{"id":"CVE-2022-49834","summary":"nilfs2: fix use-after-free bug of ns_writer on remount","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free bug of ns_writer on remount\n\nIf a nilfs2 filesystem is downgraded to read-only due to metadata\ncorruption on disk and is remounted read/write, or if emergency read-only\nremount is performed, detaching a log writer and synchronizing the\nfilesystem can be done at the same time.\n\nIn these cases, use-after-free of the log writer (hereinafter\nnilfs-\u003ens_writer) can happen as shown in the scenario below:\n\n Task1                               Task2\n --------------------------------    ------------------------------\n nilfs_construct_segment\n   nilfs_segctor_sync\n     init_wait\n     init_waitqueue_entry\n     add_wait_queue\n     schedule\n                                     nilfs_remount (R/W remount case)\n\t\t\t\t       nilfs_attach_log_writer\n                                         nilfs_detach_log_writer\n                                           nilfs_segctor_destroy\n                                             kfree\n     finish_wait\n       _raw_spin_lock_irqsave\n         __raw_spin_lock_irqsave\n           do_raw_spin_lock\n             debug_spin_lock_before  \u003c-- use-after-free\n\nWhile Task1 is sleeping, nilfs-\u003ens_writer is freed by Task2.  After Task1\nwaked up, Task1 accesses nilfs-\u003ens_writer which is already freed.  This\nscenario diagram is based on the Shigeru Yoshida's post [1].\n\nThis patch fixes the issue by not detaching nilfs-\u003ens_writer on remount so\nthat this UAF race doesn't happen.  Along with this change, this patch\nalso inserts a few necessary read-only checks with superblock instance\nwhere only the ns_writer pointer was used to check if the filesystem is\nread-only.","modified":"2026-04-03T13:14:39.171031Z","published":"2025-05-01T14:09:52.076Z","related":["SUSE-SU-2025:01918-1","SUSE-SU-2025:01966-1","SUSE-SU-2025:02173-1","SUSE-SU-2025:02262-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49834.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/39a3ed68270b079c6b874d4e4727a512b9b4882c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4feedde5486c07ea79787839153a71ca71329c7d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8cccf05fe857a18ee26e20d11a8455a73ffd4efd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9b162e81045266a2d5b44df9dffdf05c54de9cca"},{"type":"WEB","url":"https://git.kernel.org/stable/c/afbd1188382a75f6cfe22c0b68533f7f9664f182"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b152300d5a1ba4258dacf9916bff20e6a8c7603b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b2fbf10040216ef5ee270773755fc2f5da65b749"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b4736ab5542112fe0a40f140a0a0b072954f34da"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49834.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49834"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"fe5f171bb272946ce5fbf843ce2f8467d0d41b9a"},{"fixed":"b2fbf10040216ef5ee270773755fc2f5da65b749"},{"fixed":"39a3ed68270b079c6b874d4e4727a512b9b4882c"},{"fixed":"b4736ab5542112fe0a40f140a0a0b072954f34da"},{"fixed":"9b162e81045266a2d5b44df9dffdf05c54de9cca"},{"fixed":"4feedde5486c07ea79787839153a71ca71329c7d"},{"fixed":"afbd1188382a75f6cfe22c0b68533f7f9664f182"},{"fixed":"b152300d5a1ba4258dacf9916bff20e6a8c7603b"},{"fixed":"8cccf05fe857a18ee26e20d11a8455a73ffd4efd"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49834.json"}}],"schema_version":"1.7.5"}