ghsa-5mg6-8pgx-pxr7
Vulnerability from github
Published
2025-12-30 15:30
Modified
2025-12-30 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix lockdep splat and potential deadlock after failure running delayed items

When running delayed items we are holding a delayed node's mutex and then we will attempt to modify a subvolume btree to insert/update/delete the delayed items. However if have an error during the insertions for example, btrfs_insert_delayed_items() may return with a path that has locked extent buffers (a leaf at the very least), and then we attempt to release the delayed node at __btrfs_run_delayed_items(), which requires taking the delayed node's mutex, causing an ABBA type of deadlock. This was reported by syzbot and the lockdep splat is the following:

WARNING: possible circular locking dependency detected 6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted

syz-executor.2/13257 is trying to acquire lock: ffff88801835c0c0 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256

but task is already holding lock: ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (btrfs-tree-00){++++}-{3:3}: __lock_release kernel/locking/lockdep.c:5475 [inline] lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781 up_write+0x79/0x580 kernel/locking/rwsem.c:1625 btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline] btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239 search_leaf fs/btrfs/ctree.c:1986 [inline] btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230 btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376 btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline] btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline] __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111 __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153 flush_space+0x269/0xe70 fs/btrfs/space-info.c:723 btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078 process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600 worker_thread+0xa63/0x1210 kernel/workqueue.c:2751 kthread+0x2b8/0x350 kernel/kthread.c:389 ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

-> #0 (&delayed_node->mutex){+.+.}-{3:3}: check_prev_add kernel/locking/lockdep.c:3142 [inline] check_prevs_add kernel/locking/lockdep.c:3261 [inline] validate_chain kernel/locking/lockdep.c:3876 [inline] __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144 lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761 __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603 __mutex_lock kernel/locking/mutex.c:747 [inline] mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799 __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256 btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline] __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156 btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276 btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988 vfs_fsync_range fs/sync.c:188 [inline] vfs_fsync fs/sync.c:202 [inline] do_fsync fs/sync.c:212 [inline] __do_sys_fsync fs/sync.c:220 [inline] __se_sys_fsync fs/sync.c:218 [inline] __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd

other info that ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-54224"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T13:16:10Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix lockdep splat and potential deadlock after failure running delayed items\n\nWhen running delayed items we are holding a delayed node\u0027s mutex and then\nwe will attempt to modify a subvolume btree to insert/update/delete the\ndelayed items. However if have an error during the insertions for example,\nbtrfs_insert_delayed_items() may return with a path that has locked extent\nbuffers (a leaf at the very least), and then we attempt to release the\ndelayed node at __btrfs_run_delayed_items(), which requires taking the\ndelayed node\u0027s mutex, causing an ABBA type of deadlock. This was reported\nby syzbot and the lockdep splat is the following:\n\n  WARNING: possible circular locking dependency detected\n  6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted\n  ------------------------------------------------------\n  syz-executor.2/13257 is trying to acquire lock:\n  ffff88801835c0c0 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n\n  but task is already holding lock:\n  ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198\n\n  which lock already depends on the new lock.\n\n  the existing dependency chain (in reverse order) is:\n\n  -\u003e #1 (btrfs-tree-00){++++}-{3:3}:\n         __lock_release kernel/locking/lockdep.c:5475 [inline]\n         lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781\n         up_write+0x79/0x580 kernel/locking/rwsem.c:1625\n         btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline]\n         btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239\n         search_leaf fs/btrfs/ctree.c:1986 [inline]\n         btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230\n         btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376\n         btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline]\n         btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline]\n         __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111\n         __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153\n         flush_space+0x269/0xe70 fs/btrfs/space-info.c:723\n         btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078\n         process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600\n         worker_thread+0xa63/0x1210 kernel/workqueue.c:2751\n         kthread+0x2b8/0x350 kernel/kthread.c:389\n         ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145\n         ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\n  -\u003e #0 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}:\n         check_prev_add kernel/locking/lockdep.c:3142 [inline]\n         check_prevs_add kernel/locking/lockdep.c:3261 [inline]\n         validate_chain kernel/locking/lockdep.c:3876 [inline]\n         __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144\n         lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761\n         __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603\n         __mutex_lock kernel/locking/mutex.c:747 [inline]\n         mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799\n         __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n         btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline]\n         __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156\n         btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276\n         btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988\n         vfs_fsync_range fs/sync.c:188 [inline]\n         vfs_fsync fs/sync.c:202 [inline]\n         do_fsync fs/sync.c:212 [inline]\n         __do_sys_fsync fs/sync.c:220 [inline]\n         __se_sys_fsync fs/sync.c:218 [inline]\n         __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218\n         do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n         do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n         entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n  other info that\n---truncated---",
  "id": "GHSA-5mg6-8pgx-pxr7",
  "modified": "2025-12-30T15:30:32Z",
  "published": "2025-12-30T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54224"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/126d5a99e583e2d387ee4ea7b796c8fec4483244"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/32247b9526bfdaeef85f7339d9b4f913c7370f92"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/36d918da3f1bf749178c7daf471a3be1730ed3ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3d379dd109f80c8f3b9aaa2d15681b37803aa4c0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/50abe4b37f58a25214b732212926d35e6fabd6c3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/779c3cf2749c7a7bad6f839cb2954a25ba92f4d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a70c6e57316b677c83e0e53569c555057b5813c4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e110f8911ddb93e6f55da14ccbbe705397b30d0b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.