CVE-2022-48664 in Linux
Summary
by MITRE • 04/28/2024
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix hang during unmount when stopping a space reclaim worker
Often when running generic/562 from fstests we can hang during unmount, resulting in a trace like this:
Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00
Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.
Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1
Sep 07 11:55:32 debian9 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000
Sep 07 11:55:32 debian9 kernel: Call Trace:
Sep 07 11:55:32 debian9 kernel:
Sep 07 11:55:32 debian9 kernel: __schedule+0x3c8/0xec0
Sep 07 11:55:32 debian9 kernel: ? rcu_read_lock_sched_held+0x12/0x70
Sep 07 11:55:32 debian9 kernel: schedule+0x5d/0xf0
Sep 07 11:55:32 debian9 kernel: schedule_timeout+0xf1/0x130
Sep 07 11:55:32 debian9 kernel: ? lock_release+0x224/0x4a0
Sep 07 11:55:32 debian9 kernel: ? lock_acquired+0x1a0/0x420
Sep 07 11:55:32 debian9 kernel: ? trace_hardirqs_on+0x2c/0xd0
Sep 07 11:55:32 debian9 kernel: __wait_for_common+0xac/0x200
Sep 07 11:55:32 debian9 kernel: ? usleep_range_state+0xb0/0xb0
Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530
Sep 07 11:55:32 debian9 kernel: ? flush_workqueue_prep_pwqs+0x140/0x140
Sep 07 11:55:32 debian9 kernel: ? trace_clock_local+0xc/0x30
Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0
Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs]
Sep 07 11:55:32 debian9 kernel: ? __trace_bputs+0x10b/0x170
Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs]
Sep 07 11:55:32 debian9 kernel: ? evict_inodes+0x166/0x1c0
Sep 07 11:55:32 debian9 kernel: generic_shutdown_super+0x71/0x120
Sep 07 11:55:32 debian9 kernel: kill_anon_super+0x14/0x30
Sep 07 11:55:32 debian9 kernel: btrfs_kill_super+0x12/0x20 [btrfs]
Sep 07 11:55:32 debian9 kernel: deactivate_locked_super+0x2e/0xa0
Sep 07 11:55:32 debian9 kernel: cleanup_mnt+0x100/0x160
Sep 07 11:55:32 debian9 kernel: task_work_run+0x59/0xa0
Sep 07 11:55:32 debian9 kernel: exit_to_user_mode_prepare+0x1a6/0x1b0
Sep 07 11:55:32 debian9 kernel: syscall_exit_to_user_mode+0x16/0x40
Sep 07 11:55:32 debian9 kernel: do_syscall_64+0x48/0x90
Sep 07 11:55:32 debian9 kernel: entry_SYSCALL_64_after_hwframe+0x63/0xcd
Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7
Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7
Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0
Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570
Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000
Sep 07 11:55:32 debian9 kernel:
What happens is the following:
1) The cleaner kthread tries to start a transaction to delete an unused block group, but the metadata reservation can not be satisfied right away, so a reservation ticket is created and it starts the async metadata reclaim task (fs_info->async_reclaim_work);
2) Writeback for all the filler inodes with an i_size of 2K starts (generic/562 creates a lot of 2K files with the goal of filling metadata space). We try to create an inline extent for them, but we fail when trying to insert the inline extent with -ENOSPC (at cow_file_range_inline()) - since this is not critical, we fallback to non-inline mode (back to cow_file_range()), reserve extents ---truncated---
Analysis
by VulDB Data Team • 09/26/2025
CVE-2022-48664 is a deadlock in the btrfs filesystem implementation of the Linux kernel that is triggered during unmount, when the filesystem stops its space reclaim worker. The result is a hang of the unmounting task, so the filesystem is never cleanly unmounted and the affected system suffers a denial of service. The issue is classified as CWE-362 (concurrent execution using a shared resource with improper synchronization), the weakness class that covers race conditions and deadlocks between kernel threads. The root cause is insufficient synchronization between the btrfs background cleanup work and the filesystem shutdown path.
The sequence that leads to the hang is as follows. The cleaner kernel thread starts a transaction to delete an unused block group, but the metadata reservation cannot be satisfied immediately, so a reservation ticket is created and the asynchronous metadata reclaim work (fs_info->async_reclaim_work) is started. When unmount later reaches close_ctree and cancels that work item through __cancel_work_timer, the cancellation has to wait in __flush_work for the running work to finish, and the work never finishes. The call trace shows the umount task in state D (uninterruptible sleep) for more than 120 seconds, which is what the kernel's hung task detector reports: a thread waiting indefinitely on a completion that is never signalled.
The operational impact goes beyond a single stuck process. Any unmount of a btrfs filesystem, in particular one under heavy metadata load such as the generic/562 test from fstests, can leave the unmounting task hung and the system unresponsive, and recovery may require a forced reboot. The vulnerability affects any Linux system with btrfs filesystems and is most disruptive where unmounts are automated, for example in scheduled maintenance, backup or container workflows, because the hang occurs precisely during shutdown or maintenance operations, when manual intervention is hardest.
Mitigation for CVE-2022-48664 consists of applying the kernel fix and of detecting the condition where it cannot yet be applied. The fix changes how the space reclaim worker is stopped during unmount so that the work item can be cancelled and the background thread terminated without deadlocking the shutdown path; system administrators should prioritize kernel updates that include it, especially on production systems that actively use btrfs. In addition, monitoring should watch for the kernel's hung task reports ("INFO: task ... blocked for more than N seconds") and raise an alert when the blocked task is an unmount with close_ctree and __cancel_work_timer in its call trace, so that operators can intervene before the whole system locks up.
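The hung task alerting recommended above can be prototyped by parsing kernel log lines. The following is an added example, not code from the VulDB entry or from the kernel: it extracts each "INFO: task ... blocked for more than N seconds" report, collects the reliable frames of its call trace (frames prefixed with "?" are unreliable and are skipped), and flags reports whose trace contains the close_ctree / __cancel_work_timer / __flush_work frames of a btrfs module, which is the pattern visible in the trace quoted in the summary. The sample log is constructed here: the first report is taken from that trace, the second (a kworker blocked in io_schedule with made-up offsets) is invented to show a non-matching report. The function names and the HungTask class are the example's own.

```python
"""Detect hung-task reports in kernel log lines and flag the btrfs unmount hang
pattern of CVE-2022-48664. Added example; not the advisory's or the kernel's code."""
import re
from dataclasses import dataclass, field

# "INFO: task umount:49438 blocked for more than 120 seconds."
HUNG_RE = re.compile(
    r"INFO: task (?P<name>\S+):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds"
)
# A call-trace frame such as "kernel:  close_ctree+0x152/0x5b3 [btrfs]";
# a leading "? " marks a stale/unreliable frame that the unwinder could not verify.
FRAME_RE = re.compile(
    r"kernel:\s+(?P<unreliable>\? )?(?P<sym>[A-Za-z_][\w.]*)"
    r"\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(?P<mod>\w+)\])?\s*$"
)
# Frames that appear in the unmount path of the CVE-2022-48664 trace.
WATCH_FRAMES = {"close_ctree", "__cancel_work_timer", "__flush_work"}


@dataclass
class HungTask:
    name: str
    pid: int
    seconds: int
    frames: list[str] = field(default_factory=list)   # reliable frames, innermost first
    modules: set[str] = field(default_factory=set)    # kernel modules seen in the trace

    def matches_btrfs_unmount_hang(self) -> bool:
        """True when the trace shows a btrfs unmount waiting on work cancellation."""
        return "btrfs" in self.modules and WATCH_FRAMES <= set(self.frames)


def parse_hung_tasks(lines) -> list[HungTask]:
    """Turn a sequence of kernel log lines into one HungTask per hung-task report."""
    reports: list[HungTask] = []
    current: HungTask | None = None
    for line in lines:
        m = HUNG_RE.search(line)
        if m:  # a new report starts; frames that follow belong to it
            current = HungTask(m["name"], int(m["pid"]), int(m["secs"]))
            reports.append(current)
            continue
        if current is None:
            continue
        f = FRAME_RE.search(line)
        if f and not f["unreliable"]:
            current.frames.append(f["sym"])
            if f["mod"]:
                current.modules.add(f["mod"])
        elif "RIP:" in line:
            current = None  # the register dump marks the end of the call trace
    return reports


def flag_btrfs_unmount_hangs(lines) -> list[HungTask]:
    """Return only the reports that match the CVE-2022-48664 unmount hang pattern."""
    return [r for r in parse_hung_tasks(lines) if r.matches_btrfs_unmount_hang()]


# Constructed sample: first report from the advisory's trace (abridged), second invented.
SAMPLE_LOG = """\
Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.
Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1
Sep 07 11:55:32 debian9 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000
Sep 07 11:55:32 debian9 kernel: Call Trace:
Sep 07 11:55:32 debian9 kernel:  __schedule+0x3c8/0xec0
Sep 07 11:55:32 debian9 kernel:  ? rcu_read_lock_sched_held+0x12/0x70
Sep 07 11:55:32 debian9 kernel:  schedule+0x5d/0xf0
Sep 07 11:55:32 debian9 kernel:  schedule_timeout+0xf1/0x130
Sep 07 11:55:32 debian9 kernel:  __wait_for_common+0xac/0x200
Sep 07 11:55:32 debian9 kernel:  __flush_work+0x26d/0x530
Sep 07 11:55:32 debian9 kernel:  __cancel_work_timer+0x11f/0x1b0
Sep 07 11:55:32 debian9 kernel:  ? close_ctree+0x12b/0x5b3 [btrfs]
Sep 07 11:55:32 debian9 kernel:  close_ctree+0x152/0x5b3 [btrfs]
Sep 07 11:55:32 debian9 kernel:  generic_shutdown_super+0x71/0x120
Sep 07 11:55:32 debian9 kernel:  btrfs_kill_super+0x12/0x20 [btrfs]
Sep 07 11:55:32 debian9 kernel:  do_syscall_64+0x48/0x90
Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7
Sep 07 11:55:32 debian9 kernel: INFO: task kworker/u8:2:1234 blocked for more than 120 seconds.
Sep 07 11:55:32 debian9 kernel: Call Trace:
Sep 07 11:55:32 debian9 kernel:  __schedule+0x3c8/0xec0
Sep 07 11:55:32 debian9 kernel:  schedule+0x5d/0xf0
Sep 07 11:55:32 debian9 kernel:  io_schedule+0x42/0x70
"""

if __name__ == "__main__":
    for r in parse_hung_tasks(SAMPLE_LOG.splitlines()):
        verdict = "ALERT btrfs unmount hang" if r.matches_btrfs_unmount_hang() else "other hang"
        print(f"{r.name}:{r.pid} blocked {r.seconds}s -> {verdict}; frames={r.frames}")
```

In production the lines would come from journalctl -k or /dev/kmsg rather than an inline string, and the alert would fire on the flagged reports; the unreliable "?" frames are deliberately ignored so that a stale close_ctree frame in an unrelated trace does not produce a false alert.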