In the Linux kernel, the following vulnerability has been resolved: btrfs:
fix deadlock between quota disable and qgroup rescan worker Quota disable
ioctl starts a transaction before waiting for the qgroup rescan worker
completes. However, this wait can be infinite and results in deadlock
because of circular dependency among the quota disable ioctl, the qgroup
rescan worker and the other task with transaction such as block group
relocation task. The deadlock happens with the steps following: 1) Task A
calls ioctl to disable quota. It starts a transaction and waits for qgroup
rescan worker completes. 2) Task B such as block group relocation task
starts a transaction and joins to the transaction that task A started. Then
task B commits to the transaction. In this commit, task B waits for a
commit by task A. 3) Task C as the qgroup rescan worker starts its job and
starts a transaction. In this transaction start, task C waits for
completion of the transaction that task A started and task B committed.
This deadlock was found with fstests test case btrfs/115 and a zoned
null_blk device. The test case enables and disables quota, and the block
group reclaim was triggered during the quota disable by chance. The
deadlock was also observed by running quota enable and disable in parallel
with ‘btrfs balance’ command on regular null_blk devices. An example report
of the deadlock: [372.469894] INFO: task kworker/u16:6:103 blocked for more
than 122 seconds. [372.479944] Not tainted 5.16.0-rc8 #7 [372.485067] “echo
0 > /proc/sys/kernel/hung_task_timeout_secs” disables this message.
[372.493898] task:kworker/u16:6 state:D stack: 0 pid: 103 ppid: 2
flags:0x00004000 [372.503285] Workqueue: btrfs-qgroup-rescan
btrfs_work_helper [btrfs] [372.510782] Call Trace: [372.514092] <TASK>
[372.521684] __schedule+0xb56/0x4850 [372.530104] ?
io_schedule_timeout+0x190/0x190 [372.538842] ?
lockdep_hardirqs_on+0x7e/0x100 [372.547092] ?
_raw_spin_unlock_irqrestore+0x3e/0x60 [372.555591] schedule+0xe0/0x270
[372.561894] btrfs_commit_transaction+0x18bb/0x2610 [btrfs] [372.570506] ?
btrfs_apply_pending_changes+0x50/0x50 [btrfs] [372.578875] ?
free_unref_page+0x3f2/0x650 [372.585484] ? finish_wait+0x270/0x270
[372.591594] ? release_extent_buffer+0x224/0x420 [btrfs] [372.599264]
btrfs_qgroup_rescan_worker+0xc13/0x10c0 [btrfs] [372.607157] ?
lock_release+0x3a9/0x6d0 [372.613054] ?
btrfs_qgroup_account_extent+0xda0/0xda0 [btrfs] [372.620960] ?
do_raw_spin_lock+0x11e/0x250 [372.627137] ? rwlock_bug.part.0+0x90/0x90
[372.633215] ? lock_is_held_type+0xe4/0x140 [372.639404]
btrfs_work_helper+0x1ae/0xa90 [btrfs] [372.646268]
process_one_work+0x7e9/0x1320 [372.652321] ? lock_release+0x6d0/0x6d0
[372.658081] ? pwq_dec_nr_in_flight+0x230/0x230 [372.664513] ?
rwlock_bug.part.0+0x90/0x90 [372.670529] worker_thread+0x59e/0xf90
[372.676172] ? process_one_work+0x1320/0x1320 [372.682440]
kthread+0x3b9/0x490 [372.687550] ? _raw_spin_unlock_irq+0x24/0x50
[372.693811] ? set_kthread_struct+0x100/0x100 [372.700052]
ret_from_fork+0x22/0x30 [372.705517] </TASK> [372.709747] INFO: task
btrfs-transacti:2347 blocked for more than 123 seconds. [372.729827] Not
tainted 5.16.0-rc8 #7 [372.745907] “echo 0 >
/proc/sys/kernel/hung_task_timeout_secs” disables this message.
[372.767106] task:btrfs-transacti state:D stack: 0 pid: 2347 ppid: 2
flags:0x00004000 [372.787776] Call Trace: [372.801652] <TASK> [372.812961]
__schedule+0xb56/0x4850 [372.830011] ? io_schedule_timeout+0x190/0x190
[372.852547] ? lockdep_hardirqs_on+0x7e/0x100 [372.871761] ?
_raw_spin_unlock_irqrestore+0x3e/0x60 [372.886792] schedule+0xe0/0x270
[372.901685] wait_current_trans+0x22c/0x310 [btrfs] [372.919743] ?
btrfs_put_transaction+0x3d0/0x3d0 [btrfs] [372.938923] ?
finish_wait+0x270/0x270 [372.959085] ? join_transaction+0xc7
—truncated—
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws-5.4 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-azure-5.4 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-bluefield | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-gcp | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-gcp-5.4 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-gkeop | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-hwe-5.4 | < any | UNKNOWN |
git.kernel.org/linus/e804861bd4e69cc5fe1053eedcb024982dde8e48 (5.17-rc3)
git.kernel.org/stable/c/26b3901d20bf9da2c6a00cb1fb48932166f80a45
git.kernel.org/stable/c/31198e58c09e21d4f65c49d2361f76b87aca4c3f
git.kernel.org/stable/c/32747e01436aac8ef93fe85b5b523b4f3b52f040
git.kernel.org/stable/c/89d4cca583fc9594ee7d1a0bc986886d6fb587e6
git.kernel.org/stable/c/e804861bd4e69cc5fe1053eedcb024982dde8e48
launchpad.net/bugs/cve/CVE-2022-48734
nvd.nist.gov/vuln/detail/CVE-2022-48734
security-tracker.debian.org/tracker/CVE-2022-48734
www.cve.org/CVERecord?id=CVE-2022-48734