CVE-2022-49702: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix hang during unmount when block group reclaim task is running

When we start an unmount, at close_ctree(), if we have the reclaim task running and in the middle of a data block group relocation, we can trigger a deadlock when stopping an async reclaim task, producing a trace like the following:

   [629724.498185] task:kworker/u16:7 state:D stack: 0 pid:681170 ppid: 2 flags:0x00004000
   [629724.499760] Workqueue: events_unbound btrfs_async_reclaim_metadata_space [btrfs]
   [629724.501267] Call Trace:
   [629724.501759] <TASK>
   [629724.502174] __schedule+0x3cb/0xed0
   [629724.502842] schedule+0x4e/0xb0
   [629724.503447] btrfs_wait_on_delayed_iputs+0x7c/0xc0 [btrfs]
   [629724.504534] ? prepare_to_wait_exclusive+0xc0/0xc0
   [629724.505442] flush_space+0x423/0x630 [btrfs]
   [629724.506296] ? rcu_read_unlock_trace_special+0x20/0x50
   [629724.507259] ? lock_release+0x220/0x4a0
   [629724.507932] ? btrfs_get_alloc_profile+0xb3/0x290 [btrfs]
   [629724.508940] ? do_raw_spin_unlock+0x4b/0xa0
   [629724.509688] btrfs_async_reclaim_metadata_space+0x139/0x320 [btrfs]
   [629724.510922] process_one_work+0x252/0x5a0
   [629724.511694] ? process_one_work+0x5a0/0x5a0
   [629724.512508] worker_thread+0x52/0x3b0
   [629724.513220] ? process_one_work+0x5a0/0x5a0
   [629724.514021] kthread+0xf2/0x120
   [629724.514627] ? kthread_complete_and_exit+0x20/0x20
   [629724.515526] ret_from_fork+0x22/0x30
   [629724.516236] </TASK>
   [629724.516694] task:umount state:D stack: 0 pid:719055 ppid:695412 flags:0x00004000
   [629724.518269] Call Trace:
   [629724.518746] <TASK>
   [629724.519160] __schedule+0x3cb/0xed0
   [629724.519835] schedule+0x4e/0xb0
   [629724.520467] schedule_timeout+0xed/0x130
   [629724.521221] ? lock_release+0x220/0x4a0
   [629724.521946] ? lock_acquired+0x19c/0x420
   [629724.522662] ? trace_hardirqs_on+0x1b/0xe0
   [629724.523411] __wait_for_common+0xaf/0x1f0
   [629724.524189] ? usleep_range_state+0xb0/0xb0
   [629724.524997] __flush_work+0x26d/0x530
   [629724.525698] ? flush_workqueue_prep_pwqs+0x140/0x140
   [629724.526580] ? lock_acquire+0x1a0/0x310
   [629724.527324] __cancel_work_timer+0x137/0x1c0
   [629724.528190] close_ctree+0xfd/0x531 [btrfs]
   [629724.529000] ? evict_inodes+0x166/0x1c0
   [629724.529510] generic_shutdown_super+0x74/0x120
   [629724.530103] kill_anon_super+0x14/0x30
   [629724.530611] btrfs_kill_super+0x12/0x20 [btrfs]
   [629724.531246] deactivate_locked_super+0x31/0xa0
   [629724.531817] cleanup_mnt+0x147/0x1c0
   [629724.532319] task_work_run+0x5c/0xa0
   [629724.532984] exit_to_user_mode_prepare+0x1a6/0x1b0
   [629724.533598] syscall_exit_to_user_mode+0x16/0x40
   [629724.534200] do_syscall_64+0x48/0x90
   [629724.534667] entry_SYSCALL_64_after_hwframe+0x44/0xae
   [629724.535318] RIP: 0033:0x7fa2b90437a7
   [629724.535804] RSP: 002b:00007ffe0b7e4458 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
   [629724.536912] RAX: 0000000000000000 RBX: 00007fa2b9182264 RCX: 00007fa2b90437a7
   [629724.538156] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000555d6cf20dd0
   [629724.539053] RBP: 0000555d6cf20ba0 R08: 0000000000000000 R09: 00007ffe0b7e3200
   [629724.539956] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
   [629724.540883] R13: 0000555d6cf20dd0 R14: 0000555d6cf20cb0 R15: 0000000000000000
   [629724.541796] </TASK>

This happens because:

1) Before entering close_ctree() we have the async block group reclaim task running and relocating a data block group;

2) There's an async metadata (or data) space reclaim task running;

3) We enter close_ctree() and park the cleaner kthread;

4) The async space reclaim task is at flush_space() and runs all the existing delayed iputs;

5) Before the async space reclaim task calls btrfs_wait_on_delayed_iputs(), the block group reclaim task which is doing the data block group relocation, creates a delayed iput at replace_file_extents() (called when COWing leaves that have file extent items pointing to relocated data exten ---truncated---
AI Analysis
Technical Summary
CVE-2022-49702 is a vulnerability in the Linux kernel's Btrfs filesystem implementation that can cause a system hang (deadlock) during the unmount operation. The issue arises specifically when the block group reclaim task is running asynchronously and relocating data block groups while an unmount is initiated. The deadlock occurs in the close_ctree() function, which is responsible for closing the Btrfs filesystem tree during unmount. The root cause is a complex interaction between asynchronous reclaim tasks and delayed inode puts (iputs) that leads to circular waits and a kernel task stuck in an uninterruptible sleep state. The kernel stack traces show that the reclaim task and the unmount task both enter scheduling states waiting on each other, causing the system to hang. This vulnerability does not lead to data corruption or privilege escalation but results in a denial of service (DoS) condition by hanging the system or the affected filesystem mount point. The vulnerability affects Linux kernel versions containing the vulnerable Btrfs code prior to the patch that fixes the deadlock by properly synchronizing the reclaim tasks and inode cleanup during unmount. Exploitation requires triggering an unmount while the block group reclaim task is actively relocating data, which is a specific but plausible scenario on systems using Btrfs with heavy filesystem activity. There are no known exploits in the wild, and no CVSS score has been assigned yet. The vulnerability is technical and specific to the Btrfs filesystem's internal asynchronous reclaim mechanisms.
Potential Impact
For European organizations, the primary impact of CVE-2022-49702 is a potential denial of service caused by system hangs during unmount operations on Btrfs filesystems. Organizations using Linux servers with Btrfs for storage, especially in data centers, cloud infrastructure, or critical systems, may experience service interruptions or require system reboots to recover from the hang. This can affect availability of services relying on these filesystems, impacting business continuity. While the vulnerability does not allow data breaches or privilege escalation, the disruption of operations can be significant for environments with high uptime requirements. Given the increasing adoption of Btrfs in some Linux distributions and enterprise environments, the risk is non-negligible. Systems performing frequent unmounts or heavy block group reclaim operations are at higher risk. The vulnerability may also affect embedded Linux devices or network appliances using Btrfs, potentially disrupting critical infrastructure. However, the impact is limited to denial of service rather than data integrity or confidentiality compromise.
Mitigation Recommendations
To mitigate CVE-2022-49702, European organizations should:

1) Apply the official Linux kernel patches that fix the deadlock in the Btrfs reclaim and unmount code as soon as they become available from their Linux distribution vendors or kernel maintainers.

2) Avoid unmounting Btrfs filesystems during heavy block group reclaim or data relocation operations, which can be monitored via system logs or Btrfs debug tools.

3) Monitor system logs for signs of reclaim tasks running and plan maintenance windows accordingly to minimize unmount operations under load.

4) Consider using alternative stable filesystems if unmount hangs pose unacceptable risks in critical environments until patches are applied.

5) Implement robust system monitoring and automated recovery mechanisms to detect and recover from hung kernel tasks or unresponsive filesystems.

6) Test kernel updates in staging environments to ensure stability before production deployment.

7) Educate system administrators about the specific conditions triggering the deadlock to avoid inadvertent triggering during maintenance.
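For recommendation 5, one way to recognise this specific hang in kernel logs, given here as an added example that is not part of the advisory or the kernel patch. It assumes blocked-task reports in the format of the trace quoted in the description; the function names and the sample log (timestamps shortened, "?" frames and registers omitted) are constructed for illustration.

```python
import re

# Constructed sample in the format of the trace quoted in the description.
SAMPLE_LOG = """\
[100.01] task:kworker/u16:7 state:D stack: 0 pid:681170 ppid: 2 flags:0x00004000
[100.02] Workqueue: events_unbound btrfs_async_reclaim_metadata_space [btrfs]
[100.03] Call Trace:
[100.04]  <TASK>
[100.05]  btrfs_wait_on_delayed_iputs+0x7c/0xc0 [btrfs]
[100.06]  flush_space+0x423/0x630 [btrfs]
[100.07]  </TASK>
[100.08] task:umount state:D stack: 0 pid:719055 ppid:695412 flags:0x00004000
[100.09] Call Trace:
[100.10]  <TASK>
[100.11]  __flush_work+0x26d/0x530
[100.12]  __cancel_work_timer+0x137/0x1c0
[100.13]  close_ctree+0xfd/0x531 [btrfs]
[100.14]  </TASK>
"""

TASK_RE = re.compile(r"task:(\S+)\s+state:(\S)\s.*?pid:\s*(\d+)")
FRAME_RE = re.compile(r"\]\s+(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_tasks(log):
    """Split a kernel log into per-task records with their reliable frames."""
    tasks = []
    for line in log.splitlines():
        m = TASK_RE.search(line)
        if m:
            tasks.append({"comm": m.group(1), "state": m.group(2),
                          "pid": int(m.group(3)), "frames": []})
            continue
        f = FRAME_RE.search(line)
        if f and tasks and not f.group(1):   # skip "?" (unreliable) frames
            tasks[-1]["frames"].append(f.group(2))
    return tasks

def find_unmount_deadlock(log):
    """Return (reclaim_pid, umount_pid) if both halves of the hang are present."""
    blocked = [t for t in parse_tasks(log) if t["state"] == "D"]
    reclaim = [t for t in blocked
               if {"btrfs_wait_on_delayed_iputs", "flush_space"} <= set(t["frames"])]
    umount = [t for t in blocked
              if "close_ctree" in t["frames"] and "__flush_work" in t["frames"]]
    if reclaim and umount:
        return reclaim[0]["pid"], umount[0]["pid"]
    return None
```

Requiring both blocked tasks keeps the check specific to this hang: a lone umount in state D, or a reclaim worker briefly waiting on delayed iputs, does not match.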
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:21:30.443Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982cc4522896dcbe48b2
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 6/30/2025, 12:25:16 AM
Last updated: 8/11/2025, 9:08:59 PM