CVE-2022-49850: 
Linux Kernel vulnerability analysis and mitigation

A semaphore deadlock vulnerability was discovered in the Linux kernel's NILFS2 filesystem implementation, specifically in the nilfs_count_free_blocks() function. The vulnerability was assigned CVE-2022-49850 and disclosed on May 1, 2025. The issue affects Linux kernel versions from 4.15 up to (excluding) 4.19.267, from 4.20 up to (excluding) 5.4.225, and various 6.1 release candidates (NVD).

The deadlock occurs when nilfs_get_block() detects metadata corruption while locating data blocks and a superblock writeback occurs simultaneously. The issue involves a hierarchical lock acquisition where nilfs_get_block() readlocks rwsem A (NILFS_MDT(dat_inode)->mi_sem) and calls nilfs_bmap_lookup_contig(). If this fails due to metadata corruption, __nilfs_error() is called from nilfs_bmap_convert_error() inside the lock section. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Wiz).

When another task starts updating the superblock, it may writelock rwsem B during the lock sequence, and can deadlock trying to readlock rwsem A in nilfs_count_free_blocks(). This creates a potential system hang condition that affects the stability and availability of systems using the NILFS2 filesystem (Wiz).

The vulnerability has been fixed by removing the unnecessary semaphore in nilfs_count_free_blocks(). This was possible because within the lock section, it only reads a single integer data on a shared struct with nilfs_sufile_get_ncleansegs(). This behavior has been in place since commit aa474a220180 ('nilfs2: add local variable to cache the number of clean segments'), which predates the introduction of this bug (NVD).