VYPR
Unrated severity · NVD Advisory · Published Oct 22, 2025 · Updated Apr 15, 2026

CVE-2022-50571


Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: call __btrfs_remove_free_space_cache_locked on cache load failure

Now that lockdep is staying enabled through our entire CI runs, I started seeing the following stack in generic/475:

------------[ cut here ]------------
WARNING: CPU: 1 PID: 2171864 at fs/btrfs/discard.c:604 btrfs_discard_update_discardable+0x98/0xb0
CPU: 1 PID: 2171864 Comm: kworker/u4:0 Not tainted 5.19.0-rc8+ #789
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
Workqueue: btrfs-cache btrfs_work_helper
RIP: 0010:btrfs_discard_update_discardable+0x98/0xb0
RSP: 0018:ffffb857c2f7bad0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8c85c605c200 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff86807c5b RDI: ffffffff868a831e
RBP: ffff8c85c4c54000 R08: 0000000000000000 R09: 0000000000000000
R10: ffff8c85c66932f0 R11: 0000000000000001 R12: ffff8c85c3899010
R13: ffff8c85d5be4f40 R14: ffff8c85c4c54000 R15: ffff8c86114bfa80
FS: 0000000000000000(0000) GS:ffff8c863bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2e7f168160 CR3: 000000010289a004 CR4: 0000000000370ee0
Call Trace:
 __btrfs_remove_free_space_cache+0x27/0x30
 load_free_space_cache+0xad2/0xaf0
 caching_thread+0x40b/0x650
 ? lock_release+0x137/0x2d0
 btrfs_work_helper+0xf2/0x3e0
 ? lock_is_held_type+0xe2/0x140
 process_one_work+0x271/0x590
 ? process_one_work+0x590/0x590
 worker_thread+0x52/0x3b0
 ? process_one_work+0x590/0x590
 kthread+0xf0/0x120
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x1f/0x30

This is the code:

	ctl = block_group->free_space_ctl;
	discard_ctl = &block_group->fs_info->discard_ctl;

	lockdep_assert_held(&ctl->tree_lock);

We have a temporary free space ctl for loading the free space cache in order to avoid having allocations happening while we're loading the cache. When we hit an error we free it all up; however, this also calls btrfs_discard_update_discardable, which requires block_group->free_space_ctl->tree_lock to be held. However, this is our temporary ctl, so this lock isn't held. Fix this by calling __btrfs_remove_free_space_cache_locked instead so that we only clean up the entries and do not mess with the discardable stats.
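The lock mismatch described above, as an added example that is not part of the CVE record or of the kernel's own code: a constructed user-space C model in which the error path of a cache load tears down a temporary ctl while holding that ctl's tree_lock, and the discardable-stats update then asserts on the permanent block_group->free_space_ctl->tree_lock instead. The structure layout, the ctl->block_group back-pointer, the counting stand-in for lockdep_assert_held and the sample entries are assumptions of this model; the fixed path follows the commit's description of calling __btrfs_remove_free_space_cache_locked under the temporary ctl's lock and leaving the discardable stats alone.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model of the structures named in the commit message; not kernel
 * code. Field layout and the ctl->block_group back-pointer are assumptions of this model. */
struct lock_model { bool held; const char *name; };     /* stands in for a spinlock */
struct free_space_entry { unsigned long offset, bytes; struct free_space_entry *next; };
struct block_group;
struct free_space_ctl {
    struct lock_model tree_lock;
    struct free_space_entry *entries;
    unsigned long free_space;
    struct block_group *block_group;    /* assumed back-pointer to the owning block group */
};
struct discard_ctl { unsigned long discardable_bytes; };
struct block_group {
    struct free_space_ctl *free_space_ctl;  /* the permanent ctl */
    struct discard_ctl *discard_ctl;        /* stands in for &fs_info->discard_ctl */
};

/* Model of lockdep_assert_held(): count the violation instead of WARN_ON. */
static int lockdep_warnings;
static void lockdep_assert_held(struct lock_model *lock)
{
    if (lock->held) return;
    lockdep_warnings++;
    fprintf(stderr, "WARNING: %s not held\n", lock->name);
}
static void spin_lock(struct lock_model *l)   { l->held = true; }
static void spin_unlock(struct lock_model *l) { l->held = false; }

/* The assertion quoted on the page: the discardable stats belong to the block group's
 * own ctl, so it is that ctl's tree_lock, not the caller's, that must be held. */
static void btrfs_discard_update_discardable(struct block_group *bg)
{
    struct free_space_ctl *ctl = bg->free_space_ctl;
    struct discard_ctl *discard_ctl = bg->discard_ctl;
    lockdep_assert_held(&ctl->tree_lock);
    discard_ctl->discardable_bytes = ctl->free_space;
}

/* Frees the entries of whatever ctl it is given and touches nothing else. */
static void __btrfs_remove_free_space_cache_locked(struct free_space_ctl *ctl)
{
    lockdep_assert_held(&ctl->tree_lock);
    while (ctl->entries) {
        struct free_space_entry *e = ctl->entries;
        ctl->entries = e->next;
        free(e);
    }
    ctl->free_space = 0;
}

/* Pre-fix cleanup: locks the ctl it was handed, then updates the owning block group's
 * stats, which are guarded by a different ctl's lock. */
static void __btrfs_remove_free_space_cache(struct free_space_ctl *ctl)
{
    spin_lock(&ctl->tree_lock);
    __btrfs_remove_free_space_cache_locked(ctl);
    btrfs_discard_update_discardable(ctl->block_group);
    spin_unlock(&ctl->tree_lock);
}

static void add_free_space(struct free_space_ctl *ctl, unsigned long off, unsigned long bytes)
{
    struct free_space_entry *e = malloc(sizeof(*e));
    e->offset = off; e->bytes = bytes; e->next = ctl->entries;
    ctl->entries = e;
    ctl->free_space += bytes;
}

struct load_result { int lockdep_warnings; int entries_left; };

/* Simulates load_free_space_cache() failing after reading part of the cache into a
 * temporary ctl, then cleaning up either the old way or the way the commit describes. */
struct load_result simulate_cache_load_failure(bool use_fixed_cleanup)
{
    struct discard_ctl dctl = { 0 };
    struct free_space_ctl permanent = { .tree_lock = { false, "block_group->free_space_ctl->tree_lock" } };
    struct block_group bg = { .free_space_ctl = &permanent, .discard_ctl = &dctl };
    struct free_space_ctl tmp_ctl = { .tree_lock = { false, "tmp_ctl.tree_lock" }, .block_group = &bg };

    add_free_space(&tmp_ctl, 0, 4096);      /* constructed entries read before the error */
    add_free_space(&tmp_ctl, 8192, 16384);
    lockdep_warnings = 0;
    if (use_fixed_cleanup) {
        spin_lock(&tmp_ctl.tree_lock);
        __btrfs_remove_free_space_cache_locked(&tmp_ctl);
        spin_unlock(&tmp_ctl.tree_lock);
    } else {
        __btrfs_remove_free_space_cache(&tmp_ctl);   /* the path behind the lockdep splat */
    }
    struct load_result r = { lockdep_warnings, 0 };
    for (struct free_space_entry *e = tmp_ctl.entries; e; e = e->next)
        r.entries_left++;
    return r;
}
```

Both cleanup paths free every entry of the temporary ctl; the difference is that the old path reports one assertion failure, because the lock it holds belongs to tmp_ctl while btrfs_discard_update_discardable checks the permanent ctl's lock, and the fixed path reports none because it never touches the discardable stats.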

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in the Linux kernel's btrfs filesystem, triggered when free space cache loading fails while discard operations are concurrently updating.

Root Cause

The vulnerability is a use-after-free in the Linux kernel's btrfs filesystem, specifically in the free space cache loading code. When load_free_space_cache encounters an error, it calls __btrfs_remove_free_space_cache_locked to clean up a temporary free space cache control structure (ctl). However, this cleanup function also calls btrfs_discard_update_discardable, which accesses fields in block_group that may have already been freed or are in an invalid state due to the error path. The lockdep warning in the stack trace indicates that the function expects ctl->tree_lock to be held, but the temporary cache's lock is not the same as the permanent block_group->free_space_ctl lock, leading to a race condition and potential use-after-free [1].

Exploitation

Exploitation requires triggering a failure during the free space cache loading process, which can occur under specific conditions (e.g., disk errors or maliciously crafted metadata). The attacker does not need local access to the system; the vulnerability can be triggered remotely if the btrfs filesystem is mounted and an error occurs during cache loading. The attack vector is a race condition between the cache loading cleanup and a concurrent discard operation, which is possible in a multi-threaded kernel environment [1].

Impact

An attacker successfully exploiting this vulnerability could cause a kernel crash (denial of service) or, in more severe cases, potentially achieve arbitrary code execution due to the use-after-free condition. The vulnerability affects the btrfs filesystem, which is commonly used in Linux systems for both desktop and enterprise environments. The CVSS score indicates high severity, and the attack complexity is low once the triggering condition is met [1].

Mitigation

The fix was introduced in kernel commit 8a1ae2781dee9fc21ca82db682d37bea4bd074ad, which calls __btrfs_remove_free_space_cache_locked on cache load failure. The patch ensures that the discard update is not called on the temporary cache, preventing the use-after-free. Users should update their Linux kernel to a version containing this fix. As of the publication date, the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
