CVE-2022-48734: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix deadlock between quota disable and qgroup rescan worker

Quota disable ioctl starts a transaction before waiting for the qgroup rescan worker to complete. However, this wait can be infinite and results in deadlock because of circular dependency among the quota disable ioctl, the qgroup rescan worker and the other task with transaction such as block group relocation task.

The deadlock happens with the following steps:

1) Task A calls ioctl to disable quota. It starts a transaction and waits for the qgroup rescan worker to complete.
2) Task B such as block group relocation task starts a transaction and joins the transaction that task A started. Then task B commits to the transaction. In this commit, task B waits for a commit by task A.
3) Task C as the qgroup rescan worker starts its job and starts a transaction. In this transaction start, task C waits for completion of the transaction that task A started and task B committed.

This deadlock was found with fstests test case btrfs/115 and a zoned null_blk device. The test case enables and disables quota, and the block group reclaim was triggered during the quota disable by chance. The deadlock was also observed by running quota enable and disable in parallel with 'btrfs balance' command on regular null_blk devices.

An example report of the deadlock:

[372.469894] INFO: task kworker/u16:6:103 blocked for more than 122 seconds.
[372.479944] Not tainted 5.16.0-rc8 #7
[372.485067] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[372.493898] task:kworker/u16:6 state:D stack: 0 pid: 103 ppid: 2 flags:0x00004000
[372.503285] Workqueue: btrfs-qgroup-rescan btrfs_work_helper [btrfs]
[372.510782] Call Trace:
[372.514092] <TASK>
[372.521684] __schedule+0xb56/0x4850
[372.530104] ? io_schedule_timeout+0x190/0x190
[372.538842] ? lockdep_hardirqs_on+0x7e/0x100
[372.547092] ? _raw_spin_unlock_irqrestore+0x3e/0x60
[372.555591] schedule+0xe0/0x270
[372.561894] btrfs_commit_transaction+0x18bb/0x2610 [btrfs]
[372.570506] ? btrfs_apply_pending_changes+0x50/0x50 [btrfs]
[372.578875] ? free_unref_page+0x3f2/0x650
[372.585484] ? finish_wait+0x270/0x270
[372.591594] ? release_extent_buffer+0x224/0x420 [btrfs]
[372.599264] btrfs_qgroup_rescan_worker+0xc13/0x10c0 [btrfs]
[372.607157] ? lock_release+0x3a9/0x6d0
[372.613054] ? btrfs_qgroup_account_extent+0xda0/0xda0 [btrfs]
[372.620960] ? do_raw_spin_lock+0x11e/0x250
[372.627137] ? rwlock_bug.part.0+0x90/0x90
[372.633215] ? lock_is_held_type+0xe4/0x140
[372.639404] btrfs_work_helper+0x1ae/0xa90 [btrfs]
[372.646268] process_one_work+0x7e9/0x1320
[372.652321] ? lock_release+0x6d0/0x6d0
[372.658081] ? pwq_dec_nr_in_flight+0x230/0x230
[372.664513] ? rwlock_bug.part.0+0x90/0x90
[372.670529] worker_thread+0x59e/0xf90
[372.676172] ? process_one_work+0x1320/0x1320
[372.682440] kthread+0x3b9/0x490
[372.687550] ? _raw_spin_unlock_irq+0x24/0x50
[372.693811] ? set_kthread_struct+0x100/0x100
[372.700052] ret_from_fork+0x22/0x30
[372.705517] </TASK>
[372.709747] INFO: task btrfs-transacti:2347 blocked for more than 123 seconds.
[372.729827] Not tainted 5.16.0-rc8 #7
[372.745907] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[372.767106] task:btrfs-transacti state:D stack: 0 pid: 2347 ppid: 2 flags:0x00004000
[372.787776] Call Trace:
[372.801652] <TASK>
[372.812961] __schedule+0xb56/0x4850
[372.830011] ? io_schedule_timeout+0x190/0x190
[372.852547] ? lockdep_hardirqs_on+0x7e/0x100
[372.871761] ? _raw_spin_unlock_irqrestore+0x3e/0x60
[372.886792] schedule+0xe0/0x270
[372.901685] wait_current_trans+0x22c/0x310 [btrfs]
[372.919743] ? btrfs_put_transaction+0x3d0/0x3d0 [btrfs]
[372.938923] ? finish_wait+0x270/0x270
[372.959085] ? join_transaction+0xc7
---truncated---
AI Analysis
Technical Summary
CVE-2022-48734 is a vulnerability in the Linux kernel's Btrfs filesystem implementation related to a deadlock condition triggered by interactions between quota disable ioctl operations and the qgroup rescan worker. The issue arises because the quota disable ioctl initiates a transaction and waits for the qgroup rescan worker to complete. However, due to a circular dependency involving the quota disable ioctl, the qgroup rescan worker, and other tasks such as block group relocation, the wait can become infinite, causing a deadlock. Specifically, Task A disables quota and waits for the qgroup rescan worker (Task C) to finish. Task B, such as a block group relocation task, joins Task A's transaction and waits for Task A to commit. Meanwhile, Task C waits for the completion of the transaction started by Task A and committed by Task B. This circular wait results in a deadlock, effectively halting progress of these kernel tasks. The deadlock was discovered using the fstests test case btrfs/115 on zoned null_blk devices and was also reproducible when enabling and disabling quota in parallel with the 'btrfs balance' command on regular null_blk devices. The deadlock manifests as kernel worker threads being blocked for extended periods (over 120 seconds), as shown in kernel logs. This vulnerability does not appear to have known exploits in the wild yet and affects specific Linux kernel versions identified by commit hashes. The root cause is a design flaw in transaction management and synchronization between quota operations and block group relocation within Btrfs. No CVSS score is assigned yet, and no patch links are provided in the data, but the issue is publicly disclosed and classified as a vulnerability.
Potential Impact
For European organizations, this vulnerability can lead to system instability and denial of service conditions on Linux servers using the Btrfs filesystem with quota management enabled. The deadlock causes kernel worker threads to hang indefinitely, potentially freezing filesystem operations and impacting availability of critical services. Organizations relying on Btrfs for storage, especially those using quota features and performing balance or block group relocation operations, may experience unexpected system hangs or degraded performance. This can disrupt business operations, data processing, and service delivery. The impact is primarily on availability and system reliability rather than confidentiality or integrity. Since Linux is widely used in European data centers, cloud infrastructure, and enterprise environments, the risk is significant where affected kernel versions and Btrfs configurations are deployed. However, exploitation requires specific conditions involving quota disable operations and concurrent block group relocations, so the attack surface is somewhat limited. There is no indication of remote exploitation or privilege escalation, so the threat is mostly operational disruption rather than a direct security breach. Nonetheless, critical infrastructure and service providers using affected Linux kernels should prioritize mitigation to avoid downtime.
Mitigation Recommendations
1. Upgrade the Linux kernel to a version where this deadlock issue is resolved. Monitor official Linux kernel repositories and distributions for patches addressing CVE-2022-48734.
2. Temporarily avoid performing quota disable operations concurrently with block group relocation tasks or 'btrfs balance' commands to reduce the risk of triggering the deadlock.
3. Monitor system logs for signs of hung tasks or kernel worker threads blocked for extended periods, especially related to btrfs-qgroup-rescan and btrfs-transacti processes.
4. Implement proactive system monitoring and alerting for kernel hung task warnings to detect early signs of this deadlock.
5. If upgrading is not immediately possible, consider disabling quota features on Btrfs volumes where feasible to prevent triggering the vulnerable code paths.
6. Test Btrfs operations in staging environments before applying changes in production to identify potential deadlock conditions.
7. Engage with Linux distribution vendors for backported fixes or guidance specific to your environment.
8. Maintain regular backups and disaster recovery plans to mitigate impact of potential system hangs or crashes caused by this vulnerability.
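The log monitoring in recommendations 3 and 4 can be automated. The following is an added example, not code from the kernel project or from this page's source: it parses hung-task reports out of kernel log text and flags the combination seen in the report above. The function names and the matching heuristic are assumptions of this example, and the sample log is abridged from the report quoted on this page.

```python
import re

# Header printed by the kernel hung-task detector for each blocked task.
HUNG_RE = re.compile(r"\[\s*[\d.]+\]\s+INFO: task (?P<comm>.+):(?P<pid>\d+) "
                     r"blocked for more than (?P<secs>\d+) seconds")
WORKQUEUE_RE = re.compile(r"\[\s*[\d.]+\]\s+Workqueue: (?P<wq>\S+)")
# Stack frame: optional "? " (unreliable frame), symbol+offset, optional [module].
FRAME_RE = re.compile(r"\[\s*[\d.]+\]\s+(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+"
                      r"(?:/0x[0-9a-f]+)?(?:\s+\[(?P<mod>\w+)\])?")

# Sample input: abridged from the hung-task report quoted on this page.
SAMPLE_LOG = """
[372.469894] INFO: task kworker/u16:6:103 blocked for more than 122 seconds.
[372.503285] Workqueue: btrfs-qgroup-rescan btrfs_work_helper [btrfs]
[372.514092] <TASK>
[372.521684] __schedule+0xb56/0x4850
[372.530104] ? io_schedule_timeout+0x190/0x190
[372.555591] schedule+0xe0/0x270
[372.561894] btrfs_commit_transaction+0x18bb/0x2610 [btrfs]
[372.599264] btrfs_qgroup_rescan_worker+0xc13/0x10c0 [btrfs]
[372.705517] </TASK>
[372.709747] INFO: task btrfs-transacti:2347 blocked for more than 123 seconds.
[372.901685] wait_current_trans+0x22c/0x310 [btrfs]
"""

def parse_hung_tasks(log_text):
    """Return one dict per hung-task report found in kernel log text."""
    reports, cur = [], None
    for line in map(str.strip, log_text.splitlines()):
        if (m := HUNG_RE.match(line)):
            cur = {"comm": m["comm"], "pid": int(m["pid"]), "secs": int(m["secs"]),
                   "workqueue": None, "frames": []}
            reports.append(cur)
        elif cur is None:
            continue
        elif line.endswith("</TASK>"):
            cur = None  # end of this task's trace
        elif (m := WORKQUEUE_RE.match(line)):
            cur["workqueue"] = m["wq"]
        elif (m := FRAME_RE.match(line)) and not m["unreliable"]:
            cur["frames"].append((m["sym"], m["mod"]))
    return reports

def quota_deadlock_suspects(reports):
    """Assumed heuristic: rescan worker stuck in commit while another btrfs task waits."""
    def btrfs_syms(r):
        return {sym for sym, mod in r["frames"] if mod == "btrfs"}
    rescan = [r for r in reports if r["workqueue"] == "btrfs-qgroup-rescan"
              and "btrfs_commit_transaction" in btrfs_syms(r)]
    others = [r for r in reports if r not in rescan
              and btrfs_syms(r) & {"wait_current_trans", "btrfs_commit_transaction"}]
    return rescan + others if rescan and others else []

print([r["pid"] for r in quota_deadlock_suspects(parse_hung_tasks(SAMPLE_LOG))])
```

A non-empty result is a prompt to check the running kernel against the fixed versions, not proof of this specific deadlock; other btrfs stalls can produce similar traces.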
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-06-20T11:09:39.053Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe5ffc
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 7:57:44 PM
Last updated: 8/12/2025, 6:14:00 AM