CVE-2022-49880

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49880
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49880.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49880
Published
2025-05-01T14:10:27.947Z
Modified
2025-11-26T19:33:12.295050Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
ext4: fix warning in 'ext4_da_release_space'
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix warning in 'ext4_da_release_space'

Syzkaller reports the issue as follows:

EXT4-fs (loop0): Free/Dirty block details
EXT4-fs (loop0): free_blocks=0
EXT4-fs (loop0): dirty_blocks=0
EXT4-fs (loop0): Block reservation details
EXT4-fs (loop0): i_reserved_data_blocks=0
EXT4-fs warning (device loop0): ext4_da_release_space:1527: ext4_da_release_space: ino 18, to_free 1 with only 0 reserved data blocks
------------[ cut here ]------------
WARNING: CPU: 0 PID: 92 at fs/ext4/inode.c:1528 ext4_da_release_space+0x25e/0x370 fs/ext4/inode.c:1524
Modules linked in:
CPU: 0 PID: 92 Comm: kworker/u4:4 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Workqueue: writeback wb_workfn (flush-7:0)
RIP: 0010:ext4_da_release_space+0x25e/0x370 fs/ext4/inode.c:1528
RSP: 0018:ffffc900015f6c90 EFLAGS: 00010296
RAX: 42215896cd52ea00 RBX: 0000000000000000 RCX: 42215896cd52ea00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: 1ffff1100e907d96 R08: ffffffff816aa79d R09: fffff520002bece5
R10: fffff520002bece5 R11: 1ffff920002bece4 R12: ffff888021fd2000
R13: ffff88807483ecb0 R14: 0000000000000001 R15: ffff88807483e740
FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555569ba628 CR3: 000000000c88e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ext4_es_remove_extent+0x1ab/0x260 fs/ext4/extents_status.c:1461
 mpage_release_unused_pages+0x24d/0xef0 fs/ext4/inode.c:1589
 ext4_writepages+0x12eb/0x3be0 fs/ext4/inode.c:2852
 do_writepages+0x3c3/0x680 mm/page-writeback.c:2469
 __writeback_single_inode+0xd1/0x670 fs/fs-writeback.c:1587
 writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1870
 wb_writeback+0x41f/0x7b0 fs/fs-writeback.c:2044
 wb_do_writeback fs/fs-writeback.c:2187 [inline]
 wb_workfn+0x3cb/0xef0 fs/fs-writeback.c:2227
 process_one_work+0x877/0xdb0 kernel/workqueue.c:2289
 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
 kthread+0x266/0x300 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>

The above issue may happen as follows:

ext4_da_write_begin
  ext4_create_inline_data
    ext4_clear_inode_flag(inode, EXT4_INODE_EXTENTS);
    ext4_set_inode_flag(inode, EXT4_INODE_INLINE_DATA);
__ext4_ioctl
  ext4_ext_migrate -> will lead to eh->eh_entries not zero, and set extent flag
ext4_da_write_begin
  ext4_da_convert_inline_data_to_extent
    ext4_da_write_inline_data_begin
      ext4_da_map_blocks
        ext4_insert_delayed_block
          if (!ext4_es_scan_clu(inode, &ext4_es_is_delonly, lblk))
            if (!ext4_es_scan_clu(inode, &ext4_es_is_mapped, lblk))
              ext4_clu_mapped(inode, EXT4_B2C(sbi, lblk)); -> will return 1
              allocated = true;
          ext4_es_insert_delayed_block(inode, lblk, allocated);
ext4_writepages
  mpage_map_and_submit_extent(handle, &mpd, &give_up_on_write); -> return -ENOSPC
  mpage_release_unused_pages(&mpd, give_up_on_write); -> give_up_on_write == 1
    ext4_es_remove_extent
      ext4_da_release_space(inode, reserved);
        if (unlikely(to_free > ei->i_reserved_data_blocks))
          -> to_free == 1 but ei->i_reserved_data_blocks == 0
          -> then trigger warning as above

To solve the above issue, forbid migration of inodes that have inline data.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/9c3874e559580d6c6ec8d449812ac11277724770/cves/2022/49xxx/CVE-2022-49880.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
0de5ee103747fd3a24f1c010c79caabe35e8f0bb
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
c3bf1e95cfa7d950dc3c064d0c2e3d06b427bc63
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
890d738f569fa9412b70ba09f15407f17a52da20
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
72743d5598b9096950bbfd6a9b7f173d156eea97
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
5370b965b7a945bb8f48b9ee23d83a76a947902e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
0a43c015e98121c91a76154edf42280ce1a8a883
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
89bee03d2fb8c54119b38ac6c24e7d60fae036b6
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
1b8f787ef547230a3249bcf897221ef0cc78481b

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.9.333
Type
ECOSYSTEM
Events
Introduced
4.10.0
Fixed
4.14.299
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.265
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.224
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.154
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.78
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.8