CVE-2022-48664
Publication date:
28/04/2024
*** Translation pending *** In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix hang during unmount when stopping a space reclaim worker

Often when running generic/562 from fstests we can hang during unmount,
resulting in a trace like this:

Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00
Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.
Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1
Sep 07 11:55:32 debian9 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000
Sep 07 11:55:32 debian9 kernel: Call Trace:
Sep 07 11:55:32 debian9 kernel:
Sep 07 11:55:32 debian9 kernel: __schedule+0x3c8/0xec0
Sep 07 11:55:32 debian9 kernel: ? rcu_read_lock_sched_held+0x12/0x70
Sep 07 11:55:32 debian9 kernel: schedule+0x5d/0xf0
Sep 07 11:55:32 debian9 kernel: schedule_timeout+0xf1/0x130
Sep 07 11:55:32 debian9 kernel: ? lock_release+0x224/0x4a0
Sep 07 11:55:32 debian9 kernel: ? lock_acquired+0x1a0/0x420
Sep 07 11:55:32 debian9 kernel: ? trace_hardirqs_on+0x2c/0xd0
Sep 07 11:55:32 debian9 kernel: __wait_for_common+0xac/0x200
Sep 07 11:55:32 debian9 kernel: ? usleep_range_state+0xb0/0xb0
Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530
Sep 07 11:55:32 debian9 kernel: ? flush_workqueue_prep_pwqs+0x140/0x140
Sep 07 11:55:32 debian9 kernel: ? trace_clock_local+0xc/0x30
Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0
Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs]
Sep 07 11:55:32 debian9 kernel: ? __trace_bputs+0x10b/0x170
Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs]
Sep 07 11:55:32 debian9 kernel: ? evict_inodes+0x166/0x1c0
Sep 07 11:55:32 debian9 kernel: generic_shutdown_super+0x71/0x120
Sep 07 11:55:32 debian9 kernel: kill_anon_super+0x14/0x30
Sep 07 11:55:32 debian9 kernel: btrfs_kill_super+0x12/0x20 [btrfs]
Sep 07 11:55:32 debian9 kernel: deactivate_locked_super+0x2e/0xa0
Sep 07 11:55:32 debian9 kernel: cleanup_mnt+0x100/0x160
Sep 07 11:55:32 debian9 kernel: task_work_run+0x59/0xa0
Sep 07 11:55:32 debian9 kernel: exit_to_user_mode_prepare+0x1a6/0x1b0
Sep 07 11:55:32 debian9 kernel: syscall_exit_to_user_mode+0x16/0x40
Sep 07 11:55:32 debian9 kernel: do_syscall_64+0x48/0x90
Sep 07 11:55:32 debian9 kernel: entry_SYSCALL_64_after_hwframe+0x63/0xcd
Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7
Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7
Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0
Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570
Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000
Sep 07 11:55:32 debian9 kernel:

What happens is the following:

1) The cleaner kthread tries to start a transaction to delete an unused
block group, but the metadata reservation can not be satisfied right
away, so a reservation ticket is created and it starts the async
metadata reclaim task (fs_info->async_reclaim_work);

2) Writeback for all the filler inodes with an i_size of 2K starts
(generic/562 creates a lot of 2K files with the goal of filling
metadata space). We try to create an inline extent for them, but we
fail when trying to insert the inline extent with -ENOSPC (at
cow_file_range_inline()) - since this is not critical, we fallback
to non-inline mode (back to cow_file_range()), reserve extents
---truncated---
Severity:
Pending analysis
Last modified:
28/04/2024