CVE-2022-50126

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-50126

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50126.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-50126

Downstream

DEBIAN-CVE-2022-50126

RHSA-2023:2458

RHSA-2024:3138

SUSE-SU-2025:02264-1

SUSE-SU-2025:02308-1

SUSE-SU-2025:02320-1

SUSE-SU-2025:02321-1

SUSE-SU-2025:02322-1

SUSE-SU-2025:02334-1

SUSE-SU-2025:02537-1

UBUNTU-CVE-2022-50126

Related

Published

2025-06-18T11:02:53.672Z

Modified

2026-03-12T03:26:11.372708Z

Summary

jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted

Details

In the Linux kernel, the following vulnerability has been resolved:

jbd2: fix assertion 'jh->bfrozendata == NULL' failure when journal aborted

Following process will fail assertion 'jh->bfrozendata == NULL' in jbd2journaldirty_metadata():

               jbd2_journal_commit_transaction

unlink(dir/a) jh->btransaction = trans1 jh->bjlist = BJMetadata journal->jrunningtransaction = NULL trans1->tstate = TCOMMIT unlink(dir/b) handle->htrans = trans2 dogetwriteaccess jh->bmodified = 0 jh->bfrozendata = frozenbuffer jh->bnexttransaction = trans2 jbd2journaldirtymetadata ishandleaborted isjournalaborted // return false

       --> jbd2 abort <--

                 while (commit_transaction->t_buffers)
                  if (is_journal_aborted)
                   jbd2_journal_refile_buffer
                    __jbd2_journal_refile_buffer
                     WRITE_ONCE(jh->b_transaction,
                    jh->b_next_transaction)
                     WRITE_ONCE(jh->b_next_transaction, NULL)
                     __jbd2_journal_file_buffer(jh, BJ_Reserved)
    J_ASSERT_JH(jh, jh->b_frozen_data == NULL) // assertion failure !

The reproducer (See detail in [Link]) reports: ------------[ cut here ]------------ kernel BUG at fs/jbd2/transaction.c:1629! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 2 PID: 584 Comm: unlink Tainted: G W 5.19.0-rc6-00115-g4a57a8400075-dirty #697 RIP: 0010:jbd2journaldirty_metadata+0x3c5/0x470 RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202 Call Trace: <TASK> __ext4handledirtymetadata+0xa0/0x290 ext4handledirtydirblock+0x10c/0x1d0 ext4deleteentry+0x104/0x200 __ext4unlink+0x22b/0x360 ext4unlink+0x275/0x390 vfsunlink+0x20b/0x4c0 dounlinkat+0x42f/0x4c0 __x64sysunlink+0x37/0x50 dosyscall64+0x35/0x80

After journal aborting, _jbd2journalrefilebuffer() is executed with holding @jh->bstatelock, we can fix it by moving 'ishandleaborted()' into the area protected by @jh->bstatelock.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50126.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

470decc613ab2048b619a01028072d932d9086ee

Fixed

0f61c6dc4b714be9d79cf0782ca02ba01c1b7ac3

Fixed

6073389db83b903678a0920554fa19f5bdc51c48

Fixed

fa5b65d39332fef7a11ae99cb1f0696012a61527

Fixed

f7161d0da975adc234161cd0641d0e484f5ce375

Fixed

e62f79827784f56499a50ea2e893c98317b5407b

Fixed

731c1662d838fe954c6759e3ee43229b0d928fe4

Fixed

ddd896792e1718cb84c96f3e618270589b6886dc

Fixed

4a734f0869f970b8a9b65062ea40b09a5da9dba8

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50126.json"