
CVE-2022-48920: Vulnerability in Linux Linux

Medium
Published: Thu Aug 22 2024 (08/22/2024, 01:32:50 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: get rid of warning on transaction commit when using flushoncommit

When using the flushoncommit mount option, during almost every transaction commit we trigger a warning from __writeback_inodes_sb_nr():

  $ cat fs/fs-writeback.c:
  (...)
  static void __writeback_inodes_sb_nr(struct super_block *sb, ...
  {
          (...)
          WARN_ON(!rwsem_is_locked(&sb->s_umount));
          (...)
  }
  (...)

The trace produced in dmesg looks like the following:

  [947.473890] WARNING: CPU: 5 PID: 930 at fs/fs-writeback.c:2610 __writeback_inodes_sb_nr+0x7e/0xb3
  [947.481623] Modules linked in: nfsd nls_cp437 cifs asn1_decoder cifs_arc4 fscache cifs_md4 ipmi_ssif
  [947.489571] CPU: 5 PID: 930 Comm: btrfs-transacti Not tainted 95.16.3-srb-asrock-00001-g36437ad63879 #186
  [947.497969] RIP: 0010:__writeback_inodes_sb_nr+0x7e/0xb3
  [947.502097] Code: 24 10 4c 89 44 24 18 c6 (...)
  [947.519760] RSP: 0018:ffffc90000777e10 EFLAGS: 00010246
  [947.523818] RAX: 0000000000000000 RBX: 0000000000963300 RCX: 0000000000000000
  [947.529765] RDX: 0000000000000000 RSI: 000000000000fa51 RDI: ffffc90000777e50
  [947.535740] RBP: ffff888101628a90 R08: ffff888100955800 R09: ffff888100956000
  [947.541701] R10: 0000000000000002 R11: 0000000000000001 R12: ffff888100963488
  [947.547645] R13: ffff888100963000 R14: ffff888112fb7200 R15: ffff888100963460
  [947.553621] FS: 0000000000000000(0000) GS:ffff88841fd40000(0000) knlGS:0000000000000000
  [947.560537] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [947.565122] CR2: 0000000008be50c4 CR3: 000000000220c000 CR4: 00000000001006e0
  [947.571072] Call Trace:
  [947.572354] <TASK>
  [947.573266] btrfs_commit_transaction+0x1f1/0x998
  [947.576785] ? start_transaction+0x3ab/0x44e
  [947.579867] ? schedule_timeout+0x8a/0xdd
  [947.582716] transaction_kthread+0xe9/0x156
  [947.585721] ? btrfs_cleanup_transaction.isra.0+0x407/0x407
  [947.590104] kthread+0x131/0x139
  [947.592168] ? set_kthread_struct+0x32/0x32
  [947.595174] ret_from_fork+0x22/0x30
  [947.597561] </TASK>
  [947.598553] ---[ end trace 644721052755541c ]---

This is because we started using writeback_inodes_sb() to flush delalloc when committing a transaction (when using -o flushoncommit), in order to avoid deadlocks with filesystem freeze operations. This change was made by commit ce8ea7cc6eb313 ("btrfs: don't call btrfs_start_delalloc_roots in flushoncommit"). After that change we started producing that warning, and every now and then a user reports this since the warning happens too often, it spams dmesg/syslog, and a user is unsure if this reflects any problem that might compromise the filesystem's reliability.

We can not just lock the sb->s_umount semaphore before calling writeback_inodes_sb(), because that would at least deadlock with filesystem freezing, since at fs/super.c:freeze_super() sync_filesystem() is called while we are holding that semaphore in write mode, and that can trigger a transaction commit, resulting in a deadlock. It would also trigger the same type of deadlock in the unmount path. Possibly, it could also introduce some other locking dependencies that lockdep would report.

To fix this call try_to_writeback_inodes_sb() instead of writeback_inodes_sb(), because that will try to read lock sb->s_umount and then will only call writeback_inodes_sb() if it was able to lock it. This is fine because the cases where it can't read lock sb->s_umount are during a filesystem unmount or during a filesystem freeze - in those cases sb->s_umount is write locked and sync_filesystem() is called, which calls writeback_inodes_sb(). In other words, in all cases where we can't take a read lock on sb->s_umount, writeback is already being triggered elsewhere.

An alternative would be to call btrfs_start_delalloc_roots() with a number of pages different from LONG_MAX, for example matching the number of delalloc bytes we currently have, in ---truncated---

AI-Powered Analysis

Last updated: 06/30/2025, 23:42:29 UTC

Technical Analysis

CVE-2022-48920 addresses a vulnerability in the Linux kernel specifically related to the Btrfs filesystem when mounted with the flushoncommit option. The issue arises from the kernel triggering frequent warnings during transaction commits due to improper locking of the sb->s_umount semaphore in the __writeback_inodes_sb_nr() function. This warning is caused by the kernel calling writeback_inodes_sb() to flush delayed allocation (delalloc) pages during transaction commits, which requires the sb->s_umount semaphore to be locked. However, the semaphore is not locked in this context, leading to WARN_ON triggers that flood the system logs (dmesg/syslog) and cause confusion about filesystem reliability. The root cause stems from a change in the kernel where writeback_inodes_sb() was introduced in flushoncommit to avoid deadlocks with filesystem freeze operations. Simply locking sb->s_umount before calling writeback_inodes_sb() is not viable as it would cause deadlocks with freeze and unmount operations. The fix implemented replaces the direct call to writeback_inodes_sb() with try_to_writeback_inodes_sb(), which attempts to acquire a read lock on sb->s_umount and only proceeds if successful. This approach prevents warnings and avoids deadlocks by ensuring writeback is only triggered when safe. This vulnerability does not appear to cause data corruption or direct security compromise but results in excessive kernel warnings that may obscure other critical messages and cause operational confusion. No known exploits are reported in the wild, and the issue primarily affects Linux kernel versions using Btrfs with flushoncommit enabled. The vulnerability is technical and subtle, involving kernel synchronization and filesystem transaction handling.

Potential Impact

For European organizations, the impact of CVE-2022-48920 is mainly operational rather than directly security-critical. Organizations using Linux systems with Btrfs filesystems mounted with flushoncommit may experience excessive kernel warnings flooding system logs, which can obscure detection of other important events and complicate system monitoring and troubleshooting. This could lead to delayed incident response or misinterpretation of system health. While no direct data loss or corruption is indicated, the warnings may cause administrators to question filesystem stability, potentially leading to unnecessary downtime or maintenance actions. In environments with high compliance or audit requirements, log spamming could interfere with log retention policies or automated alerting systems. Since Btrfs is often used in enterprise storage, cloud infrastructure, and container environments, organizations relying on these may face operational disruptions. However, the lack of known exploits and the nature of the issue as a warning rather than a crash or data corruption reduces the immediate security risk. Still, the presence of this vulnerability could be leveraged by attackers to create noise or cover other malicious activities if combined with other exploits. Overall, the impact is medium in operational disruption and low in direct security compromise.

Mitigation Recommendations

To mitigate CVE-2022-48920, European organizations should:

1) Apply the latest Linux kernel patches that include the fix replacing writeback_inodes_sb() calls with try_to_writeback_inodes_sb() to prevent warning spam and potential deadlocks.
2) Review and update system monitoring and log management configurations to filter or alert appropriately on these warnings until patches are applied, preventing log flooding from masking other events.
3) Evaluate the necessity of the flushoncommit mount option in Btrfs deployments; if not critical, consider disabling it to avoid triggering the issue.
4) Conduct thorough testing of kernel updates in staging environments to ensure stability and compatibility with existing Btrfs configurations.
5) Educate system administrators about the nature of these warnings to reduce confusion and prevent unnecessary panic or misdiagnosis.
6) Implement enhanced monitoring to detect unusual filesystem or kernel behavior that might indicate exploitation attempts or other issues masked by the warning noise.
7) Maintain up-to-date inventories of Linux kernel versions and filesystem configurations across infrastructure to prioritize patching efforts.

These steps go beyond generic advice by focusing on operational practices, configuration review, and targeted patch application specific to the Btrfs flushoncommit context.
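One way to carry out the inventory and log-triage steps above, as an added example (not code from this page or from the kernel project): it lists Btrfs mounts that use flushoncommit and separates the known warning from any other kernel WARNING so the latter are not lost in the noise. The mount table and the second warning are constructed sample data; the first warning is excerpted from the trace in the description, and all function names are hypothetical.

```python
import re

# Constructed sample in /proc/mounts format (not from a real host).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /data btrfs rw,noatime,flushoncommit,space_cache=v2 0 0
/dev/sdc1 /backup btrfs rw,relatime,space_cache=v2 0 0
"""

# First block: lines excerpted from the trace above. Second block: constructed.
SAMPLE_DMESG = """\
[947.473890] WARNING: CPU: 5 PID: 930 at fs/fs-writeback.c:2610 __writeback_inodes_sb_nr+0x7e/0xb3
[947.571072] Call Trace:
[947.573266] btrfs_commit_transaction+0x1f1/0x998
[947.585721] transaction_kthread+0xe9/0x156
[947.598553] ---[ end trace 644721052755541c ]---
[951.000001] WARNING: CPU: 1 PID: 77 at mm/example.c:10 example_func+0x10/0x20
[951.000002] Call Trace:
[951.000003] example_caller+0x5/0x9
[951.000004] ---[ end trace 0000000000000000 ]---
"""

WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: \d+ at \S+ ([\w.]+)\+0x")

def flushoncommit_mounts(mounts_text):
    """Mount points of btrfs filesystems whose options include flushoncommit."""
    hits = []
    for line in mounts_text.splitlines():
        f = line.split()
        # Exact option match, so "noflushoncommit" is not counted.
        if len(f) >= 4 and f[2] == "btrfs" and "flushoncommit" in f[3].split(","):
            hits.append(f[1])
    return hits

def classify_warnings(dmesg_text):
    """Return (known, other) WARNING headers; known = this CVE's signature."""
    known, other, cur = [], [], None
    for line in dmesg_text.splitlines() + ["end trace"]:  # sentinel flushes a cut-off block
        m = WARN_RE.search(line)
        if m:
            if cur:  # previous block never closed: do not suppress it
                other.append(cur["hdr"])
            cur = {"hdr": line, "func": m.group(1), "commit": False}
        elif cur:
            cur["commit"] |= "btrfs_commit_transaction+" in line
            if "end trace" in line:
                hit = cur["func"] == "__writeback_inodes_sb_nr" and cur["commit"]
                (known if hit else other).append(cur["hdr"])
                cur = None
    return known, other
```

Matching on both the warning function and btrfs_commit_transaction in the call trace keeps a log filter narrow, so a WARN_ON from any other code path still reaches alerting.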


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-21T06:06:23.295Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe65e1

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 6/30/2025, 11:42:29 PM

Last updated: 8/16/2025, 4:05:59 AM
