CVE-2022-49761

Summary

In the Linux kernel, the following vulnerability has been resolved:

btrfs: always report error in run_one_delayed_ref()

Currently we have a btrfs_debug() for run_one_delayed_ref() failure, but if end users hit such problem, there will be no chance that btrfs_debug() is enabled. This can lead to very little useful info for debugging.

This patch will:

  • Add extra info for error reporting Including:

    • logical bytenr
    • num_bytes
    • type
    • action
    • ref_mod
  • Replace the btrfs_debug() with btrfs_err()

  • Move the error reporting into run_one_delayed_ref() This is to avoid use-after-free, the @node can be freed in the caller.

This error should only be triggered at most once.

As if run_one_delayed_ref() failed, we trigger the error message, then causing the call chain to error out:

btrfs_run_delayed_refs() - btrfs_run_delayed_refs() - btrfs_run_delayed_refs_for_head() `- run_one_delayed_ref()

And we will abort the current transaction in btrfs_run_delayed_refs(). If we have to run delayed refs for the abort transaction, run_one_delayed_ref() will just cleanup the refs and do nothing, thus no new error messages would be output.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux79787eaab46121d4713ed03c8fc63b9ec3eaec76 < 18bd1c9c02e64a3567f90c83c2c8b855531c8098affected
LinuxLinux79787eaab46121d4713ed03c8fc63b9ec3eaec76 < fdb4a70bb768d2a87890409597529ad81cb3de8aaffected
LinuxLinux79787eaab46121d4713ed03c8fc63b9ec3eaec76 < 853ffa1511b058c79a4c9bb1407b3b20ce311792affected
LinuxLinux79787eaab46121d4713ed03c8fc63b9ec3eaec76 < 39f501d68ec1ed5cd5c66ac6ec2a7131c517bb92affected
LinuxLinux3.4affected
LinuxLinux0 < 3.4unaffected
LinuxLinux5.10.165 <= 5.10.*unaffected
LinuxLinux5.15.90 <= 5.15.*unaffected
LinuxLinux6.1.8 <= 6.1.*unaffected
LinuxLinux6.2 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References