CVE-2022-49913 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix inode list leak during backref walking at find_parent_nodes()
During backref walking, at find_parent_nodes(), if we are dealing with a data extent and we get an error while resolving the indirect backrefs, at resolve_indirect_refs(), or in the while loop that iterates over the refs in the direct refs rbtree, we end up leaking the inode lists attached to the direct refs we have in the direct refs rbtree that were not yet added to the refs ulist passed as argument to find_parent_nodes(). Since they were not yet added to the refs ulist and prelim_release() does not free the lists, on error the caller can only free the lists attached to the refs that were added to the refs ulist, all the remaining refs get their inode lists never freed, therefore leaking their memory.
Fix this by having prelim_release() always free any attached inode list to each ref found in the rbtree, and have find_parent_nodes() set the ref's inode list to NULL once it transfers ownership of the inode list to a ref added to the refs ulist passed to find_parent_nodes().
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 11/12/2025
The vulnerability described in CVE-2022-49913 represents a critical memory management flaw within the Linux kernel's btrfs file system implementation. This issue manifests during the backref walking process specifically at the find_parent_nodes() function where improper handling of inode list cleanup leads to memory leaks. The btrfs file system, designed for enterprise storage environments and widely adopted in cloud infrastructures, experiences this vulnerability when processing data extents and resolving backreferences. The flaw occurs in the context of metadata management where the kernel maintains reference counts and relationships between data blocks and inodes, making it particularly dangerous for systems relying on btrfs for critical data storage operations.
The technical root cause of this vulnerability lies in the improper synchronization between memory allocation and deallocation during backref resolution. When the system encounters errors while processing indirect backrefs through resolve_indirect_refs() or during iteration over direct refs in the rbtree structure, the code fails to properly release inode lists that were allocated but not yet transferred to the refs ulist. This creates a memory leak scenario where inode lists remain allocated indefinitely, with the preliminary release function prelim_release() only freeing lists attached to refs that were successfully added to the ulist. The rbtree data structure maintains direct refs that are never properly cleaned up, leading to progressive memory consumption that can eventually impact system stability and performance.
The operational impact of this vulnerability extends beyond simple memory leakage to potentially compromise system integrity and availability. Systems utilizing btrfs file systems, particularly those with high I/O workloads or extensive metadata operations, face increasing memory pressure that can lead to performance degradation or system crashes. The vulnerability affects the kernel's ability to properly manage memory resources during error conditions, which is particularly concerning in production environments where btrfs is commonly used for database storage, virtual machine storage, and container orchestration platforms. This memory leak can accumulate over time, especially in systems processing large volumes of data operations, potentially leading to resource exhaustion attacks that could be exploited by malicious actors to cause denial of service conditions.
The fix implemented addresses this vulnerability by modifying the memory management approach within the btrfs subsystem. The solution ensures that prelim_release() function always frees attached inode lists regardless of the processing state, while find_parent_nodes() properly nullifies the ref's inode list once ownership transfers to the refs ulist. This dual approach prevents the memory leak by guaranteeing that all allocated inode lists are properly cleaned up during error conditions. The mitigation aligns with security best practices for kernel memory management and follows established patterns for preventing resource leaks in operating system components. This fix directly addresses CWE-404, which describes improper resource release or cleanup, and aligns with ATT&CK techniques related to resource exhaustion and system stability compromise. The solution maintains backward compatibility while strengthening the kernel's resilience against memory management errors that could be exploited in adversarial environments.