CVE-2023-54281 (GCVE-0-2023-54281)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
Title
btrfs: release path before inode lookup during the ino lookup ioctl
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before inode lookup during the ino lookup ioctl During the ino lookup ioctl we can end up calling btrfs_iget() to get an inode reference while we are holding on a root's btree. If btrfs_iget() needs to lookup the inode from the root's btree, because it's not currently loaded in memory, then it will need to lock another or the same path in the same root btree. This may result in a deadlock and trigger the following lockdep splat: WARNING: possible circular locking dependency detected 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Not tainted ------------------------------------------------------ syz-executor277/5012 is trying to acquire lock: ffff88802df41710 (btrfs-tree-01){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 but task is already holding lock: ffff88802df418e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-tree-00){++++}-{3:3}: down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645 __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 btrfs_search_slot+0x13a4/0x2f80 fs/btrfs/ctree.c:2302 btrfs_init_root_free_objectid+0x148/0x320 fs/btrfs/disk-io.c:4955 btrfs_init_fs_root fs/btrfs/disk-io.c:1128 [inline] btrfs_get_root_ref+0x5ae/0xae0 fs/btrfs/disk-io.c:1338 btrfs_get_fs_root fs/btrfs/disk-io.c:1390 [inline] open_ctree+0x29c8/0x3030 fs/btrfs/disk-io.c:3494 btrfs_fill_super+0x1c7/0x2f0 fs/btrfs/super.c:1154 btrfs_mount_root+0x7e0/0x910 fs/btrfs/super.c:1519 legacy_get_tree+0xef/0x190 fs/fs_context.c:611 vfs_get_tree+0x8c/0x270 fs/super.c:1519 fc_mount fs/namespace.c:1112 [inline] vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142 btrfs_mount+0x39f/0xb50 fs/btrfs/super.c:1579 legacy_get_tree+0xef/0x190 fs/fs_context.c:611 vfs_get_tree+0x8c/0x270 fs/super.c:1519 do_new_mount+0x28f/0xae0 fs/namespace.c:3335 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd -> #0 (btrfs-tree-01){++++}-{3:3}: check_prev_add kernel/locking/lockdep.c:3142 [inline] check_prevs_add kernel/locking/lockdep.c:3261 [inline] validate_chain kernel/locking/lockdep.c:3876 [inline] __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144 lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761 down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645 __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 btrfs_tree_read_lock fs/btrfs/locking.c:142 [inline] btrfs_read_lock_root_node+0x292/0x3c0 fs/btrfs/locking.c:281 btrfs_search_slot_get_root fs/btrfs/ctree.c:1832 [inline] btrfs_search_slot+0x4ff/0x2f80 fs/btrfs/ctree.c:2154 btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:412 btrfs_read_locked_inode fs/btrfs/inode.c:3892 [inline] btrfs_iget_path+0x2d9/0x1520 fs/btrfs/inode.c:5716 btrfs_search_path_in_tree_user fs/btrfs/ioctl.c:1961 [inline] btrfs_ioctl_ino_lookup_user+0x77a/0xf50 fs/btrfs/ioctl.c:2105 btrfs_ioctl+0xb0b/0xd40 fs/btrfs/ioctl.c:4683 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd other info ---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 23d0b79dfaed2305b500b0215b0421701ada6b1a , < 7390bb377b5fb3be23cb021e0f184d1f576be7d6 (git)
Affected: 23d0b79dfaed2305b500b0215b0421701ada6b1a , < 380bbd46d61c894a8dcaace09e54bc7426d81014 (git)
Affected: 23d0b79dfaed2305b500b0215b0421701ada6b1a , < 50e385d98b2a52480836ea41c142b81eeeb277af (git)
Affected: 23d0b79dfaed2305b500b0215b0421701ada6b1a , < 6fdce81e425be112f1ca129776f4041afeaad413 (git)
Affected: 23d0b79dfaed2305b500b0215b0421701ada6b1a , < ee34a82e890a7babb5585daf1a6dd7d4d1cf142a (git)
Create a notification for this product.
    Linux Linux Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 5.10.197 , ≤ 5.10.* (semver)
Unaffected: 5.15.133 , ≤ 5.15.* (semver)
Unaffected: 6.1.55 , ≤ 6.1.* (semver)
Unaffected: 6.5.5 , ≤ 6.5.* (semver)
Unaffected: 6.6 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7390bb377b5fb3be23cb021e0f184d1f576be7d6",
              "status": "affected",
              "version": "23d0b79dfaed2305b500b0215b0421701ada6b1a",
              "versionType": "git"
            },
            {
              "lessThan": "380bbd46d61c894a8dcaace09e54bc7426d81014",
              "status": "affected",
              "version": "23d0b79dfaed2305b500b0215b0421701ada6b1a",
              "versionType": "git"
            },
            {
              "lessThan": "50e385d98b2a52480836ea41c142b81eeeb277af",
              "status": "affected",
              "version": "23d0b79dfaed2305b500b0215b0421701ada6b1a",
              "versionType": "git"
            },
            {
              "lessThan": "6fdce81e425be112f1ca129776f4041afeaad413",
              "status": "affected",
              "version": "23d0b79dfaed2305b500b0215b0421701ada6b1a",
              "versionType": "git"
            },
            {
              "lessThan": "ee34a82e890a7babb5585daf1a6dd7d4d1cf142a",
              "status": "affected",
              "version": "23d0b79dfaed2305b500b0215b0421701ada6b1a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.133",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.197",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.133",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.55",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.5",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before inode lookup during the ino lookup ioctl\n\nDuring the ino lookup ioctl we can end up calling btrfs_iget() to get an\ninode reference while we are holding on a root\u0027s btree. If btrfs_iget()\nneeds to lookup the inode from the root\u0027s btree, because it\u0027s not\ncurrently loaded in memory, then it will need to lock another or the\nsame path in the same root btree. This may result in a deadlock and\ntrigger the following lockdep splat:\n\n  WARNING: possible circular locking dependency detected\n  6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Not tainted\n  ------------------------------------------------------\n  syz-executor277/5012 is trying to acquire lock:\n  ffff88802df41710 (btrfs-tree-01){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n\n  but task is already holding lock:\n  ffff88802df418e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n\n  which lock already depends on the new lock.\n\n  the existing dependency chain (in reverse order) is:\n\n  -\u003e #1 (btrfs-tree-00){++++}-{3:3}:\n         down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645\n         __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n         btrfs_search_slot+0x13a4/0x2f80 fs/btrfs/ctree.c:2302\n         btrfs_init_root_free_objectid+0x148/0x320 fs/btrfs/disk-io.c:4955\n         btrfs_init_fs_root fs/btrfs/disk-io.c:1128 [inline]\n         btrfs_get_root_ref+0x5ae/0xae0 fs/btrfs/disk-io.c:1338\n         btrfs_get_fs_root fs/btrfs/disk-io.c:1390 [inline]\n         open_ctree+0x29c8/0x3030 fs/btrfs/disk-io.c:3494\n         btrfs_fill_super+0x1c7/0x2f0 fs/btrfs/super.c:1154\n         btrfs_mount_root+0x7e0/0x910 fs/btrfs/super.c:1519\n         legacy_get_tree+0xef/0x190 fs/fs_context.c:611\n         vfs_get_tree+0x8c/0x270 fs/super.c:1519\n         fc_mount fs/namespace.c:1112 [inline]\n         vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142\n         btrfs_mount+0x39f/0xb50 fs/btrfs/super.c:1579\n         legacy_get_tree+0xef/0x190 fs/fs_context.c:611\n         vfs_get_tree+0x8c/0x270 fs/super.c:1519\n         do_new_mount+0x28f/0xae0 fs/namespace.c:3335\n         do_mount fs/namespace.c:3675 [inline]\n         __do_sys_mount fs/namespace.c:3884 [inline]\n         __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861\n         do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n         do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n         entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n  -\u003e #0 (btrfs-tree-01){++++}-{3:3}:\n         check_prev_add kernel/locking/lockdep.c:3142 [inline]\n         check_prevs_add kernel/locking/lockdep.c:3261 [inline]\n         validate_chain kernel/locking/lockdep.c:3876 [inline]\n         __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144\n         lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761\n         down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645\n         __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n         btrfs_tree_read_lock fs/btrfs/locking.c:142 [inline]\n         btrfs_read_lock_root_node+0x292/0x3c0 fs/btrfs/locking.c:281\n         btrfs_search_slot_get_root fs/btrfs/ctree.c:1832 [inline]\n         btrfs_search_slot+0x4ff/0x2f80 fs/btrfs/ctree.c:2154\n         btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:412\n         btrfs_read_locked_inode fs/btrfs/inode.c:3892 [inline]\n         btrfs_iget_path+0x2d9/0x1520 fs/btrfs/inode.c:5716\n         btrfs_search_path_in_tree_user fs/btrfs/ioctl.c:1961 [inline]\n         btrfs_ioctl_ino_lookup_user+0x77a/0xf50 fs/btrfs/ioctl.c:2105\n         btrfs_ioctl+0xb0b/0xd40 fs/btrfs/ioctl.c:4683\n         vfs_ioctl fs/ioctl.c:51 [inline]\n         __do_sys_ioctl fs/ioctl.c:870 [inline]\n         __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856\n         do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n         do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n         entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n  other info \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:23:23.122Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7390bb377b5fb3be23cb021e0f184d1f576be7d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/380bbd46d61c894a8dcaace09e54bc7426d81014"
        },
        {
          "url": "https://git.kernel.org/stable/c/50e385d98b2a52480836ea41c142b81eeeb277af"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fdce81e425be112f1ca129776f4041afeaad413"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee34a82e890a7babb5585daf1a6dd7d4d1cf142a"
        }
      ],
      "title": "btrfs: release path before inode lookup during the ino lookup ioctl",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54281",
    "datePublished": "2025-12-30T12:23:23.122Z",
    "dateReserved": "2025-12-30T12:06:44.525Z",
    "dateUpdated": "2025-12-30T12:23:23.122Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.