CVE-2022-48664: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix hang during unmount when stopping a space reclaim worker

Often when running generic/562 from fstests we can hang during unmount, resulting in a trace like this:

  Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00
  Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.
  Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1
  Sep 07 11:55:32 debian9 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000
  Sep 07 11:55:32 debian9 kernel: Call Trace:
  Sep 07 11:55:32 debian9 kernel: <TASK>
  Sep 07 11:55:32 debian9 kernel: __schedule+0x3c8/0xec0
  Sep 07 11:55:32 debian9 kernel: ? rcu_read_lock_sched_held+0x12/0x70
  Sep 07 11:55:32 debian9 kernel: schedule+0x5d/0xf0
  Sep 07 11:55:32 debian9 kernel: schedule_timeout+0xf1/0x130
  Sep 07 11:55:32 debian9 kernel: ? lock_release+0x224/0x4a0
  Sep 07 11:55:32 debian9 kernel: ? lock_acquired+0x1a0/0x420
  Sep 07 11:55:32 debian9 kernel: ? trace_hardirqs_on+0x2c/0xd0
  Sep 07 11:55:32 debian9 kernel: __wait_for_common+0xac/0x200
  Sep 07 11:55:32 debian9 kernel: ? usleep_range_state+0xb0/0xb0
  Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530
  Sep 07 11:55:32 debian9 kernel: ? flush_workqueue_prep_pwqs+0x140/0x140
  Sep 07 11:55:32 debian9 kernel: ? trace_clock_local+0xc/0x30
  Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0
  Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs]
  Sep 07 11:55:32 debian9 kernel: ? __trace_bputs+0x10b/0x170
  Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs]
  Sep 07 11:55:32 debian9 kernel: ? evict_inodes+0x166/0x1c0
  Sep 07 11:55:32 debian9 kernel: generic_shutdown_super+0x71/0x120
  Sep 07 11:55:32 debian9 kernel: kill_anon_super+0x14/0x30
  Sep 07 11:55:32 debian9 kernel: btrfs_kill_super+0x12/0x20 [btrfs]
  Sep 07 11:55:32 debian9 kernel: deactivate_locked_super+0x2e/0xa0
  Sep 07 11:55:32 debian9 kernel: cleanup_mnt+0x100/0x160
  Sep 07 11:55:32 debian9 kernel: task_work_run+0x59/0xa0
  Sep 07 11:55:32 debian9 kernel: exit_to_user_mode_prepare+0x1a6/0x1b0
  Sep 07 11:55:32 debian9 kernel: syscall_exit_to_user_mode+0x16/0x40
  Sep 07 11:55:32 debian9 kernel: do_syscall_64+0x48/0x90
  Sep 07 11:55:32 debian9 kernel: entry_SYSCALL_64_after_hwframe+0x63/0xcd
  Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7
  Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
  Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7
  Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0
  Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570
  Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
  Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000
  Sep 07 11:55:32 debian9 kernel: </TASK>

What happens is the following:

1) The cleaner kthread tries to start a transaction to delete an unused block group, but the metadata reservation can not be satisfied right away, so a reservation ticket is created and it starts the async metadata reclaim task (fs_info->async_reclaim_work);

2) Writeback for all the filler inodes with an i_size of 2K starts (generic/562 creates a lot of 2K files with the goal of filling metadata space). We try to create an inline extent for them, but we fail when trying to insert the inline extent with -ENOSPC (at cow_file_range_inline()) - since this is not critical, we fallback to non-inline mode (back to cow_file_range()), reserve extents ---truncated---
AI Analysis
Technical Summary
CVE-2022-48664 is a vulnerability in the Linux kernel's Btrfs filesystem implementation that causes a system hang during unmount operations. The issue arises when the Btrfs space reclaim worker thread attempts to delete an unused block group but cannot immediately satisfy the required metadata reservation. This triggers the creation of a reservation ticket and starts an asynchronous metadata reclaim task. Concurrently, writeback operations for numerous small (2KB) filler inodes attempt to create inline extents but fail due to lack of space (-ENOSPC). The fallback to non-inline extents and subsequent extent reservations exacerbate the contention. This leads to a deadlock scenario where the unmount process is blocked indefinitely, as the kernel waits on workqueue flushes and transaction completions that cannot proceed due to resource contention. The kernel logs show the umount task blocked for over 120 seconds with a stack trace indicating waits on scheduling and workqueue flushing functions. This vulnerability affects Linux kernel versions containing the specified commits and manifests primarily during heavy metadata operations on Btrfs filesystems, such as those simulated by fstests generic/562. Although it does not lead to code execution or data corruption directly, the hang can cause denial of service (DoS) by making the filesystem unresponsive during unmount, potentially impacting system stability and availability. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations relying on Linux systems with Btrfs filesystems, this vulnerability can lead to system hangs during unmount operations, causing denial of service conditions. This is particularly critical for environments with high filesystem metadata activity or automated testing scenarios that stress Btrfs, such as data centers, cloud providers, and enterprises using Btrfs for storage management. The inability to unmount filesystems cleanly can disrupt maintenance, backups, and system updates, potentially leading to downtime. In multi-tenant or virtualized environments, this could affect multiple users or services simultaneously. While it does not appear to compromise confidentiality or integrity, the availability impact can be significant, especially for critical infrastructure or services requiring high uptime. Organizations in sectors such as finance, healthcare, and public administration, which often use Linux-based servers and storage solutions, may experience operational disruptions if unpatched.
Mitigation Recommendations
1. Apply the latest Linux kernel updates that include the fix for CVE-2022-48664 as soon as they become available from trusted distributors or the Linux kernel mainline.
2. Monitor and limit heavy metadata operations on Btrfs filesystems, especially those involving numerous small files or aggressive space reclaiming, to reduce the likelihood of triggering the hang.
3. Avoid running unmount operations during peak load or metadata-intensive tasks.
4. Implement system monitoring to detect hung tasks related to unmount operations and automate alerts for early intervention.
5. Consider using alternative stable filesystems for critical workloads where unmount hangs would cause unacceptable disruption until patches are applied.
6. For environments using automated testing tools like fstests, isolate such tests to non-production systems to prevent unintended hangs.
7. Engage with Linux vendor support channels for backported patches or workarounds if immediate kernel upgrades are not feasible.
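One way to implement the hung-task monitoring in recommendation 4, as an added example that is not part of the original advisory or of the kernel project: it scans journal-style kernel log lines for a hung umount whose verified stack frames show btrfs close_ctree() waiting in __flush_work or __cancel_work_timer, the signature in the trace above. The function names are hypothetical, the kworker report in the sample is constructed, and it assumes the kernel hung-task detector is enabled so that these messages are logged.

```python
import re
# Header printed by the kernel hung-task detector, as in the trace on this page.
HUNG = re.compile(r"INFO: task (?P<comm>.+):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds")
# One stack frame; a leading "? " marks an entry the unwinder could not verify.
FRAME = re.compile(r"kernel:\s+(?P<guess>\? )?(?P<func>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?")
WORK_WAIT = {"__flush_work", "__cancel_work_timer"}

def _matches(report):
    """umount stuck in btrfs close_ctree() while cancelling or flushing a work item."""
    funcs = {func for func, _ in report["frames"]}
    return (report["comm"] == "umount" and bool(funcs & WORK_WAIT)
            and ("close_ctree", "btrfs") in report["frames"])

def find_btrfs_umount_hangs(lines):
    alerts, current = [], None
    for line in lines:
        header = HUNG.search(line)
        if header or "</TASK>" in line:
            # A report ends at </TASK> or when the next report starts (truncated log).
            if current and _matches(current):
                alerts.append(current)
            current = None
            if header:
                current = {"comm": header["comm"], "pid": int(header["pid"]),
                           "secs": int(header["secs"]), "frames": []}
            continue
        frame = FRAME.search(line)
        if current and frame and not frame["guess"]:
            current["frames"].append((frame["func"], frame["mod"]))
    if current and _matches(current):  # log ended before </TASK>
        alerts.append(current)
    return alerts

# First 7 lines: excerpt of the trace quoted on this page. Last 3: constructed, unrelated hang.
SAMPLE = """\
Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.
Sep 07 11:55:32 debian9 kernel: <TASK>
Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530
Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0
Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs]
Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs]
Sep 07 11:55:32 debian9 kernel: </TASK>
Sep 07 12:01:10 debian9 kernel: INFO: task kworker/u16:3:1234 blocked for more than 120 seconds.
Sep 07 12:01:10 debian9 kernel: schedule+0x5d/0xf0
Sep 07 12:01:10 debian9 kernel: </TASK>
""".splitlines()

for hit in find_btrfs_umount_hangs(SAMPLE):
    print(f"ALERT: umount pid {hit['pid']} hung >{hit['secs']}s in btrfs close_ctree()")
```

Frames prefixed with "? " are ignored on purpose, so a stale close_ctree address left on the stack does not raise an alert by itself.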
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-25T13:44:28.320Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd4d3
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/27/2025, 11:55:22 PM
Last updated: 7/29/2025, 5:24:43 AM