{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49068","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T01:49:39.244Z","datePublished":"2025-02-26T01:54:35.340Z","dateUpdated":"2025-05-04T12:44:14.425Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T12:44:14.425Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release correct delalloc amount in direct IO write path\n\nRunning generic/406 causes the following WARNING in btrfs_destroy_inode()\nwhich tells there are outstanding extents left.\n\nIn btrfs_get_blocks_direct_write(), we reserve a temporary outstanding\nextents with btrfs_delalloc_reserve_metadata() (or indirectly from\nbtrfs_delalloc_reserve_space(()). We then release the outstanding extents\nwith btrfs_delalloc_release_extents(). However, the \"len\" can be modified\nin the COW case, which releases fewer outstanding extents than expected.\n\nFix it by calling btrfs_delalloc_release_extents() for the original length.\n\nTo reproduce the warning, the filesystem should be 1 GiB.  It's\ntriggering a short-write, due to not being able to allocate a large\nextent and instead allocating a smaller one.\n\n  WARNING: CPU: 0 PID: 757 at fs/btrfs/inode.c:8848 btrfs_destroy_inode+0x1e6/0x210 [btrfs]\n  Modules linked in: btrfs blake2b_generic xor lzo_compress\n  lzo_decompress raid6_pq zstd zstd_decompress zstd_compress xxhash zram\n  zsmalloc\n  CPU: 0 PID: 757 Comm: umount Not tainted 5.17.0-rc8+ #101\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS d55cb5a 04/01/2014\n  RIP: 0010:btrfs_destroy_inode+0x1e6/0x210 [btrfs]\n  RSP: 0018:ffffc9000327bda8 EFLAGS: 00010206\n  RAX: 0000000000000000 RBX: ffff888100548b78 RCX: 0000000000000000\n  RDX: 0000000000026900 RSI: 0000000000000000 RDI: ffff888100548b78\n  RBP: ffff888100548940 R08: 0000000000000000 R09: ffff88810b48aba8\n  R10: 0000000000000001 R11: ffff8881004eb240 R12: ffff88810b48a800\n  R13: ffff88810b48ec08 R14: ffff88810b48ed00 R15: ffff888100490c68\n  FS:  00007f8549ea0b80(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f854a09e733 CR3: 000000010a2e9003 CR4: 0000000000370eb0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   destroy_inode+0x33/0x70\n   dispose_list+0x43/0x60\n   evict_inodes+0x161/0x1b0\n   generic_shutdown_super+0x2d/0x110\n   kill_anon_super+0xf/0x20\n   btrfs_kill_super+0xd/0x20 [btrfs]\n   deactivate_locked_super+0x27/0x90\n   cleanup_mnt+0x12c/0x180\n   task_work_run+0x54/0x80\n   exit_to_user_mode_prepare+0x152/0x160\n   syscall_exit_to_user_mode+0x12/0x30\n   do_syscall_64+0x42/0x80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n   RIP: 0033:0x7f854a000fb7"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/inode.c"],"versions":[{"version":"5afd80c393f4e87451f14eefb7f2f24daf434e06","lessThan":"07cacfd9d9dc134557ac8866c73d570a59b3d1f3","status":"affected","versionType":"git"},{"version":"f0bfa76a11e93d0fe2c896fcb566568c5e8b5d3f","lessThan":"a04d37ddfe4be431b9e52e8504490376ab0a39a4","status":"affected","versionType":"git"},{"version":"f0bfa76a11e93d0fe2c896fcb566568c5e8b5d3f","lessThan":"6d82ad13c4110e73c7b0392f00534a1502a1b520","status":"affected","versionType":"git"},{"version":"96f1be29492d9e2fb97bb27f824478ab8cd3ab86","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/inode.c"],"versions":[{"version":"5.17","status":"affected"},{"version":"0","lessThan":"5.17","status":"unaffected","versionType":"semver"},{"version":"5.15.35","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.17.4","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.27","versionEndExcluding":"5.15.35"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"5.17.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"5.18"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/07cacfd9d9dc134557ac8866c73d570a59b3d1f3"},{"url":"https://git.kernel.org/stable/c/a04d37ddfe4be431b9e52e8504490376ab0a39a4"},{"url":"https://git.kernel.org/stable/c/6d82ad13c4110e73c7b0392f00534a1502a1b520"}],"title":"btrfs: release correct delalloc amount in direct IO write path","x_generator":{"engine":"bippy-1.2.0"}}}}