0x50/0xa50\n   ? btrfs_update_reloc_root+0x122/0x220\n   prepare_to_merge+0x29f/0x320\n   relocate_block_group+0x2b8/0x550\n   btrfs_relocate_block_group+0x1a6/0x350\n   btrfs_relocate_chunk+0x27/0xe0\n   btrfs_balance+0x777/0xe60\n   balance_kthread+0x35/0x50\n   ? btrfs_balance+0xe60/0xe60\n   kthread+0x16b/0x190\n   ? set_kthread_struct+0x40/0x40\n   ret_from_fork+0x22/0x30\n   \u003c/TASK\u003e\n\nNormally snapshot deletion and relocation are excluded from running at\nthe same time by the fs_info-\u003ecleaner_mutex.  However if we had a\npending balance waiting to get the -\u003ecleaner_mutex, and a snapshot\ndeletion was running, and then the box crashed, we would come up in a\nstate where we have a half deleted snapshot.\n\nAgain, in the normal case the snapshot deletion needs to complete before\nrelocation can start, but in this case relocation could very well start\nbefore the snapshot deletion completes, as we simply add the root to the\ndead roots list and wait for the next time the cleaner runs to clean up\nthe snapshot.\n\nFix this by setting a bit on the fs_info if we have any DEAD_ROOT\u0027s that\nhad a pending drop_progress key.  If they do then we know we were in the\nmiddle of the drop operation and set a flag on the fs_info.  Then\nbalance can wait until this flag is cleared to start up again.\n\nIf there are DEAD_ROOT\u0027s that don\u0027t have a drop_progress set then we\u0027re\nsafe to start balance right away as we\u0027ll be properly protected by the\ncleaner_mutex."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:21:04.374Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6599d5e8bd758d897fd2ef4dc388ae50278b1f7e"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e70bc827b563caf22e1203428cc3719643de5aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/b4be6aefa73c9a6899ef3ba9c5faaa8a66e333ef"
        }
      ],
      "title": "btrfs: do not start relocation until in progress drops are done",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48901",
    "datePublished": "2024-08-22T01:30:15.942Z",
    "dateReserved": "2024-08-21T06:06:23.291Z",
    "dateUpdated": "2025-12-23T13:21:04.374Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-48901\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T15:34:33.459779Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:12.931Z\"}}], \"cna\": {\"title\": \"btrfs: do not start relocation until in progress drops are done\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"9d1a2a3ad59f7ae810bf04a5a05995bf2d79300c\", \"lessThan\": \"6599d5e8bd758d897fd2ef4dc388ae50278b1f7e\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9d1a2a3ad59f7ae810bf04a5a05995bf2d79300c\", \"lessThan\": \"5e70bc827b563caf22e1203428cc3719643de5aa\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9d1a2a3ad59f7ae810bf04a5a05995bf2d79300c\", \"lessThan\": \"b4be6aefa73c9a6899ef3ba9c5faaa8a66e333ef\", \"versionType\": \"git\"}], \"programFiles\": [\"fs/btrfs/ctree.h\", \"fs/btrfs/disk-io.c\", \"fs/btrfs/extent-tree.c\", \"fs/btrfs/relocation.c\", \"fs/btrfs/root-tree.c\", \"fs/btrfs/transaction.c\", \"fs/btrfs/transaction.h\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.10\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"3.10\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.15.27\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"5.16.13\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.16.*\"}, {\"status\": \"unaffected\", \"version\": \"5.17\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"fs/btrfs/ctree.h\", \"fs/btrfs/disk-io.c\", \"fs/btrfs/extent-tree.c\", \"fs/btrfs/relocation.c\", \"fs/btrfs/root-tree.c\", \"fs/btrfs/transaction.c\", \"fs/btrfs/transaction.h\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/6599d5e8bd758d897fd2ef4dc388ae50278b1f7e\"}, {\"url\": \"https://git.kernel.org/stable/c/5e70bc827b563caf22e1203428cc3719643de5aa\"}, {\"url\": \"https://git.kernel.org/stable/c/b4be6aefa73c9a6899ef3ba9c5faaa8a66e333ef\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: do not start relocation until in progress drops are done\\n\\nWe hit a bug with a recovering relocation on mount for one of our file\\nsystems in production.  I reproduced this locally by injecting errors\\ninto snapshot delete with balance running at the same time.  This\\npresented as an error while looking up an extent item\\n\\n  WARNING: CPU: 5 PID: 1501 at fs/btrfs/extent-tree.c:866 lookup_inline_extent_backref+0x647/0x680\\n  CPU: 5 PID: 1501 Comm: btrfs-balance Not tainted 5.16.0-rc8+ #8\\n  RIP: 0010:lookup_inline_extent_backref+0x647/0x680\\n  RSP: 0018:ffffae0a023ab960 EFLAGS: 00010202\\n  RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000\\n  RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000000000\\n  RBP: ffff943fd2a39b60 R08: 0000000000000000 R09: 0000000000000001\\n  R10: 0001434088152de0 R11: 0000000000000000 R12: 0000000001d05000\\n  R13: ffff943fd2a39b60 R14: ffff943fdb96f2a0 R15: ffff9442fc923000\\n  FS:  0000000000000000(0000) GS:ffff944e9eb40000(0000) knlGS:0000000000000000\\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  CR2: 00007f1157b1fca8 CR3: 000000010f092000 CR4: 0000000000350ee0\\n  Call Trace:\\n   \u003cTASK\u003e\\n   insert_inline_extent_backref+0x46/0xd0\\n   __btrfs_inc_extent_ref.isra.0+0x5f/0x200\\n   ? btrfs_merge_delayed_refs+0x164/0x190\\n   __btrfs_run_delayed_refs+0x561/0xfa0\\n   ? btrfs_search_slot+0x7b4/0xb30\\n   ? btrfs_update_root+0x1a9/0x2c0\\n   btrfs_run_delayed_refs+0x73/0x1f0\\n   ? btrfs_update_root+0x1a9/0x2c0\\n   btrfs_commit_transaction+0x50/0xa50\\n   ? btrfs_update_reloc_root+0x122/0x220\\n   prepare_to_merge+0x29f/0x320\\n   relocate_block_group+0x2b8/0x550\\n   btrfs_relocate_block_group+0x1a6/0x350\\n   btrfs_relocate_chunk+0x27/0xe0\\n   btrfs_balance+0x777/0xe60\\n   balance_kthread+0x35/0x50\\n   ? btrfs_balance+0xe60/0xe60\\n   kthread+0x16b/0x190\\n   ? set_kthread_struct+0x40/0x40\\n   ret_from_fork+0x22/0x30\\n   \u003c/TASK\u003e\\n\\nNormally snapshot deletion and relocation are excluded from running at\\nthe same time by the fs_info-\u003ecleaner_mutex.  However if we had a\\npending balance waiting to get the -\u003ecleaner_mutex, and a snapshot\\ndeletion was running, and then the box crashed, we would come up in a\\nstate where we have a half deleted snapshot.\\n\\nAgain, in the normal case the snapshot deletion needs to complete before\\nrelocation can start, but in this case relocation could very well start\\nbefore the snapshot deletion completes, as we simply add the root to the\\ndead roots list and wait for the next time the cleaner runs to clean up\\nthe snapshot.\\n\\nFix this by setting a bit on the fs_info if we have any DEAD_ROOT\u0027s that\\nhad a pending drop_progress key.  If they do then we know we were in the\\nmiddle of the drop operation and set a flag on the fs_info.  Then\\nbalance can wait until this flag is cleared to start up again.\\n\\nIf there are DEAD_ROOT\u0027s that don\u0027t have a drop_progress set then we\u0027re\\nsafe to start balance right away as we\u0027ll be properly protected by the\\ncleaner_mutex.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.27\", \"versionStartIncluding\": \"3.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.16.13\", \"versionStartIncluding\": \"3.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.17\", \"versionStartIncluding\": \"3.10\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-12-23T13:21:04.374Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-48901\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-23T13:21:04.374Z\", \"dateReserved\": \"2024-08-21T06:06:23.291Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-08-22T01:30:15.942Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.