CVE-2022-49033 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()
Syzkaller reported BUG as follows:
BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274 Call Trace: dump_stack_lvl+0xcd/0x134 __might_resched.cold+0x222/0x26b kmem_cache_alloc+0x2e7/0x3c0 update_qgroup_limit_item+0xe1/0x390 btrfs_qgroup_inherit+0x147b/0x1ee0 create_subvol+0x4eb/0x1710 btrfs_mksubvol+0xfe5/0x13f0 __btrfs_ioctl_snap_create+0x2b0/0x430 btrfs_ioctl_snap_create_v2+0x25a/0x520 btrfs_ioctl+0x2a1c/0x5ce0 __x64_sys_ioctl+0x193/0x200 do_syscall_64+0x35/0x80
Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in btrfs_run_qgroups() later outside of the spinlock context.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/19/2026
The vulnerability CVE-2022-49033 represents a critical issue within the Linux kernel's btrfs filesystem implementation that stems from improper handling of sleep operations within invalid execution contexts. This flaw manifests specifically in the btrfs_qgroup_inherit() function where a sleeping function is invoked from a context that does not permit such operations, creating a potential system instability and crash scenario. The issue was identified through systematic kernel testing using syzkaller, a powerful fuzzer designed to detect kernel-level vulnerabilities. The reported BUG indicates that the kernel's scheduler encountered a sleeping function call from an inappropriate context, as evidenced by the call trace pointing to include/linux/sched/mm.h line 274, which is a critical kernel subsystem responsible for memory management and scheduling operations.
The technical root cause of this vulnerability lies in the improper synchronization mechanism within the qgroup (quota group) management system of the btrfs filesystem. When processing qgroup inheritance operations, the kernel attempts to allocate memory using kmem_cache_alloc() within a spinlock-protected context, which creates a deadlock scenario since memory allocation routines are not designed to sleep in such contexts. This violates fundamental kernel design principles where spinlocks must be held for minimal time and cannot invoke functions that may sleep. The function update_qgroup_limit_item() which is called from btrfs_qgroup_inherit() attempts to perform memory allocation while holding a spinlock, directly contradicting the kernel's locking requirements and leading to system crashes or undefined behavior. This type of error pattern aligns with CWE-367, which describes Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities and improper locking scenarios.
The operational impact of this vulnerability extends beyond simple system crashes, as it affects the reliability and stability of btrfs filesystem operations, particularly during subvolume creation processes. When users or applications attempt to create snapshots or subvolumes through the btrfs_ioctl_snap_create_v2 interface, the system may become unstable, leading to kernel oops, system hangs, or complete system crashes. This vulnerability particularly affects systems heavily dependent on btrfs filesystems for data storage and management, potentially disrupting critical services and data operations. The attack surface is significant as it can be triggered through standard filesystem operations, making it a potential vector for denial-of-service attacks against systems running btrfs. According to ATT&CK framework, this vulnerability maps to T1499.004 (Evasion: File System Logical Chain Modification) and T1565.001 (Data Manipulation: Stored Data Manipulation) as it can compromise the integrity of filesystem operations and potentially lead to data corruption or loss during critical operations.
The fix implemented for CVE-2022-49033 addresses the core synchronization issue by restructuring the qgroup limit item update process to defer the actual limit item update outside of the spinlock context. This approach ensures that memory allocation operations, which may sleep, occur in a context where such operations are permitted. The solution involves calling qgroup_dirty() on the destination qgroup first, which marks the qgroup as requiring attention, and then performing the actual limit item update within btrfs_run_qgroups() at a later point when the system is in a proper context. This design pattern follows established kernel development practices for handling memory allocation within locked contexts, ensuring that spinlocks are not held during potentially blocking operations. The fix demonstrates proper understanding of kernel synchronization primitives and follows the principle of minimizing lock hold times while ensuring data consistency. The solution maintains the semantic correctness of the qgroup inheritance process while eliminating the dangerous sleep-in-lock scenario that led to the vulnerability. This approach also aligns with the kernel's design philosophy of separating concerns and ensuring that locking operations do not inadvertently cause system instability through improper function invocation sequences.