LiveActive security incident?Get immediate response
CVE Record

CVE-2022-49033: btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()

In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit() Syzkaller reported BUG as follows: BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274 Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 __might_resched.cold+0x222/0x26b kmem_cache_alloc+0x2e7/0x3c0 update_qgroup_limit_item+0xe1/0x390 btrfs_qgroup_inherit+0x147b/0x1ee0 create_subvol+0x4eb/0x1710 btrfs_mksubvol+0xfe5/0x13f0 __btrfs_ioctl_snap_create+0x2b0/0x430 btrfs_ioctl_snap_create_v2+0x25a/0x520 btrfs_ioctl+0x2a1c/0x5ce0 __x64_sys_ioctl+0x193/0x200 do_syscall_64+0x35/0x80 Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in btrfs_run_qgroups() later outside of the spinlock context.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel Btrfs bug in quota-group handling during subvolume or snapshot creation. The source shows a kernel invalid-context sleep report found by Syzkaller. Business risk is mainly system reliability for Linux hosts using Btrfs quota groups; public severity, CVSS, and real-world impact are not provided.

Executive priority

Treat as a targeted Linux kernel maintenance item, not an emergency, unless critical services rely heavily on Btrfs qgroups. The absence of CVSS, KEV listing, and exploitation evidence keeps urgency uncertain, but kernel reliability bugs still deserve timely patch review.

Technical view

The bug is in btrfs_qgroup_inherit(), where updating a qgroup limit item could allocate or sleep while under spinlock context. The fix marks the destination qgroup dirty and defers limit item update to btrfs_run_qgroups(), outside the spinlock. The trace reaches the issue through Btrfs snapshot/subvolume ioctl handling.

Likely exposure

Exposure appears limited to affected Linux kernels using Btrfs paths involving qgroup inheritance during subvolume or snapshot creation. The bundle lists Linux kernel versions and stable commits, but no distribution packages, CPEs, cloud images, or appliance products.

Exploitation context

The source attributes discovery to Syzkaller and does not cite active exploitation. KEV is false. The bundle does not describe a public exploit, required privileges, remote reachability, or confirmed security impact beyond the invalid-context sleep bug report.

Researcher notes

Do not infer remote exploitability or privilege escalation from the bundle. The only supported root cause is sleeping allocation/update behavior inside invalid spinlock context. Impact assessment needs kernel configuration, Btrfs qgroup usage, and vendor package mapping.

Mitigation direction

  • Check vendor kernel advisories for patched builds containing the referenced stable commits.
  • Prioritize systems using Btrfs quota groups and subvolume or snapshot workflows.
  • Update affected kernels through normal distribution or vendor channels.
  • If patching is delayed, review whether Btrfs qgroup-dependent workflows can be reduced.

Validation and detection

  • Inventory Linux hosts running Btrfs filesystems with quota groups enabled.
  • Map running kernel versions to vendor advisories or the referenced stable commits.
  • Review kernel logs for related Btrfs qgroup or invalid-context sleep reports.
  • Confirm patched kernels after maintenance and reboot where required.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-49033 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxe8c8541ac379709db8d2339e1cb720469fc2cd8f, e8c8541ac379709db8d2339e1cb720469fc2cd8f, e8c8541ac379709db8d2339e1cb720469fc2cd8f, e8c8541ac379709db8d2339e1cb720469fc2cd8f, e8c8541ac379709db8d2339e1cb720469fc2cd8f, e8c8541ac379709db8d2339e1cb720469fc2cd8f, e8c8541ac379709db8d2339e1cb720469fc2cd8f, e8c8541ac379709db8d2339e1cb720469fc2cd8funaffected
LinuxLinux4.1, 0, 4.9.335, 4.14.301, 4.19.268, 5.4.226, 5.10.158, 5.15.82, 6.0.12, 6.1affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.