{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-49850","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-05-01T14:05:17.230Z","datePublished":"2025-05-01T14:10:05.167Z","dateUpdated":"2026-05-11T19:07:57.952Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:07:57.952Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix deadlock in nilfs_count_free_blocks()\n\nA semaphore deadlock can occur if nilfs_get_block() detects metadata\ncorruption while locating data blocks and a superblock writeback occurs at\nthe same time:\n\ntask 1 task 2\n------ ------\n* A file operation *\nnilfs_truncate()\n nilfs_get_block()\n down_read(rwsem A) <--\n nilfs_bmap_lookup_contig()\n ... generic_shutdown_super()\n nilfs_put_super()\n * Prepare to write superblock *\n down_write(rwsem B) <--\n nilfs_cleanup_super()\n * Detect b-tree corruption * nilfs_set_log_cursor()\n nilfs_bmap_convert_error() nilfs_count_free_blocks()\n __nilfs_error() down_read(rwsem A) <--\n nilfs_set_error()\n down_write(rwsem B) <--\n\n *** DEADLOCK ***\n\nHere, nilfs_get_block() readlocks rwsem A (= NILFS_MDT(dat_inode)->mi_sem)\nand then calls nilfs_bmap_lookup_contig(), but if it fails due to metadata\ncorruption, __nilfs_error() is called from nilfs_bmap_convert_error()\ninside the lock section.\n\nSince __nilfs_error() calls nilfs_set_error() unless the filesystem is\nread-only and nilfs_set_error() attempts to writelock rwsem B (=\nnilfs->ns_sem) to write back superblock exclusively, hierarchical lock\nacquisition occurs in the order rwsem A -> rwsem B.\n\nNow, if another task starts updating the superblock, it may writelock\nrwsem B during the lock sequence above, and can deadlock trying to\nreadlock rwsem A in nilfs_count_free_blocks().\n\nHowever, there is actually no need to take rwsem A in\nnilfs_count_free_blocks() because it, within the lock section, only reads\na single integer data on a shared struct with\nnilfs_sufile_get_ncleansegs(). This has been the case after commit\naa474a220180 (\"nilfs2: add local variable to cache the number of clean\nsegments\"), that is, even before this bug was introduced.\n\nSo, this resolves the deadlock problem by just not taking the semaphore in\nnilfs_count_free_blocks()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nilfs2/the_nilfs.c"],"versions":[{"version":"e828949e5b42bfd234ee537cdb7c5e3a577958a3","lessThan":"3c89ca6d3dfa6c09c515807a7a97a521f5d5147e","status":"affected","versionType":"git"},{"version":"e828949e5b42bfd234ee537cdb7c5e3a577958a3","lessThan":"8b4506cff6630bb474bb46a2a75c31e533a756ba","status":"affected","versionType":"git"},{"version":"e828949e5b42bfd234ee537cdb7c5e3a577958a3","lessThan":"f0cc93080d4c09510b74ecba87fd778cca390bb1","status":"affected","versionType":"git"},{"version":"e828949e5b42bfd234ee537cdb7c5e3a577958a3","lessThan":"36ff974b0310771417c0be64b64aa221bd70d63d","status":"affected","versionType":"git"},{"version":"e828949e5b42bfd234ee537cdb7c5e3a577958a3","lessThan":"1d4ff73062096c21b47954d2996b4df259777bda","status":"affected","versionType":"git"},{"version":"e828949e5b42bfd234ee537cdb7c5e3a577958a3","lessThan":"abc082aac0d9b6b926038fc3adb7008306581be2","status":"affected","versionType":"git"},{"version":"e828949e5b42bfd234ee537cdb7c5e3a577958a3","lessThan":"cb029b54953420f7a2d65100f1c5107f14411bdc","status":"affected","versionType":"git"},{"version":"e828949e5b42bfd234ee537cdb7c5e3a577958a3","lessThan":"8ac932a4921a96ca52f61935dbba64ea87bbd5dc","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nilfs2/the_nilfs.c"],"versions":[{"version":"2.6.38","status":"affected"},{"version":"0","lessThan":"2.6.38","status":"unaffected","versionType":"semver"},{"version":"4.9.334","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.300","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.267","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.225","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.155","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.79","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.9","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38","versionEndExcluding":"4.9.334"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38","versionEndExcluding":"4.14.300"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38","versionEndExcluding":"4.19.267"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38","versionEndExcluding":"5.4.225"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38","versionEndExcluding":"5.10.155"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38","versionEndExcluding":"5.15.79"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38","versionEndExcluding":"6.0.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3c89ca6d3dfa6c09c515807a7a97a521f5d5147e"},{"url":"https://git.kernel.org/stable/c/8b4506cff6630bb474bb46a2a75c31e533a756ba"},{"url":"https://git.kernel.org/stable/c/f0cc93080d4c09510b74ecba87fd778cca390bb1"},{"url":"https://git.kernel.org/stable/c/36ff974b0310771417c0be64b64aa221bd70d63d"},{"url":"https://git.kernel.org/stable/c/1d4ff73062096c21b47954d2996b4df259777bda"},{"url":"https://git.kernel.org/stable/c/abc082aac0d9b6b926038fc3adb7008306581be2"},{"url":"https://git.kernel.org/stable/c/cb029b54953420f7a2d65100f1c5107f14411bdc"},{"url":"https://git.kernel.org/stable/c/8ac932a4921a96ca52f61935dbba64ea87bbd5dc"}],"title":"nilfs2: fix deadlock in nilfs_count_free_blocks()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-667","lang":"en","description":"CWE-667 Improper Locking"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-10-01T16:11:54.441454Z","id":"CVE-2022-49850","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T16:11:57.101Z"}}]}}