CVE-2022-50090

Source
https://cve.org/CVERecord?id=CVE-2022-50090
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50090.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50090
Downstream
Published
2025-06-18T11:02:30.088Z
Modified
2026-07-15T01:49:02.889598908Z
Summary
btrfs: replace BTRFS_MAX_EXTENT_SIZE with fs_info->max_extent_size
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: replace BTRFSMAXEXTENTSIZE with fsinfo->maxextentsize

On zoned filesystem, data write out is limited by maxzoneappendsize, and a large ordered extent is split according the size of a bio. OTOH, the number of extents to be written is calculated using BTRFSMAXEXTENTSIZE, and that estimated number is used to reserve the metadata bytes to update and/or create the metadata items.

The metadata reservation is done at e.g, btrfsbufferedwrite() and then released according to the estimation changes. Thus, if the number of extent increases massively, the reserved metadata can run out.

The increase of the number of extents easily occurs on zoned filesystem if BTRFSMAXEXTENTSIZE > maxzoneappendsize. And, it causes the following warning on a small RAM environment with disabling metadata over-commit (in the following patch).

[75721.498492] ------------[ cut here ]------------ [75721.505624] BTRFS: block rsv 1 returned -28 [75721.512230] WARNING: CPU: 24 PID: 2327559 at fs/btrfs/block-rsv.c:537 btrfsuseblockrsv+0x560/0x760 [btrfs] [75721.581854] CPU: 24 PID: 2327559 Comm: kworker/u64:10 Kdump: loaded Tainted: G W 5.18.0-rc2-BTRFS-ZNS+ #109 [75721.597200] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021 [75721.607310] Workqueue: btrfs-endio-write btrfsworkhelper [btrfs] [75721.616209] RIP: 0010:btrfsuseblockrsv+0x560/0x760 [btrfs] [75721.646649] RSP: 0018:ffffc9000fbdf3e0 EFLAGS: 00010286 [75721.654126] RAX: 0000000000000000 RBX: 0000000000004000 RCX: 0000000000000000 [75721.663524] RDX: 0000000000000004 RSI: 0000000000000008 RDI: fffff52001f7be6e [75721.672921] RBP: ffffc9000fbdf420 R08: 0000000000000001 R09: ffff889f8d1fc6c7 [75721.682493] R10: ffffed13f1a3f8d8 R11: 0000000000000001 R12: ffff88980a3c0e28 [75721.692284] R13: ffff889b66590000 R14: ffff88980a3c0e40 R15: ffff88980a3c0e8a [75721.701878] FS: 0000000000000000(0000) GS:ffff889f8d000000(0000) knlGS:0000000000000000 [75721.712601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [75721.720726] CR2: 000055d12e05c018 CR3: 0000800193594000 CR4: 0000000000350ee0 [75721.730499] Call Trace: [75721.735166] <TASK> [75721.739886] btrfsalloctreeblock+0x1e1/0x1100 [btrfs] [75721.747545] ? btrfsallocloggedfileextent+0x550/0x550 [btrfs] [75721.756145] ? btrfsget32+0xea/0x2d0 [btrfs] [75721.762852] ? btrfsget32+0xea/0x2d0 [btrfs] [75721.769520] ? pushleafleft+0x420/0x620 [btrfs] [75721.776431] ? memcpy+0x4e/0x60 [75721.781931] splitleaf+0x433/0x12d0 [btrfs] [75721.788392] ? btrfsgettoken32+0x580/0x580 [btrfs] [75721.795636] ? pushfordoublesplit.isra.0+0x420/0x420 [btrfs] [75721.803759] ? leafspaceused+0x15d/0x1a0 [btrfs] [75721.811156] btrfssearchslot+0x1bc3/0x2790 [btrfs] [75721.818300] ? lockdowngrade+0x7c0/0x7c0 [75721.824411] ? freeextentbuffer.part.0+0x107/0x200 [btrfs] [75721.832456] ? splitleaf+0x12d0/0x12d0 [btrfs] [75721.839149] ? freeextentbuffer.part.0+0x14f/0x200 [btrfs] [75721.846945] ? freeextentbuffer+0x13/0x20 [btrfs] [75721.853960] ? btrfsreleasepath+0x4b/0x190 [btrfs] [75721.861429] btrfscsumfileblocks+0x85c/0x1500 [btrfs] [75721.869313] ? rcureadlockschedheld+0x16/0x80 [75721.876085] ? lockrelease+0x552/0xf80 [75721.881957] ? btrfsdelcsums+0x8c0/0x8c0 [btrfs] [75721.888886] ? _kasancheckwrite+0x14/0x20 [75721.895152] ? dorawreadunlock+0x44/0x80 [75721.901323] ? rawwritelockirq+0x60/0x80 [75721.907983] ? btrfsglobalroot+0xb9/0xe0 [btrfs] [75721.915166] ? btrfscsumroot+0x12b/0x180 [btrfs] [75721.921918] ? btrfsgetglobalroot+0x820/0x820 [btrfs] [75721.929166] ? rawwriteunlock+0x23/0x40 [75721.935116] ? unpinextentcache+0x1e3/0x390 [btrfs] [75721.942041] btrfsfinishorderedio.isra.0+0xa0c/0x1dc0 [btrfs] [75721.949906] ? trytowakeup+0x30/0x14a0 [75721.955700] ? btrfsunlinksubvol+0xda0/0xda0 [btrfs] [75721.962661] ? rcu ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50090.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d8e3fb106f393858b90b3befc4f6092a76c86d1c
Fixed
1aa262c1d056551dd1246115af8b7e351184deae
Fixed
6cb4b96df97082a54634ba02196516919cda228c
Fixed
096e8eb9639b342bc35f9b741cf05e26d0106e92
Fixed
f7b12a62f008a3041f42f2426983e59a6a0a3c59

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50090.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.12.0
Fixed
5.15.64
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.18.18
Type
ECOSYSTEM
Events
Introduced
5.19.0
Fixed
5.19.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50090.json"