DEBIAN-CVE-2022-49702

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix hang during unmount when block group reclaim task is running When we start an unmount, at closectree(), if we have the reclaim task running and in the middle of a data block group relocation, we can trigger a deadlock when stopping an async reclaim task, producing a trace like the following: [629724.498185] task:kworker/u16:7 state:D stack: 0 pid:681170 ppid: 2 flags:0x00004000 [629724.499760] Workqueue: eventsunbound btrfsasyncreclaimmetadataspace [btrfs] [629724.501267] Call Trace: [629724.501759] <TASK> [629724.502174] __schedule+0x3cb/0xed0 [629724.502842] schedule+0x4e/0xb0 [629724.503447] btrfswaiton_delayediputs+0x7c/0xc0 [btrfs] [629724.504534] ? preparetowaitexclusive+0xc0/0xc0 [629724.505442] flushspace+0x423/0x630 [btrfs] [629724.506296] ? rcureadunlocktracespecial+0x20/0x50 [629724.507259] ? lockrelease+0x220/0x4a0 [629724.507932] ? btrfsgetallocprofile+0xb3/0x290 [btrfs] [629724.508940] ? dorawspinunlock+0x4b/0xa0 [629724.509688] btrfsasyncreclaimmetadataspace+0x139/0x320 [btrfs] [629724.510922] processonework+0x252/0x5a0 [629724.511694] ? processonework+0x5a0/0x5a0 [629724.512508] workerthread+0x52/0x3b0 [629724.513220] ? processonework+0x5a0/0x5a0 [629724.514021] kthread+0xf2/0x120 [629724.514627] ? kthreadcompleteandexit+0x20/0x20 [629724.515526] retfromfork+0x22/0x30 [629724.516236] </TASK> [629724.516694] task:umount state:D stack: 0 pid:719055 ppid:695412 flags:0x00004000 [629724.518269] Call Trace: [629724.518746] <TASK> [629724.519160] __schedule+0x3cb/0xed0 [629724.519835] schedule+0x4e/0xb0 [629724.520467] scheduletimeout+0xed/0x130 [629724.521221] ? lockrelease+0x220/0x4a0 [629724.521946] ? lock_acquired+0x19c/0x420 [629724.522662] ? tracehardirqson+0x1b/0xe0 [629724.523411] __waitforcommon+0xaf/0x1f0 [629724.524189] ? usleeprangestate+0xb0/0xb0 [629724.524997] __flushwork+0x26d/0x530 [629724.525698] ? flushworkqueuepreppwqs+0x140/0x140 [629724.526580] ? lock_acquire+0x1a0/0x310 [629724.527324] _cancelworktimer+0x137/0x1c0 [629724.528190] closectree+0xfd/0x531 [btrfs] [629724.529000] ? evictinodes+0x166/0x1c0 [629724.529510] genericshutdownsuper+0x74/0x120 [629724.530103] killanonsuper+0x14/0x30 [629724.530611] btrfskillsuper+0x12/0x20 [btrfs] [629724.531246] deactivatelockedsuper+0x31/0xa0 [629724.531817] cleanupmnt+0x147/0x1c0 [629724.532319] taskworkrun+0x5c/0xa0 [629724.532984] exittousermodeprepare+0x1a6/0x1b0 [629724.533598] syscallexittousermode+0x16/0x40 [629724.534200] dosyscall64+0x48/0x90 [629724.534667] entrySYSCALL64afterhwframe+0x44/0xae [629724.535318] RIP: 0033:0x7fa2b90437a7 [629724.535804] RSP: 002b:00007ffe0b7e4458 EFLAGS: 00000246 ORIGRAX: 00000000000000a6 [629724.536912] RAX: 0000000000000000 RBX: 00007fa2b9182264 RCX: 00007fa2b90437a7 [629724.538156] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000555d6cf20dd0 [629724.539053] RBP: 0000555d6cf20ba0 R08: 0000000000000000 R09: 00007ffe0b7e3200 [629724.539956] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [629724.540883] R13: 0000555d6cf20dd0 R14: 0000555d6cf20cb0 R15: 0000000000000000 [629724.541796] </TASK> This happens because: 1) Before entering closectree() we have the async block group reclaim task running and relocating a data block group; 2) There's an async metadata (or data) space reclaim task running; 3) We enter closectree() and park the cleaner kthread; 4) The async space reclaim task is at flushspace() and runs all the existing delayed iputs; 5) Before the async space reclaim task calls btrfswaitondelayediputs(), the block group reclaim task which is doing the data block group relocation, creates a delayed iput at replacefileextents() (called when COWing leaves that have file extent items pointing to relocated data exten ---truncated---