CVE-2022-49033: btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()
In the Linux kernel, the following vulnerability has been resolved:
btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()
Syzkaller reported BUG as follows:
BUG: sleeping function called from invalid context at
include/linux/sched/mm.h:274
Call Trace:
<TASK>
dump_stack_lvl+0xcd/0x134
__might_resched.cold+0x222/0x26b
kmem_cache_alloc+0x2e7/0x3c0
update_qgroup_limit_item+0xe1/0x390
btrfs_qgroup_inherit+0x147b/0x1ee0
create_subvol+0x4eb/0x1710
btrfs_mksubvol+0xfe5/0x13f0
__btrfs_ioctl_snap_create+0x2b0/0x430
btrfs_ioctl_snap_create_v2+0x25a/0x520
btrfs_ioctl+0x2a1c/0x5ce0
__x64_sys_ioctl+0x193/0x200
do_syscall_64+0x35/0x80
Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in
btrfs_run_qgroups() later outside of the spinlock context.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel Btrfs bug in quota-group handling during subvolume or snapshot creation. The source shows a kernel invalid-context sleep report found by Syzkaller. Business risk is mainly system reliability for Linux hosts using Btrfs quota groups; public severity, CVSS, and real-world impact are not provided.
Executive priority
Treat as a targeted Linux kernel maintenance item, not an emergency, unless critical services rely heavily on Btrfs qgroups. The absence of CVSS, KEV listing, and exploitation evidence keeps urgency uncertain, but kernel reliability bugs still deserve timely patch review.
Technical view
The bug is in btrfs_qgroup_inherit(), where updating a qgroup limit item could allocate or sleep while under spinlock context. The fix marks the destination qgroup dirty and defers limit item update to btrfs_run_qgroups(), outside the spinlock. The trace reaches the issue through Btrfs snapshot/subvolume ioctl handling.
Likely exposure
Exposure appears limited to affected Linux kernels using Btrfs paths involving qgroup inheritance during subvolume or snapshot creation. The bundle lists Linux kernel versions and stable commits, but no distribution packages, CPEs, cloud images, or appliance products.
Exploitation context
The source attributes discovery to Syzkaller and does not cite active exploitation. KEV is false. The bundle does not describe a public exploit, required privileges, remote reachability, or confirmed security impact beyond the invalid-context sleep bug report.
Researcher notes
Do not infer remote exploitability or privilege escalation from the bundle. The only supported root cause is sleeping allocation/update behavior inside invalid spinlock context. Impact assessment needs kernel configuration, Btrfs qgroup usage, and vendor package mapping.
Mitigation direction
Check vendor kernel advisories for patched builds containing the referenced stable commits.
Prioritize systems using Btrfs quota groups and subvolume or snapshot workflows.
Update affected kernels through normal distribution or vendor channels.
If patching is delayed, review whether Btrfs qgroup-dependent workflows can be reduced.
Validation and detection
Inventory Linux hosts running Btrfs filesystems with quota groups enabled.
Map running kernel versions to vendor advisories or the referenced stable commits.
Review kernel logs for related Btrfs qgroup or invalid-context sleep reports.
Confirm patched kernels after maintenance and reboot where required.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-49033 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.