CVE-2022-49167 (GCVE-0-2022-49167)

Vulnerability from cvelistv5 – Published: 2025-02-26 01:55 – Updated: 2026-05-11 18:54
VLAI
Title
btrfs: do not double complete bio on errors during compressed reads
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: do not double complete bio on errors during compressed reads I hit some weird panics while fixing up the error handling from btrfs_lookup_bio_sums(). Turns out the compression path will complete the bio we use if we set up any of the compression bios and then return an error, and then btrfs_submit_data_bio() will also call bio_endio() on the bio. Fix this by making btrfs_submit_compressed_read() responsible for calling bio_endio() on the bio if there are any errors. Currently it was only doing it if we created the compression bios, otherwise it was depending on btrfs_submit_data_bio() to do the right thing. This creates the above problem, so fix up btrfs_submit_compressed_read() to always call bio_endio() in case of an error, and then simply return from btrfs_submit_data_bio() if we had to call btrfs_submit_compressed_read().
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 86ccbb4d2a2af4109430df518c995a4f7d14dfd2 , < 4a4ceb2b990771c374d85d496a1a45255dde48e3 (git)
Affected: 86ccbb4d2a2af4109430df518c995a4f7d14dfd2 , < 987b5df1d10355d377315a26e7fb6c72ded83c9f (git)
Affected: 86ccbb4d2a2af4109430df518c995a4f7d14dfd2 , < f9f15de85d74e7eef021af059ca53a15f041cdd8 (git)
Create a notification for this product.
Linux Linux Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 5.16.19 , ≤ 5.16.* (semver)
Unaffected: 5.17.2 , ≤ 5.17.* (semver)
Unaffected: 5.18 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/compression.c",
            "fs/btrfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4a4ceb2b990771c374d85d496a1a45255dde48e3",
              "status": "affected",
              "version": "86ccbb4d2a2af4109430df518c995a4f7d14dfd2",
              "versionType": "git"
            },
            {
              "lessThan": "987b5df1d10355d377315a26e7fb6c72ded83c9f",
              "status": "affected",
              "version": "86ccbb4d2a2af4109430df518c995a4f7d14dfd2",
              "versionType": "git"
            },
            {
              "lessThan": "f9f15de85d74e7eef021af059ca53a15f041cdd8",
              "status": "affected",
              "version": "86ccbb4d2a2af4109430df518c995a4f7d14dfd2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/compression.c",
            "fs/btrfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16.19",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.2",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not double complete bio on errors during compressed reads\n\nI hit some weird panics while fixing up the error handling from\nbtrfs_lookup_bio_sums().  Turns out the compression path will complete\nthe bio we use if we set up any of the compression bios and then return\nan error, and then btrfs_submit_data_bio() will also call bio_endio() on\nthe bio.\n\nFix this by making btrfs_submit_compressed_read() responsible for\ncalling bio_endio() on the bio if there are any errors.  Currently it\nwas only doing it if we created the compression bios, otherwise it was\ndepending on btrfs_submit_data_bio() to do the right thing.  This\ncreates the above problem, so fix up btrfs_submit_compressed_read() to\nalways call bio_endio() in case of an error, and then simply return from\nbtrfs_submit_data_bio() if we had to call\nbtrfs_submit_compressed_read()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T18:54:25.963Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4a4ceb2b990771c374d85d496a1a45255dde48e3"
        },
        {
          "url": "https://git.kernel.org/stable/c/987b5df1d10355d377315a26e7fb6c72ded83c9f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9f15de85d74e7eef021af059ca53a15f041cdd8"
        }
      ],
      "title": "btrfs: do not double complete bio on errors during compressed reads",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49167",
    "datePublished": "2025-02-26T01:55:26.030Z",
    "dateReserved": "2025-02-26T01:49:39.278Z",
    "dateUpdated": "2026-05-11T18:54:25.963Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-49167",
      "date": "2026-07-02",
      "epss": "0.00243",
      "percentile": "0.15315"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-49167\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-26T07:00:53.837\",\"lastModified\":\"2026-06-17T05:17:15.730\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: do not double complete bio on errors during compressed reads\\n\\nI hit some weird panics while fixing up the error handling from\\nbtrfs_lookup_bio_sums().  Turns out the compression path will complete\\nthe bio we use if we set up any of the compression bios and then return\\nan error, and then btrfs_submit_data_bio() will also call bio_endio() on\\nthe bio.\\n\\nFix this by making btrfs_submit_compressed_read() responsible for\\ncalling bio_endio() on the bio if there are any errors.  Currently it\\nwas only doing it if we created the compression bios, otherwise it was\\ndepending on btrfs_submit_data_bio() to do the right thing.  This\\ncreates the above problem, so fix up btrfs_submit_compressed_read() to\\nalways call bio_endio() in case of an error, and then simply return from\\nbtrfs_submit_data_bio() if we had to call\\nbtrfs_submit_compressed_read().\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: no completar dos veces la biograf\u00eda en caso de errores durante lecturas comprimidas Me encontr\u00e9 con algunos p\u00e1nicos extra\u00f1os mientras arreglaba la gesti\u00f3n de errores de btrfs_lookup_bio_sums(). Resulta que la ruta de compresi\u00f3n completar\u00e1 la biograf\u00eda que usamos si configuramos alguna de las biograf\u00edas de compresi\u00f3n y luego devolvemos un error, y luego btrfs_submit_data_bio() tambi\u00e9n llamar\u00e1 a bio_endio() en la biograf\u00eda. Arregle esto haciendo que btrfs_submit_compressed_read() sea responsable de llamar a bio_endio() en la biograf\u00eda si hay alg\u00fan error. Actualmente solo lo hac\u00eda si cre\u00e1bamos la biograf\u00eda de compresi\u00f3n, de lo contrario depend\u00eda de btrfs_submit_data_bio() para hacer lo correcto. Esto crea el problema mencionado anteriormente, as\u00ed que corrija btrfs_submit_compressed_read() para que siempre llame a bio_endio() en caso de error, y luego simplemente regrese de btrfs_submit_data_bio() si tuvi\u00e9ramos que llamar a btrfs_submit_compressed_read().\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"fs/btrfs/compression.c\",\"fs/btrfs/inode.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"86ccbb4d2a2af4109430df518c995a4f7d14dfd2\",\"lessThan\":\"4a4ceb2b990771c374d85d496a1a45255dde48e3\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"86ccbb4d2a2af4109430df518c995a4f7d14dfd2\",\"lessThan\":\"987b5df1d10355d377315a26e7fb6c72ded83c9f\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"86ccbb4d2a2af4109430df518c995a4f7d14dfd2\",\"lessThan\":\"f9f15de85d74e7eef021af059ca53a15f041cdd8\",\"versionType\":\"git\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"fs/btrfs/compression.c\",\"fs/btrfs/inode.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"5.16\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"5.16\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.16.19\",\"lessThanOrEqual\":\"5.16.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.17.2\",\"lessThanOrEqual\":\"5.17.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.18\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"5.16.19\",\"matchCriteriaId\":\"20C43679-0439-405A-B97F-685BEE50613B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.17\",\"versionEndExcluding\":\"5.17.2\",\"matchCriteriaId\":\"210C679C-CF84-44A3-8939-E629C87E54BF\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4a4ceb2b990771c374d85d496a1a45255dde48e3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/987b5df1d10355d377315a26e7fb6c72ded83c9f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f9f15de85d74e7eef021af059ca53a15f041cdd8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…