{
  "id": "CVE-2022-49850",
  "summary": "nilfs2: fix deadlock in nilfs_count_free_blocks()",
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix deadlock in nilfs_count_free_blocks()\n\nA semaphore deadlock can occur if nilfs_get_block() detects metadata\ncorruption while locating data blocks and a superblock writeback occurs at\nthe same time:\n\ntask 1                               task 2\n------                               ------\n* A file operation *\nnilfs_truncate()\n  nilfs_get_block()\n    down_read(rwsem A) \u003c--\n    nilfs_bmap_lookup_contig()\n      ...                            generic_shutdown_super()\n                                       nilfs_put_super()\n                                         * Prepare to write superblock *\n                                         down_write(rwsem B) \u003c--\n                                         nilfs_cleanup_super()\n      * Detect b-tree corruption *         nilfs_set_log_cursor()\n      nilfs_bmap_convert_error()             nilfs_count_free_blocks()\n        __nilfs_error()                        down_read(rwsem A) \u003c--\n          nilfs_set_error()\n            down_write(rwsem B) \u003c--\n\n                           *** DEADLOCK ***\n\nHere, nilfs_get_block() readlocks rwsem A (= NILFS_MDT(dat_inode)-\u003emi_sem)\nand then calls nilfs_bmap_lookup_contig(), but if it fails due to metadata\ncorruption, __nilfs_error() is called from nilfs_bmap_convert_error()\ninside the lock section.\n\nSince __nilfs_error() calls nilfs_set_error() unless the filesystem is\nread-only and nilfs_set_error() attempts to writelock rwsem B (=\nnilfs-\u003ens_sem) to write back superblock exclusively, hierarchical lock\nacquisition occurs in the order rwsem A -\u003e rwsem B.\n\nNow, if another task starts updating the superblock, it may writelock\nrwsem B during the lock sequence above, and can deadlock trying to\nreadlock rwsem A in nilfs_count_free_blocks().\n\nHowever, there is actually no need to take rwsem A in\nnilfs_count_free_blocks() because it, within the lock section, only reads\na single integer data on a shared struct with\nnilfs_sufile_get_ncleansegs().  This has been the case after commit\naa474a220180 (\"nilfs2: add local variable to cache the number of clean\nsegments\"), that is, even before this bug was introduced.\n\nSo, this resolves the deadlock problem by just not taking the semaphore in\nnilfs_count_free_blocks().",
  "modified": "2026-04-03T13:14:21.382932694Z",
  "published": "2025-05-01T14:10:05.167Z",
  "related": [
    "SUSE-SU-2025:01918-1",
    "SUSE-SU-2025:01966-1",
    "SUSE-SU-2025:02173-1",
    "SUSE-SU-2025:02262-1"
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49850.json"
  },
  "references": [
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/1d4ff73062096c21b47954d2996b4df259777bda" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/36ff974b0310771417c0be64b64aa221bd70d63d" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/3c89ca6d3dfa6c09c515807a7a97a521f5d5147e" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/8ac932a4921a96ca52f61935dbba64ea87bbd5dc" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/8b4506cff6630bb474bb46a2a75c31e533a756ba" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/abc082aac0d9b6b926038fc3adb7008306581be2" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/cb029b54953420f7a2d65100f1c5107f14411bdc" },
    { "type": "WEB", "url": "https://git.kernel.org/stable/c/f0cc93080d4c09510b74ecba87fd778cca390bb1" },
    { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49850.json" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49850" },
    { "type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" }
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "events": [
            { "introduced": "e828949e5b42bfd234ee537cdb7c5e3a577958a3" },
            { "fixed": "3c89ca6d3dfa6c09c515807a7a97a521f5d5147e" },
            { "fixed": "8b4506cff6630bb474bb46a2a75c31e533a756ba" },
            { "fixed": "f0cc93080d4c09510b74ecba87fd778cca390bb1" },
            { "fixed": "36ff974b0310771417c0be64b64aa221bd70d63d" },
            { "fixed": "1d4ff73062096c21b47954d2996b4df259777bda" },
            { "fixed": "abc082aac0d9b6b926038fc3adb7008306581be2" },
            { "fixed": "cb029b54953420f7a2d65100f1c5107f14411bdc" },
            { "fixed": "8ac932a4921a96ca52f61935dbba64ea87bbd5dc" }
          ]
        }
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49850.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }
  ]
}
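The lock-order inversion in the commit message (task 1 takes rwsem A then B, task 2 takes B then A) modelled in userspace, as an added example that is neither kernel code nor part of the OSV record. It records each "lock b taken while a is held" pair in a small lockdep-style dependency graph and flags a cycle, then replays task 2 twice: once as the buggy `nilfs_count_free_blocks()` that took `mi_sem`, once as the fixed version that only reads the cached clean-segment count. The lock and task names follow the commit message; the graph, the task simulation and the sample count are assumptions made here, and the check deliberately ignores read/write sharing, so it is conservative compared with the kernel's lockdep.

```c
/* Added example (not kernel code): lockdep-style order check for the
 * nilfs2 mi_sem / ns_sem inversion fixed by CVE-2022-49850's patch. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum {
	LOCK_MI_SEM = 0,	/* rwsem A: NILFS_MDT(dat_inode)->mi_sem */
	LOCK_NS_SEM = 1,	/* rwsem B: nilfs->ns_sem */
	NLOCKS
};

/* edge[a][b] is set once some task acquired b while already holding a.
 * Read/write mode is ignored on purpose: the check reports the order
 * inversion even where an rwsem could still share readers (conservative). */
struct lockgraph {
	bool edge[NLOCKS][NLOCKS];
};

/* Locks one task currently holds, oldest first. */
struct task {
	int held[NLOCKS];
	int nheld;
};

static void acquire(struct lockgraph *g, struct task *t, int lock)
{
	for (int i = 0; i < t->nheld; i++)
		g->edge[t->held[i]][lock] = true;
	t->held[t->nheld++] = lock;
}

static void release(struct task *t, int lock)
{
	for (int i = 0; i < t->nheld; i++) {
		if (t->held[i] != lock)
			continue;
		memmove(&t->held[i], &t->held[i + 1],
			(size_t)(t->nheld - i - 1) * sizeof(t->held[0]));
		t->nheld--;
		return;
	}
}

/* Depth-first search: is "to" reachable from "from" along recorded edges? */
static bool reaches(const struct lockgraph *g, int from, int to, bool *seen)
{
	seen[from] = true;
	for (int n = 0; n < NLOCKS; n++) {
		if (!g->edge[from][n])
			continue;
		if (n == to || (!seen[n] && reaches(g, n, to, seen)))
			return true;
	}
	return false;
}

/* A lock that can reach itself means a circular acquisition order. */
static bool has_cycle(const struct lockgraph *g)
{
	for (int a = 0; a < NLOCKS; a++) {
		bool seen[NLOCKS] = { false };
		if (reaches(g, a, a, seen))
			return true;
	}
	return false;
}

/* Task 1: nilfs_truncate() -> nilfs_get_block() read-locks mi_sem, hits
 * b-tree corruption, and __nilfs_error() -> nilfs_set_error() write-locks
 * ns_sem while mi_sem is still held. */
static void task1_truncate_with_corruption(struct lockgraph *g)
{
	struct task t = { .nheld = 0 };

	acquire(g, &t, LOCK_MI_SEM);	/* down_read(rwsem A) */
	acquire(g, &t, LOCK_NS_SEM);	/* down_write(rwsem B) */
	release(&t, LOCK_NS_SEM);
	release(&t, LOCK_MI_SEM);
}

/* Task 2: nilfs_put_super() write-locks ns_sem, then nilfs_count_free_blocks()
 * runs.  Buggy: it also read-locked mi_sem.  Fixed: it just reads the
 * integer cached by nilfs_sufile_get_ncleansegs(), no mi_sem needed. */
static unsigned long task2_put_super(struct lockgraph *g, bool fixed,
				    unsigned long ncleansegs)
{
	struct task t = { .nheld = 0 };
	unsigned long nfree;

	acquire(g, &t, LOCK_NS_SEM);		/* down_write(rwsem B) */
	if (!fixed)
		acquire(g, &t, LOCK_MI_SEM);	/* down_read(rwsem A): the bug */
	nfree = ncleansegs;			/* single cached integer read */
	if (!fixed)
		release(&t, LOCK_MI_SEM);
	release(&t, LOCK_NS_SEM);
	return nfree;
}

/* Replay both tasks and report whether the dependency graph has a cycle. */
bool scenario_can_deadlock(bool fixed)
{
	struct lockgraph g;

	memset(&g, 0, sizeof(g));
	task1_truncate_with_corruption(&g);
	task2_put_super(&g, fixed, 42 /* constructed sample segment count */);
	return has_cycle(&g);
}

int main(void)
{
	for (int fixed = 0; fixed <= 1; fixed++)
		printf("%s nilfs_count_free_blocks(): %s\n",
		       fixed ? "fixed" : "buggy",
		       scenario_can_deadlock(fixed)
			       ? "A->B and B->A recorded, possible deadlock"
			       : "no lock-order cycle");
	return 0;
}
```

The buggy replay records both A->B and B->A and reports a cycle; the fixed replay records only A->B. In a real kernel the equivalent check is lockdep (CONFIG_PROVE_LOCKING), which is the tool to run a nilfs2 image with deliberately corrupted b-tree metadata under: it reports this class of inversion before a real deadlock is hit. The fix is sound only because the unlocked path reads one cached integer, as the commit message states; dropping a lock around anything wider would need its own justification.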