Bug 2396384 (CVE-2022-50379) - CVE-2022-50379 kernel: btrfs: fix race between quota enable and quota rescan ioctl
Summary: CVE-2022-50379 kernel: btrfs: fix race between quota enable and quota rescan ...
Keywords:
Status: NEW
Alias: CVE-2022-50379
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-18 14:01 UTC by OSIDB Bzimport
Modified: 2025-09-18 15:08 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-18 14:01:56 UTC 
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between quota enable and quota rescan ioctl

When enabling quotas, at btrfs_quota_enable(), after committing the
transaction, we change fs_info->quota_root to point to the quota root we
created and set BTRFS_FS_QUOTA_ENABLED at fs_info->flags. Then we try
to start the qgroup rescan worker, first by initializing it with a call
to qgroup_rescan_init() - however if that fails we end up freeing the
quota root but we leave fs_info->quota_root still pointing to it, this
can later result in a use-after-free somewhere else.

We have previously set the flags BTRFS_FS_QUOTA_ENABLED and
BTRFS_QGROUP_STATUS_FLAG_ON, so we can only fail with -EINPROGRESS at
btrfs_quota_enable(), which is possible if someone already called the
quota rescan ioctl, and therefore started the rescan worker.

So fix this by ignoring an -EINPROGRESS and asserting we can't get any
other error.
Comment 1 Keith Grant 2025-09-18 15:05:52 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091851-CVE-2022-50379-a7c6@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.