CVE-2022-49999

EUVD-2022-55278

18.06.2025, 11:15

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix space cache corruption and potential double allocations

When testing space_cache v2 on a large set of machines, we encountered a
few symptoms:

1. "unable to add free space :-17" (EEXIST) errors.
2. Missing free space info items, sometimes caught with a "missing free
   space info for X" error.
3. Double-accounted space: ranges that were allocated in the extent tree
   and also marked as free in the free space tree, ranges that were
   marked as allocated twice in the extent tree, or ranges that were
   marked as free twice in the free space tree. If the latter made it
   onto disk, the next reboot would hit the BUG_ON() in
   add_new_free_space().
4. On some hosts with no on-disk corruption or error messages, the
   in-memory space cache (dumped with drgn) disagreed with the free
   space tree.

All of these symptoms have the same underlying cause: a race between
caching the free space for a block group and returning free space to the
in-memory space cache for pinned extents causes us to double-add a free
range to the space cache. This race exists when free space is cached
from the free space tree (space_cache=v2) or the extent tree
(nospace_cache, or space_cache=v1 if the cache needs to be regenerated).
struct btrfs_block_group::last_byte_to_unpin and struct
btrfs_block_group::progress are supposed to protect against this race,
but commit d0c2f4fa555e ("btrfs: make concurrent fsyncs wait less when
waiting for a transaction commit") subtly broke this by allowing
multiple transactions to be unpinning extents at the same time.

Specifically, the race is as follows:

1. An extent is deleted from an uncached block group in transaction A.
2. btrfs_commit_transaction() is called for transaction A.
3. btrfs_run_delayed_refs() -> __btrfs_free_extent() runs the delayed
   ref for the deleted extent.
4. __btrfs_free_extent() -> do_free_extent_accounting() ->
   add_to_free_space_tree() adds the deleted extent back to the free
   space tree.
5. do_free_extent_accounting() -> btrfs_update_block_group() ->
   btrfs_cache_block_group() queues up the block group to get cached.
   block_group->progress is set to block_group->start.
6. btrfs_commit_transaction() for transaction A calls
   switch_commit_roots(). It sets block_group->last_byte_to_unpin to
   block_group->progress, which is block_group->start because the block
   group hasn't been cached yet.
7. The caching thread gets to our block group. Since the commit roots
   were already switched, load_free_space_tree() sees the deleted extent
   as free and adds it to the space cache. It finishes caching and sets
   block_group->progress to U64_MAX.
8. btrfs_commit_transaction() advances transaction A to
   TRANS_STATE_SUPER_COMMITTED.
9. fsync calls btrfs_commit_transaction() for transaction B. Since
   transaction A is already in TRANS_STATE_SUPER_COMMITTED and the
   commit is for fsync, it advances.
10. btrfs_commit_transaction() for transaction B calls
    switch_commit_roots(). This time, the block group has already been
    cached, so it sets block_group->last_byte_to_unpin to U64_MAX.
11. btrfs_commit_transaction() for transaction A calls
    btrfs_finish_extent_commit(), which calls unpin_extent_range() for
    the deleted extent. It sees last_byte_to_unpin set to U64_MAX (by
    transaction B!), so it adds the deleted extent to the space cache
    again!

This explains all of our symptoms above:

* If the sequence of events is exactly as described above, when the free
  space is re-added in step 11, it will fail with EEXIST.
* If another thread reallocates the deleted extent in between steps 7
  and 11, then step 11 will silently re-add that space to the space
  cache as free even though it is actually allocated. Then, if that
  space is allocated *again*, the free space tree will be corrupted
  (namely, the wrong item will be deleted).
* If we don't catch this free space tree corr
---truncated---

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.12 ≤ 𝑥 < 5.15.65
linux	linux_kernel	5.16 ≤ 𝑥 < 5.19.6
linux	linux_kernel	6.0:rc1
linux	linux_kernel	6.0:rc2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.137-1 fixed
bookworm (security)	6.1.140-1 fixed
bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.237-1 fixed
sid	6.12.32-1 fixed
trixie	6.12.32-1 fixed
trixie (security)	6.12.31-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-allwinner-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-aws-5.0

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws-5.3

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-aws-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-aws-hwe

jammy	dne
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-azure

bionic	ignored
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-azure-4.15

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-5.3

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-6.11

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-azure-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-azure-edge

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-fde

focal	ignored
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-azure-fde-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-fde-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-fde-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-azure-nvidia

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-bluefield

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-gcp

bionic	ignored
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
xenial	needs-triage

linux-gcp-4.15

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.3

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-6.11

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-gcp-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-gcp-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-gcp-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-gcp-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-gke

focal	ignored
jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-gke-4.15

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gke-5.15

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gke-5.4

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gkeop

focal	ignored
jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-gkeop-5.15

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gkeop-5.4

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-hwe-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-6.11

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-hwe-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-hwe-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-hwe-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-hwe-edge

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne
xenial	ignored

linux-ibm

focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-ibm-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-ibm-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-intel-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-intel-iot-realtime

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-intel-iotg

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-intel-iotg-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-iot

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-kvm

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-lowlatency

jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	dne

linux-lowlatency-hwe-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.11

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-lts-xenial

jammy	dne
noble	dne
oracular	dne
plucky	dne
trusty	needs-triage

linux-nvidia

jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-nvidia-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-nvidia-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-nvidia-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-nvidia-lowlatency

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-nvidia-tegra

jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-nvidia-tegra-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-nvidia-tegra-igx

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-oem

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.10

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.14

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.17

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-5.6

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-6.0

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-6.1

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-6.11

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-oem-6.14

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-oem-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-6.8

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-oracle

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
xenial	needs-triage

linux-oracle-5.0

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.3

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oracle-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-raspi

focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage

linux-raspi-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-raspi-realtime

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-raspi2

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-realtime

jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage

linux-riscv

focal	ignored
jammy	ignored
noble	needs-triage
oracular	needs-triage
plucky	needs-triage

linux-riscv-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-riscv-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-riscv-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-riscv-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-riscv-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-riscv-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-starfive-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-starfive-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-starfive-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-xilinx-zynqmp

focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://git.kernel.org/stable/c/92dc4c1a8e58bcc7a183a4c86b055c24cc88d967

https://git.kernel.org/stable/c/a2e54eb64229f07f917b05d0c323604fda9b89f7

https://git.kernel.org/stable/c/ced8ecf026fd8084cf175530ff85c76d6085d715