CVE-2022-50090

In the Linux kernel, the following vulnerability has been resolved:

btrfs: replace BTRFSMAXEXTENTSIZE with fsinfo->maxextentsize

On zoned filesystem, data write out is limited by maxzoneappendsize, and a large ordered extent is split according the size of a bio. OTOH, the number of extents to be written is calculated using BTRFSMAXEXTENTSIZE, and that estimated number is used to reserve the metadata bytes to update and/or create the metadata items.

The metadata reservation is done at e.g, btrfsbufferedwrite() and then released according to the estimation changes. Thus, if the number of extent increases massively, the reserved metadata can run out.

The increase of the number of extents easily occurs on zoned filesystem if BTRFSMAXEXTENTSIZE > maxzoneappendsize. And, it causes the following warning on a small RAM environment with disabling metadata over-commit (in the following patch).

[75721.498492] ------------[ cut here ]------------ [75721.505624] BTRFS: block rsv 1 returned -28 [75721.512230] WARNING: CPU: 24 PID: 2327559 at fs/btrfs/block-rsv.c:537 btrfsuseblockrsv+0x560/0x760 [btrfs] [75721.581854] CPU: 24 PID: 2327559 Comm: kworker/u64:10 Kdump: loaded Tainted: G W 5.18.0-rc2-BTRFS-ZNS+ #109 [75721.597200] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021 [75721.607310] Workqueue: btrfs-endio-write btrfsworkhelper [btrfs] [75721.616209] RIP: 0010:btrfsuseblockrsv+0x560/0x760 [btrfs] [75721.646649] RSP: 0018:ffffc9000fbdf3e0 EFLAGS: 00010286 [75721.654126] RAX: 0000000000000000 RBX: 0000000000004000 RCX: 0000000000000000 [75721.663524] RDX: 0000000000000004 RSI: 0000000000000008 RDI: fffff52001f7be6e [75721.672921] RBP: ffffc9000fbdf420 R08: 0000000000000001 R09: ffff889f8d1fc6c7 [75721.682493] R10: ffffed13f1a3f8d8 R11: 0000000000000001 R12: ffff88980a3c0e28 [75721.692284] R13: ffff889b66590000 R14: ffff88980a3c0e40 R15: ffff88980a3c0e8a [75721.701878] FS: 0000000000000000(0000) GS:ffff889f8d000000(0000) knlGS:0000000000000000 [75721.712601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [75721.720726] CR2: 000055d12e05c018 CR3: 0000800193594000 CR4: 0000000000350ee0 [75721.730499] Call Trace: [75721.735166] <TASK> [75721.739886] btrfsalloctreeblock+0x1e1/0x1100 [btrfs] [75721.747545] ? btrfsallocloggedfileextent+0x550/0x550 [btrfs] [75721.756145] ? btrfsget32+0xea/0x2d0 [btrfs] [75721.762852] ? btrfsget32+0xea/0x2d0 [btrfs] [75721.769520] ? pushleafleft+0x420/0x620 [btrfs] [75721.776431] ? memcpy+0x4e/0x60 [75721.781931] splitleaf+0x433/0x12d0 [btrfs] [75721.788392] ? btrfsgettoken32+0x580/0x580 [btrfs] [75721.795636] ? pushfordoublesplit.isra.0+0x420/0x420 [btrfs] [75721.803759] ? leafspaceused+0x15d/0x1a0 [btrfs] [75721.811156] btrfssearchslot+0x1bc3/0x2790 [btrfs] [75721.818300] ? lockdowngrade+0x7c0/0x7c0 [75721.824411] ? freeextentbuffer.part.0+0x107/0x200 [btrfs] [75721.832456] ? splitleaf+0x12d0/0x12d0 [btrfs] [75721.839149] ? freeextentbuffer.part.0+0x14f/0x200 [btrfs] [75721.846945] ? freeextentbuffer+0x13/0x20 [btrfs] [75721.853960] ? btrfsreleasepath+0x4b/0x190 [btrfs] [75721.861429] btrfscsumfileblocks+0x85c/0x1500 [btrfs] [75721.869313] ? rcureadlockschedheld+0x16/0x80 [75721.876085] ? lockrelease+0x552/0xf80 [75721.881957] ? btrfsdelcsums+0x8c0/0x8c0 [btrfs] [75721.888886] ? _kasancheckwrite+0x14/0x20 [75721.895152] ? dorawreadunlock+0x44/0x80 [75721.901323] ? rawwritelockirq+0x60/0x80 [75721.907983] ? btrfsglobalroot+0xb9/0xe0 [btrfs] [75721.915166] ? btrfscsumroot+0x12b/0x180 [btrfs] [75721.921918] ? btrfsgetglobalroot+0x820/0x820 [btrfs] [75721.929166] ? _rawwriteunlock+0x23/0x40 [75721.935116] ? unpinextentcache+0x1e3/0x390 [btrfs] [75721.942041] btrfsfinishorderedio.isra.0+0xa0c/0x1dc0 [btrfs] [75721.949906] ? trytowakeup+0x30/0x14a0 [75721.955700] ? btrfsunlink_subvol+0xda0/0xda0 [btrfs] [75721.962661] ? rcu ---truncated---