CVE-2022-50089 in Linux

Summary

by MITRE • 06/18/2025

In the Linux kernel, the following vulnerability has been resolved:

btrfs: ensure pages are unlocked on cow_file_range() failure

There is a hung_task report on zoned btrfs like below.

https://github.com/naota/linux/issues/59

[726.328648] INFO: task rocksdb:high0:11085 blocked for more than 241 seconds.
[726.329839] Not tainted 5.16.0-rc1+ #1
[726.330484] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[726.331603] task:rocksdb:high0 state:D stack: 0 pid:11085 ppid: 11082 flags:0x00000000
[726.331608] Call Trace:
[726.331611] <TASK>
[726.331614] __schedule+0x2e5/0x9d0
[726.331622] schedule+0x58/0xd0
[726.331626] io_schedule+0x3f/0x70
[726.331629] __folio_lock+0x125/0x200
[726.331634] ? find_get_entries+0x1bc/0x240
[726.331638] ? filemap_invalidate_unlock_two+0x40/0x40
[726.331642] truncate_inode_pages_range+0x5b2/0x770
[726.331649] truncate_inode_pages_final+0x44/0x50
[726.331653] btrfs_evict_inode+0x67/0x480
[726.331658] evict+0xd0/0x180
[726.331661] iput+0x13f/0x200
[726.331664] do_unlinkat+0x1c0/0x2b0
[726.331668] __x64_sys_unlink+0x23/0x30
[726.331670] do_syscall_64+0x3b/0xc0
[726.331674] entry_SYSCALL_64_after_hwframe+0x44/0xae
[726.331677] RIP: 0033:0x7fb9490a171b
[726.331681] RSP: 002b:00007fb943ffac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
[726.331684] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb9490a171b
[726.331686] RDX: 00007fb943ffb040 RSI: 000055a6bbe6ec20 RDI: 00007fb94400d300
[726.331687] RBP: 00007fb943ffad00 R08: 0000000000000000 R09: 0000000000000000
[726.331688] R10: 0000000000000031 R11: 0000000000000246 R12: 00007fb943ffb000
[726.331690] R13: 00007fb943ffb040 R14: 0000000000000000 R15: 00007fb943ffd260
[726.331693] </TASK>

While we debug the issue, we found running fstests generic/551 on 5GB non-zoned null_blk device in the emulated zoned mode also had a similar hung issue.

Also, we can reproduce the same symptom with an error injected cow_file_range() setup.

The hang occurs when cow_file_range() fails in the middle of allocation. cow_file_range() called from do_allocation_zoned() can split the given region ([start, end]) for allocation depending on current block group usages. When btrfs can allocate bytes for one part of the split regions but fails for the other region (e.g. because of -ENOSPC), we return the error leaving the pages in the succeeded regions locked. Technically, this occurs only when @unlock == 0. Otherwise, we unlock the pages in an allocated region after creating an ordered extent.

Considering the callers of cow_file_range(unlock=0) won't write out the pages, we can unlock the pages on error exit from cow_file_range(). So, we can ensure all the pages except @locked_page are unlocked on error case.

In summary, cow_file_range now behaves like this:

- page_started == 1 (return value)
  - All the pages are unlocked. IO is started.
- unlock == 1
  - All the pages except @locked_page are unlocked in any case
- unlock == 0
  - On success, all the pages are locked for writing them out
  - On failure, all the pages except @locked_page are unlocked


Analysis

by VulDB Data Team • 11/30/2025

The vulnerability described in CVE-2022-50089 affects the Linux kernel's btrfs filesystem implementation and represents a critical resource management flaw that can lead to system hangs and denial of service conditions. This issue specifically manifests when the cow_file_range() function fails during the copy-on-write operation on zoned btrfs filesystems, leaving memory pages in an inconsistent locked state. The problem was identified through hung_task reports where processes like rocksdb became blocked for extended periods, indicating that kernel threads were unable to proceed due to locked resources that were never properly released. The vulnerability occurs in the context of zoned storage environments where the filesystem must manage complex allocation patterns across different block group usages, making it particularly problematic for storage systems that rely on zoned media characteristics.

The technical root cause of this vulnerability lies in improper error handling within the cow_file_range() function, which is called from do_allocation_zoned() during the allocation process. When the function splits the given region for allocation and succeeds in allocating bytes for one part of the split regions but fails for another part due to conditions like -ENOSPC (no space left on device), it returns an error while leaving the pages of the part that was allocated successfully in a locked state. This occurs specifically when the unlock parameter is set to 0, which means cow_file_range() leaves the pages locked for the caller to write out rather than writing them out itself. The function's behavior is inconsistent because with unlock == 1 the pages of each allocated region are released once its ordered extent has been created, whereas with unlock == 0 nothing releases the pages of the already-allocated regions on the error path, creating a resource leak that can accumulate over time and eventually lead to system instability.

The operational impact of this vulnerability extends beyond simple resource leakage to potentially cause complete system hangs and service disruption. When processes attempt to perform file operations such as unlinking files or truncating data, they can become blocked indefinitely waiting for locked pages to be released, which can affect database operations, storage management tasks, and general system responsiveness. The issue was reproducible through specific test scenarios including running fstests generic/551 on emulated zoned storage environments, demonstrating that the vulnerability is not limited to specific hardware configurations but can occur in various zoned storage setups. This makes the vulnerability particularly concerning for production environments where storage reliability and system availability are critical requirements.

The fix implemented addresses the core issue by ensuring that all pages except the locked_page are properly unlocked when cow_file_range() fails, regardless of the unlock parameter value. This change brings consistency to the function's behavior by ensuring that error paths properly clean up resources, preventing the accumulation of locked pages that would otherwise cause system hangs. The solution aligns with established security practices for resource management and follows the principle of least privilege by ensuring that kernel resources are always properly released. This vulnerability demonstrates the importance of proper error handling in kernel code, particularly in filesystem implementations where resource management directly impacts system stability. The fix also relates to CWE-404, which addresses improper resource release, and can be mapped to ATT&CK technique T1489, which involves denying access to resources through system manipulation. The resolution ensures that btrfs filesystem operations maintain proper state management even under failure conditions, improving the overall reliability of zoned storage implementations and preventing the types of system hangs that can occur when kernel resources are not properly managed.
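The split-allocation failure described in the Summary and restated in the analysis above, as an added example that is neither the kernel's code nor part of this page: a toy C model in which the pages of a region are tracked in an array, allocation is split into chunks, and the second chunk fails with -ENOSPC. The function names, chunk size and failure point are constructed; the fix is modelled by unlocking every page except @locked_page on the error exit.

```c
/* Added example, not kernel code: a toy model of the cow_file_range() locked-page
 * leak. A region of NPAGES pages is split into CHUNK-sized allocations and the
 * allocator is made to fail with -ENOSPC on one chunk (constructed scenario). */
#define ENOSPC 28
#define NPAGES 8
#define CHUNK  4                 /* 8 pages -> two allocation chunks */

static int page_locked[NPAGES];  /* 1 = locked, 0 = unlocked */

/* constructed allocator: the chunk starting at fail_at fails, the others succeed */
static int alloc_chunk(int start, int fail_at) { return start == fail_at ? -ENOSPC : 0; }

/* unlock pages [from, NPAGES) except @locked_page */
static void unlock_from(int from, int locked_page)
{
	for (int i = from; i < NPAGES; i++)
		if (i != locked_page)
			page_locked[i] = 0;
}

/* Models cow_file_range(unlock == 0). Before the fix the error exit unlocked only
 * the failed chunk, so chunks allocated earlier stayed locked; the fix (fixed != 0)
 * unlocks every page except @locked_page before returning the error. */
static int cow_file_range_model(int locked_page, int fail_at, int fixed)
{
	for (int i = 0; i < NPAGES; i++)  /* caller hands us every page locked */
		page_locked[i] = 1;
	for (int start = 0; start < NPAGES; start += CHUNK) {
		int ret = alloc_chunk(start, fail_at);
		if (ret) {
			unlock_from(fixed ? 0 : start, locked_page);
			return ret;
		}
		/* unlock == 0: the chunk stays locked, the caller writes it out */
	}
	return 0;
}

/* pages other than @locked_page still locked after the call; with the bug these
 * are the folios truncate_inode_pages_range() later blocks on at inode evict */
static int leaked_locks(int locked_page)
{
	int n = 0;
	for (int i = 0; i < NPAGES; i++)
		n += (i != locked_page && page_locked[i]);
	return n;
}
```

With the bug, the three pages of the first chunk (other than @locked_page) stay locked after the -ENOSPC return; with the fix, none do, while a successful call still leaves all of them locked for the caller's writeout.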

Responsible

Linux

Reservation

06/18/2025

Disclosure

06/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00155

KEV

no

Activities

very low

Sources