
CVE-2022-48901: Vulnerability in the Linux kernel (btrfs)

Severity: High
Tags: Vulnerability, CVE-2022-48901
Published: Thu Aug 22 2024 (08/22/2024, 01:30:15 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: do not start relocation until in progress drops are done

We hit a bug with a recovering relocation on mount for one of our file systems in production. I reproduced this locally by injecting errors into snapshot delete with balance running at the same time. This presented as an error while looking up an extent item

  WARNING: CPU: 5 PID: 1501 at fs/btrfs/extent-tree.c:866 lookup_inline_extent_backref+0x647/0x680
  CPU: 5 PID: 1501 Comm: btrfs-balance Not tainted 5.16.0-rc8+ #8
  RIP: 0010:lookup_inline_extent_backref+0x647/0x680
  RSP: 0018:ffffae0a023ab960 EFLAGS: 00010202
  RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000
  RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000000000
  RBP: ffff943fd2a39b60 R08: 0000000000000000 R09: 0000000000000001
  R10: 0001434088152de0 R11: 0000000000000000 R12: 0000000001d05000
  R13: ffff943fd2a39b60 R14: ffff943fdb96f2a0 R15: ffff9442fc923000
  FS:  0000000000000000(0000) GS:ffff944e9eb40000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f1157b1fca8 CR3: 000000010f092000 CR4: 0000000000350ee0
  Call Trace:
   <TASK>
   insert_inline_extent_backref+0x46/0xd0
   __btrfs_inc_extent_ref.isra.0+0x5f/0x200
   ? btrfs_merge_delayed_refs+0x164/0x190
   __btrfs_run_delayed_refs+0x561/0xfa0
   ? btrfs_search_slot+0x7b4/0xb30
   ? btrfs_update_root+0x1a9/0x2c0
   btrfs_run_delayed_refs+0x73/0x1f0
   ? btrfs_update_root+0x1a9/0x2c0
   btrfs_commit_transaction+0x50/0xa50
   ? btrfs_update_reloc_root+0x122/0x220
   prepare_to_merge+0x29f/0x320
   relocate_block_group+0x2b8/0x550
   btrfs_relocate_block_group+0x1a6/0x350
   btrfs_relocate_chunk+0x27/0xe0
   btrfs_balance+0x777/0xe60
   balance_kthread+0x35/0x50
   ? btrfs_balance+0xe60/0xe60
   kthread+0x16b/0x190
   ? set_kthread_struct+0x40/0x40
   ret_from_fork+0x22/0x30
   </TASK>

Normally snapshot deletion and relocation are excluded from running at the same time by the fs_info->cleaner_mutex.

However if we had a pending balance waiting to get the ->cleaner_mutex, and a snapshot deletion was running, and then the box crashed, we would come up in a state where we have a half deleted snapshot. Again, in the normal case the snapshot deletion needs to complete before relocation can start, but in this case relocation could very well start before the snapshot deletion completes, as we simply add the root to the dead roots list and wait for the next time the cleaner runs to clean up the snapshot.

Fix this by setting a bit on the fs_info if we have any DEAD_ROOT's that had a pending drop_progress key. If they do then we know we were in the middle of the drop operation and set a flag on the fs_info. Then balance can wait until this flag is cleared to start up again.

If there are DEAD_ROOT's that don't have a drop_progress set then we're safe to start balance right away as we'll be properly protected by the cleaner_mutex.

AI-Powered Analysis

Last updated: 06/30/2025, 23:27:33 UTC

Technical Analysis

CVE-2022-48901 is a race condition in the Linux kernel's Btrfs filesystem between snapshot (subvolume) deletion and block-group relocation. Relocation is the work that a 'balance' performs to move extents between block groups; deleting a snapshot drops the subvolume's tree and the extent references it holds. On a running system the two are serialized by fs_info->cleaner_mutex: the cleaner thread holds it while it drops dead roots, and balance takes it around each block group it relocates. That serialization does not survive a crash. Deleting a snapshot only adds its root to the dead-roots list; the actual drop is done later by the cleaner and records how far it got in a drop_progress key. If the machine crashes while such a drop is in progress and a balance was pending, the filesystem comes back up with a half-deleted snapshot, and the relocation that is recovered on mount can start before the cleaner has finished the drop. Relocation then adds and updates extent references that the unfinished drop is still in the middle of removing; that is what the warning in lookup_inline_extent_backref reports (reached from btrfs_balance through relocate_block_group, the transaction commit and the delayed-refs path in the trace above), and it can leave extent references inconsistent on disk. The fix scans the dead roots at mount: if any of them has a drop_progress key set, a flag is set on fs_info recording that a drop is unfinished, and relocation waits for that flag to clear before it starts. Dead roots without a drop_progress key can be left to the cleaner, because for them the cleaner_mutex gives the usual protection. The original report came from a production filesystem and was reproduced by injecting errors into snapshot deletion while a balance was running on a 5.16.0-rc8 development kernel; every kernel carrying the unfixed relocation code is affected, and the fixed versions are the ones listed in the distribution advisory for this CVE. No known exploits are reported in the wild, and no CVSS score has been assigned.

Potential Impact

For European organizations running Linux hosts with Btrfs volumes, the risk is to integrity and availability rather than confidentiality. The bug is reached when a host crashes or loses power while a snapshot deletion is still being dropped and a balance is pending or is resumed on mount, so it is most likely on systems that combine scheduled snapshot cleanup with periodic balance: storage servers, backup targets, container and virtualization hosts, and cloud images built on Btrfs. The outcome ranges from the kernel warning quoted above, through a failed or aborted balance, to inconsistent extent references on disk, which can require an offline repair or a restore from backup. It is not a remote or privilege-escalation issue, and its precondition (an unclean shutdown during filesystem maintenance) is not something an unprivileged local user can normally force, so the practical impact is denial of service and possible data loss on unpatched hosts. Financial institutions, research centres and public-sector bodies with critical data on Btrfs face the same exposure as any other operator of such hosts; recovery from a corrupted Btrfs volume is slow, specialised work, so downtime is the main cost. Given how widely Linux is used in European data centres and cloud environments, unpatched systems across many sectors could be affected.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:
1) Apply the kernel update from their Linux distribution that includes the fix for CVE-2022-48901. This is the only complete remedy: the affected code also runs when an interrupted relocation is recovered at mount, which no operational workaround prevents.
2) Until patched, never start a balance while a snapshot deletion is still being cleaned up. After btrfs subvolume delete, run btrfs subvolume sync <mountpoint> (it blocks until the deleted subvolumes are fully removed) and confirm that btrfs subvolume list -d <mountpoint> shows nothing pending before btrfs balance start.
3) After an unclean shutdown of a host that had a balance running, mount with -o skip_balance so the interrupted balance is not resumed automatically, let the cleaner finish (btrfs subvolume sync), and only then btrfs balance resume. This narrows the window; it does not cover the mount-time relocation recovery described in the report.
4) Monitor kernel logs for a WARNING at fs/btrfs/extent-tree.c in lookup_inline_extent_backref whose task line reads Comm: btrfs-balance, as in the trace above. Treat a hit as a signal to cancel the balance (btrfs balance cancel), stop further maintenance on that volume, and run btrfs check --readonly against the unmounted device from a rescue environment before deciding on repair or restore.
5) Schedule snapshot deletions and balance operations in separate maintenance windows, run sequentially, and pause automated balance jobs (periodic maintenance scripts) on unpatched hosts.
6) Keep regular, tested backups of critical data on Btrfs volumes, and rehearse the recovery procedure for a corrupted Btrfs filesystem so that downtime is bounded.
7) For systems with high-availability requirements, defer balance operations entirely until the kernel is patched; moving to a different filesystem is a larger change than this issue justifies unless balance cannot be deferred.
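A pair of shell helpers for points 3 and 4 above, added here as an example and not part of the advisory or of the btrfs tools. The first classifies kernel-log text by the WARNING signature quoted in the description: a WARNING raised in lookup_inline_extent_backref whose matching task line, paired by PID so that a "Modules linked in:" line between the two does not matter, names the btrfs-balance kthread. The second reads the output of btrfs subvolume list -d and refuses to approve a balance resume while deleted subvolumes are still pending cleanup. Both read stdin so they run offline against constructed input; the sample log (timestamps, module list and the unrelated second warning) and the sample subvolume listing are constructed for this example, and the real invocations are shown as comments.

```shell
#!/bin/sh
# Added example for the CVE-2022-48901 mitigation window (not from the
# advisory or the btrfs project). Everything below reads stdin, so it can
# be exercised against constructed text; real use is in the comments.

# btrfs_reloc_warning_hits: print the number of WARNINGs in the kernel log
# that match the advisory's signature: a WARNING raised in
# lookup_inline_extent_backref whose task line (same PID) is btrfs-balance.
# Pairing by PID tolerates the "Modules linked in:" line that dmesg prints
# between the WARNING line and the "CPU: n PID: n Comm: ..." line.
btrfs_reloc_warning_hits() {
    awk '
        function pid_of(s) {
            if (match(s, /PID: [0-9]+/)) return substr(s, RSTART + 5, RLENGTH - 5)
            return ""
        }
        /WARNING:/ && /lookup_inline_extent_backref/ {
            p = pid_of($0); if (p != "") pending[p] = 1
            next
        }
        /Comm: / {
            p = pid_of($0)
            if (p in pending) {
                if ($0 ~ /Comm: btrfs-balance/) hits++
                delete pending[p]
            }
        }
        END { print hits + 0 }
    '
}

# btrfs_balance_resume_safe: read the output of
#   btrfs subvolume list -d <mountpoint>
# on stdin (one "ID <n> gen ..." line per deleted-but-not-yet-cleaned
# subvolume). Return 0 when nothing is pending, 1 otherwise, so it can gate
# "btrfs balance resume" / "btrfs balance start".
btrfs_balance_resume_safe() {
    pending=$(grep -c '^ID [0-9]' || true)
    if [ "$pending" -gt 0 ]; then
        echo "not safe: $pending deleted subvolume(s) still pending cleanup" >&2
        return 1
    fi
    return 0
}

# Constructed sample log: timestamps, the module list and the second,
# unrelated warning are invented; the btrfs lines are the advisory's.
SAMPLE_DMESG='[ 1501.001] WARNING: CPU: 5 PID: 1501 at fs/btrfs/extent-tree.c:866 lookup_inline_extent_backref+0x647/0x680
[ 1501.002] Modules linked in: btrfs xor raid6_pq
[ 1501.003] CPU: 5 PID: 1501 Comm: btrfs-balance Not tainted 5.16.0-rc8+ #8
[ 1501.004] RIP: 0010:lookup_inline_extent_backref+0x647/0x680
[ 1501.005] Call Trace:
[ 1501.006]  btrfs_balance+0x777/0xe60
[ 1600.000] WARNING: CPU: 2 PID: 77 at drivers/example/example.c:10 example_fn+0x10/0x20
[ 1600.001] CPU: 2 PID: 77 Comm: kworker/2:1 Not tainted 5.16.0-rc8+ #8'

# Constructed "btrfs subvolume list -d" output with one pending deletion.
SAMPLE_PENDING='ID 257 gen 1234 top level 5 path DELETED'

demo() {
    printf '%s\n' "$SAMPLE_DMESG" | btrfs_reloc_warning_hits      # prints 1
    if printf '%s\n' "$SAMPLE_PENDING" | btrfs_balance_resume_safe; then
        echo "would resume balance"
    else
        echo "holding balance until 'btrfs subvolume sync' completes"
    fi
}
demo

# Real use on an unpatched host after an unclean shutdown (not run here):
#   mount -o skip_balance /dev/sdX /mnt          # do not auto-resume balance
#   btrfs subvolume sync /mnt                    # wait for pending drops
#   btrfs subvolume list -d /mnt | btrfs_balance_resume_safe && btrfs balance resume /mnt
#   dmesg | btrfs_reloc_warning_hits             # 0 expected; >0: cancel balance, check fs
```

The PID pairing is deliberate: matching only on the WARNING line would also count the same function warning from the cleaner or from a user process, and matching on adjacent lines breaks as soon as dmesg inserts the module list. The resume gate is conservative by design; it reports "not safe" for any pending deletion, whether or not that subvolume's drop had actually started, because from userspace there is no way to tell which dead roots carry a drop_progress key.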


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-08-21T06:06:23.291Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d982fc4522896dcbe654e

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 6/30/2025, 11:27:33 PM

Last updated: 8/6/2025, 2:25:00 AM

