{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50089","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-06-18T10:57:27.410Z","datePublished":"2025-06-18T11:02:29.451Z","dateUpdated":"2026-05-11T19:12:36.948Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:12:36.948Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: ensure pages are unlocked on cow_file_range() failure\n\nThere is a hung_task report on zoned btrfs like below.\n\nhttps://github.com/naota/linux/issues/59\n\n  [726.328648] INFO: task rocksdb:high0:11085 blocked for more than 241 seconds.\n  [726.329839]       Not tainted 5.16.0-rc1+ #1\n  [726.330484] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  [726.331603] task:rocksdb:high0   state:D stack:    0 pid:11085 ppid: 11082 flags:0x00000000\n  [726.331608] Call Trace:\n  [726.331611]  <TASK>\n  [726.331614]  __schedule+0x2e5/0x9d0\n  [726.331622]  schedule+0x58/0xd0\n  [726.331626]  io_schedule+0x3f/0x70\n  [726.331629]  __folio_lock+0x125/0x200\n  [726.331634]  ? find_get_entries+0x1bc/0x240\n  [726.331638]  ? filemap_invalidate_unlock_two+0x40/0x40\n  [726.331642]  truncate_inode_pages_range+0x5b2/0x770\n  [726.331649]  truncate_inode_pages_final+0x44/0x50\n  [726.331653]  btrfs_evict_inode+0x67/0x480\n  [726.331658]  evict+0xd0/0x180\n  [726.331661]  iput+0x13f/0x200\n  [726.331664]  do_unlinkat+0x1c0/0x2b0\n  [726.331668]  __x64_sys_unlink+0x23/0x30\n  [726.331670]  do_syscall_64+0x3b/0xc0\n  [726.331674]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n  [726.331677] RIP: 0033:0x7fb9490a171b\n  [726.331681] RSP: 002b:00007fb943ffac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000057\n  [726.331684] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb9490a171b\n  [726.331686] RDX: 00007fb943ffb040 RSI: 000055a6bbe6ec20 RDI: 00007fb94400d300\n  [726.331687] RBP: 00007fb943ffad00 R08: 0000000000000000 R09: 0000000000000000\n  [726.331688] R10: 0000000000000031 R11: 0000000000000246 R12: 00007fb943ffb000\n  [726.331690] R13: 00007fb943ffb040 R14: 0000000000000000 R15: 00007fb943ffd260\n  [726.331693]  </TASK>\n\nWhile we debug the issue, we found running fstests generic/551 on 5GB\nnon-zoned null_blk device in the emulated zoned mode also had a\nsimilar hung issue.\n\nAlso, we can reproduce the same symptom with an error injected\ncow_file_range() setup.\n\nThe hang occurs when cow_file_range() fails in the middle of\nallocation. cow_file_range() called from do_allocation_zoned() can\nsplit the give region ([start, end]) for allocation depending on\ncurrent block group usages. When btrfs can allocate bytes for one part\nof the split regions but fails for the other region (e.g. because of\n-ENOSPC), we return the error leaving the pages in the succeeded regions\nlocked. Technically, this occurs only when @unlock == 0. Otherwise, we\nunlock the pages in an allocated region after creating an ordered\nextent.\n\nConsidering the callers of cow_file_range(unlock=0) won't write out\nthe pages, we can unlock the pages on error exit from\ncow_file_range(). So, we can ensure all the pages except @locked_page\nare unlocked on error case.\n\nIn summary, cow_file_range now behaves like this:\n\n- page_started == 1 (return value)\n  - All the pages are unlocked. IO is started.\n- unlock == 1\n  - All the pages except @locked_page are unlocked in any case\n- unlock == 0\n  - On success, all the pages are locked for writing out them\n  - On failure, all the pages except @locked_page are unlocked"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/inode.c"],"versions":[{"version":"42c011000963442ce533d92a492c4a057b2f5a46","lessThan":"b367f125c80fa838eae49e3b138dc67dfc9f46ef","status":"affected","versionType":"git"},{"version":"42c011000963442ce533d92a492c4a057b2f5a46","lessThan":"9535ec371d741fa037e37eddc0a5b25ba82d0027","status":"affected","versionType":"git"},{"version":"42c011000963442ce533d92a492c4a057b2f5a46","lessThan":"e160aa87c87a9c4e0c8d1430235f715a3a91e2cd","status":"affected","versionType":"git"},{"version":"42c011000963442ce533d92a492c4a057b2f5a46","lessThan":"9ce7466f372d83054c7494f6b3e4b9abaf3f0355","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/inode.c"],"versions":[{"version":"5.12","status":"affected"},{"version":"0","lessThan":"5.12","status":"unaffected","versionType":"semver"},{"version":"5.15.61","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.18.18","lessThanOrEqual":"5.18.*","status":"unaffected","versionType":"semver"},{"version":"5.19.2","lessThanOrEqual":"5.19.*","status":"unaffected","versionType":"semver"},{"version":"6.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"5.15.61"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"5.18.18"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"5.19.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"6.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/b367f125c80fa838eae49e3b138dc67dfc9f46ef"},{"url":"https://git.kernel.org/stable/c/9535ec371d741fa037e37eddc0a5b25ba82d0027"},{"url":"https://git.kernel.org/stable/c/e160aa87c87a9c4e0c8d1430235f715a3a91e2cd"},{"url":"https://git.kernel.org/stable/c/9ce7466f372d83054c7494f6b3e4b9abaf3f0355"}],"title":"btrfs: ensure pages are unlocked on cow_file_range() failure","x_generator":{"engine":"bippy-1.2.0"}}}}