cvelistv5 - cve-2023-54224

CVE-2023-54224 (GCVE-0-2023-54224)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11

Title

btrfs: fix lockdep splat and potential deadlock after failure running delayed items

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix lockdep splat and potential deadlock after failure running delayed items When running delayed items we are holding a delayed node's mutex and then we will attempt to modify a subvolume btree to insert/update/delete the delayed items. However if have an error during the insertions for example, btrfs_insert_delayed_items() may return with a path that has locked extent buffers (a leaf at the very least), and then we attempt to release the delayed node at __btrfs_run_delayed_items(), which requires taking the delayed node's mutex, causing an ABBA type of deadlock. This was reported by syzbot and the lockdep splat is the following: WARNING: possible circular locking dependency detected 6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted ------------------------------------------------------ syz-executor.2/13257 is trying to acquire lock: ffff88801835c0c0 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256 but task is already holding lock: ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-tree-00){++++}-{3:3}: __lock_release kernel/locking/lockdep.c:5475 [inline] lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781 up_write+0x79/0x580 kernel/locking/rwsem.c:1625 btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline] btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239 search_leaf fs/btrfs/ctree.c:1986 [inline] btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230 btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376 btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline] btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline] __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111 __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153 flush_space+0x269/0xe70 fs/btrfs/space-info.c:723 btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078 process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600 worker_thread+0xa63/0x1210 kernel/workqueue.c:2751 kthread+0x2b8/0x350 kernel/kthread.c:389 ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 -> #0 (&delayed_node->mutex){+.+.}-{3:3}: check_prev_add kernel/locking/lockdep.c:3142 [inline] check_prevs_add kernel/locking/lockdep.c:3261 [inline] validate_chain kernel/locking/lockdep.c:3876 [inline] __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144 lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761 __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603 __mutex_lock kernel/locking/mutex.c:747 [inline] mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799 __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256 btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline] __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156 btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276 btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988 vfs_fsync_range fs/sync.c:188 [inline] vfs_fsync fs/sync.c:202 [inline] do_fsync fs/sync.c:212 [inline] __do_sys_fsync fs/sync.c:220 [inline] __se_sys_fsync fs/sync.c:218 [inline] __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd other info that ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/50abe4b37f58a2521…
	https://git.kernel.org/stable/c/126d5a99e583e2d38…
	https://git.kernel.org/stable/c/a70c6e57316b677c8…
	https://git.kernel.org/stable/c/3d379dd109f80c8f3…
	https://git.kernel.org/stable/c/779c3cf2749c7a7ba…
	https://git.kernel.org/stable/c/32247b9526bfdaeef…
	https://git.kernel.org/stable/c/36d918da3f1bf7491…
	https://git.kernel.org/stable/c/e110f8911ddb93e6f…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 50abe4b37f58a25214b732212926d35e6fabd6c3 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 126d5a99e583e2d387ee4ea7b796c8fec4483244 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a70c6e57316b677c83e0e53569c555057b5813c4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3d379dd109f80c8f3b9aaa2d15681b37803aa4c0 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 779c3cf2749c7a7bad6f839cb2954a25ba92f4d6 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 32247b9526bfdaeef85f7339d9b4f913c7370f92 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 36d918da3f1bf749178c7daf471a3be1730ed3ca (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e110f8911ddb93e6f55da14ccbbe705397b30d0b (git)

Linux

Unaffected: 4.14.326 , ≤ 4.14.* (semver)
Unaffected: 4.19.295 , ≤ 4.19.* (semver)
Unaffected: 5.4.257 , ≤ 5.4.* (semver)
Unaffected: 5.10.197 , ≤ 5.10.* (semver)
Unaffected: 5.15.133 , ≤ 5.15.* (semver)
Unaffected: 6.1.55 , ≤ 6.1.* (semver)
Unaffected: 6.5.5 , ≤ 6.5.* (semver)
Unaffected: 6.6 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/delayed-inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "50abe4b37f58a25214b732212926d35e6fabd6c3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "126d5a99e583e2d387ee4ea7b796c8fec4483244",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a70c6e57316b677c83e0e53569c555057b5813c4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3d379dd109f80c8f3b9aaa2d15681b37803aa4c0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "779c3cf2749c7a7bad6f839cb2954a25ba92f4d6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "32247b9526bfdaeef85f7339d9b4f913c7370f92",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "36d918da3f1bf749178c7daf471a3be1730ed3ca",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e110f8911ddb93e6f55da14ccbbe705397b30d0b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/delayed-inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.326",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.257",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.133",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.326",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.295",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.257",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.197",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.133",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.55",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix lockdep splat and potential deadlock after failure running delayed items\n\nWhen running delayed items we are holding a delayed node\u0027s mutex and then\nwe will attempt to modify a subvolume btree to insert/update/delete the\ndelayed items. However if have an error during the insertions for example,\nbtrfs_insert_delayed_items() may return with a path that has locked extent\nbuffers (a leaf at the very least), and then we attempt to release the\ndelayed node at __btrfs_run_delayed_items(), which requires taking the\ndelayed node\u0027s mutex, causing an ABBA type of deadlock. This was reported\nby syzbot and the lockdep splat is the following:\n\n  WARNING: possible circular locking dependency detected\n  6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted\n  ------------------------------------------------------\n  syz-executor.2/13257 is trying to acquire lock:\n  ffff88801835c0c0 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n\n  but task is already holding lock:\n  ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198\n\n  which lock already depends on the new lock.\n\n  the existing dependency chain (in reverse order) is:\n\n  -\u003e #1 (btrfs-tree-00){++++}-{3:3}:\n         __lock_release kernel/locking/lockdep.c:5475 [inline]\n         lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781\n         up_write+0x79/0x580 kernel/locking/rwsem.c:1625\n         btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline]\n         btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239\n         search_leaf fs/btrfs/ctree.c:1986 [inline]\n         btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230\n         btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376\n         btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline]\n         btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline]\n         __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111\n         __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153\n         flush_space+0x269/0xe70 fs/btrfs/space-info.c:723\n         btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078\n         process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600\n         worker_thread+0xa63/0x1210 kernel/workqueue.c:2751\n         kthread+0x2b8/0x350 kernel/kthread.c:389\n         ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145\n         ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\n  -\u003e #0 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}:\n         check_prev_add kernel/locking/lockdep.c:3142 [inline]\n         check_prevs_add kernel/locking/lockdep.c:3261 [inline]\n         validate_chain kernel/locking/lockdep.c:3876 [inline]\n         __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144\n         lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761\n         __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603\n         __mutex_lock kernel/locking/mutex.c:747 [inline]\n         mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799\n         __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n         btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline]\n         __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156\n         btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276\n         btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988\n         vfs_fsync_range fs/sync.c:188 [inline]\n         vfs_fsync fs/sync.c:202 [inline]\n         do_fsync fs/sync.c:212 [inline]\n         __do_sys_fsync fs/sync.c:220 [inline]\n         __se_sys_fsync fs/sync.c:218 [inline]\n         __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218\n         do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n         do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n         entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n  other info that\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:11:18.076Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/50abe4b37f58a25214b732212926d35e6fabd6c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/126d5a99e583e2d387ee4ea7b796c8fec4483244"
        },
        {
          "url": "https://git.kernel.org/stable/c/a70c6e57316b677c83e0e53569c555057b5813c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d379dd109f80c8f3b9aaa2d15681b37803aa4c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/779c3cf2749c7a7bad6f839cb2954a25ba92f4d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/32247b9526bfdaeef85f7339d9b4f913c7370f92"
        },
        {
          "url": "https://git.kernel.org/stable/c/36d918da3f1bf749178c7daf471a3be1730ed3ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/e110f8911ddb93e6f55da14ccbbe705397b30d0b"
        }
      ],
      "title": "btrfs: fix lockdep splat and potential deadlock after failure running delayed items",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54224",
    "datePublished": "2025-12-30T12:11:18.076Z",
    "dateReserved": "2025-12-30T12:06:44.501Z",
    "dateUpdated": "2025-12-30T12:11:18.076Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54224\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:10.743\",\"lastModified\":\"2025-12-31T20:42:43.210\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix lockdep splat and potential deadlock after failure running delayed items\\n\\nWhen running delayed items we are holding a delayed node\u0027s mutex and then\\nwe will attempt to modify a subvolume btree to insert/update/delete the\\ndelayed items. However if have an error during the insertions for example,\\nbtrfs_insert_delayed_items() may return with a path that has locked extent\\nbuffers (a leaf at the very least), and then we attempt to release the\\ndelayed node at __btrfs_run_delayed_items(), which requires taking the\\ndelayed node\u0027s mutex, causing an ABBA type of deadlock. This was reported\\nby syzbot and the lockdep splat is the following:\\n\\n  WARNING: possible circular locking dependency detected\\n  6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted\\n  ------------------------------------------------------\\n  syz-executor.2/13257 is trying to acquire lock:\\n  ffff88801835c0c0 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\\n\\n  but task is already holding lock:\\n  ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198\\n\\n  which lock already depends on the new lock.\\n\\n  the existing dependency chain (in reverse order) is:\\n\\n  -\u003e #1 (btrfs-tree-00){++++}-{3:3}:\\n         __lock_release kernel/locking/lockdep.c:5475 [inline]\\n         lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781\\n         up_write+0x79/0x580 kernel/locking/rwsem.c:1625\\n         btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline]\\n         btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239\\n         search_leaf fs/btrfs/ctree.c:1986 [inline]\\n         btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230\\n         btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376\\n         btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline]\\n         btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline]\\n         __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111\\n         __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153\\n         flush_space+0x269/0xe70 fs/btrfs/space-info.c:723\\n         btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078\\n         process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600\\n         worker_thread+0xa63/0x1210 kernel/workqueue.c:2751\\n         kthread+0x2b8/0x350 kernel/kthread.c:389\\n         ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145\\n         ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\\n\\n  -\u003e #0 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}:\\n         check_prev_add kernel/locking/lockdep.c:3142 [inline]\\n         check_prevs_add kernel/locking/lockdep.c:3261 [inline]\\n         validate_chain kernel/locking/lockdep.c:3876 [inline]\\n         __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144\\n         lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761\\n         __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603\\n         __mutex_lock kernel/locking/mutex.c:747 [inline]\\n         mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799\\n         __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\\n         btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline]\\n         __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156\\n         btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276\\n         btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988\\n         vfs_fsync_range fs/sync.c:188 [inline]\\n         vfs_fsync fs/sync.c:202 [inline]\\n         do_fsync fs/sync.c:212 [inline]\\n         __do_sys_fsync fs/sync.c:220 [inline]\\n         __se_sys_fsync fs/sync.c:218 [inline]\\n         __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218\\n         do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n         do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\\n         entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\n  other info that\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/126d5a99e583e2d387ee4ea7b796c8fec4483244\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/32247b9526bfdaeef85f7339d9b4f913c7370f92\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/36d918da3f1bf749178c7daf471a3be1730ed3ca\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3d379dd109f80c8f3b9aaa2d15681b37803aa4c0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/50abe4b37f58a25214b732212926d35e6fabd6c3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/779c3cf2749c7a7bad6f839cb2954a25ba92f4d6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a70c6e57316b677c83e0e53569c555057b5813c4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e110f8911ddb93e6f55da14ccbbe705397b30d0b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

FKIE_CVE-2023-54224

Vulnerability from fkie_nvd - Published: 2025-12-30 13:16 - Updated: 2025-12-31 20:42

Severity ?

Summary

References

	URL	Tags
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/126d5a99e583e2d387ee4ea7b796c8fec4483244
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/32247b9526bfdaeef85f7339d9b4f913c7370f92
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/36d918da3f1bf749178c7daf471a3be1730ed3ca
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/3d379dd109f80c8f3b9aaa2d15681b37803aa4c0
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/50abe4b37f58a25214b732212926d35e6fabd6c3
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/779c3cf2749c7a7bad6f839cb2954a25ba92f4d6
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/a70c6e57316b677c83e0e53569c555057b5813c4
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/e110f8911ddb93e6f55da14ccbbe705397b30d0b

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix lockdep splat and potential deadlock after failure running delayed items\n\nWhen running delayed items we are holding a delayed node\u0027s mutex and then\nwe will attempt to modify a subvolume btree to insert/update/delete the\ndelayed items. However if have an error during the insertions for example,\nbtrfs_insert_delayed_items() may return with a path that has locked extent\nbuffers (a leaf at the very least), and then we attempt to release the\ndelayed node at __btrfs_run_delayed_items(), which requires taking the\ndelayed node\u0027s mutex, causing an ABBA type of deadlock. This was reported\nby syzbot and the lockdep splat is the following:\n\n  WARNING: possible circular locking dependency detected\n  6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted\n  ------------------------------------------------------\n  syz-executor.2/13257 is trying to acquire lock:\n  ffff88801835c0c0 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n\n  but task is already holding lock:\n  ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198\n\n  which lock already depends on the new lock.\n\n  the existing dependency chain (in reverse order) is:\n\n  -\u003e #1 (btrfs-tree-00){++++}-{3:3}:\n         __lock_release kernel/locking/lockdep.c:5475 [inline]\n         lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781\n         up_write+0x79/0x580 kernel/locking/rwsem.c:1625\n         btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline]\n         btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239\n         search_leaf fs/btrfs/ctree.c:1986 [inline]\n         btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230\n         btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376\n         btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline]\n         btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline]\n         __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111\n         __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153\n         flush_space+0x269/0xe70 fs/btrfs/space-info.c:723\n         btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078\n         process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600\n         worker_thread+0xa63/0x1210 kernel/workqueue.c:2751\n         kthread+0x2b8/0x350 kernel/kthread.c:389\n         ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145\n         ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\n  -\u003e #0 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}:\n         check_prev_add kernel/locking/lockdep.c:3142 [inline]\n         check_prevs_add kernel/locking/lockdep.c:3261 [inline]\n         validate_chain kernel/locking/lockdep.c:3876 [inline]\n         __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144\n         lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761\n         __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603\n         __mutex_lock kernel/locking/mutex.c:747 [inline]\n         mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799\n         __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n         btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline]\n         __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156\n         btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276\n         btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988\n         vfs_fsync_range fs/sync.c:188 [inline]\n         vfs_fsync fs/sync.c:202 [inline]\n         do_fsync fs/sync.c:212 [inline]\n         __do_sys_fsync fs/sync.c:220 [inline]\n         __se_sys_fsync fs/sync.c:218 [inline]\n         __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218\n         do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n         do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n         entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n  other info that\n---truncated---"
    }
  ],
  "id": "CVE-2023-54224",
  "lastModified": "2025-12-31T20:42:43.210",
  "metrics": {},
  "published": "2025-12-30T13:16:10.743",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/126d5a99e583e2d387ee4ea7b796c8fec4483244"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/32247b9526bfdaeef85f7339d9b4f913c7370f92"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/36d918da3f1bf749178c7daf471a3be1730ed3ca"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3d379dd109f80c8f3b9aaa2d15681b37803aa4c0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/50abe4b37f58a25214b732212926d35e6fabd6c3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/779c3cf2749c7a7bad6f839cb2954a25ba92f4d6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a70c6e57316b677c83e0e53569c555057b5813c4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e110f8911ddb93e6f55da14ccbbe705397b30d0b"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}

GHSA-5MG6-8PGX-PXR7

Vulnerability from github – Published: 2025-12-30 15:30 – Updated: 2025-12-30 15:30

Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix lockdep splat and potential deadlock after failure running delayed items

When running delayed items we are holding a delayed node's mutex and then we will attempt to modify a subvolume btree to insert/update/delete the delayed items. However if have an error during the insertions for example, btrfs_insert_delayed_items() may return with a path that has locked extent buffers (a leaf at the very least), and then we attempt to release the delayed node at __btrfs_run_delayed_items(), which requires taking the delayed node's mutex, causing an ABBA type of deadlock. This was reported by syzbot and the lockdep splat is the following:

WARNING: possible circular locking dependency detected 6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted

syz-executor.2/13257 is trying to acquire lock: ffff88801835c0c0 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256

but task is already holding lock: ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (btrfs-tree-00){++++}-{3:3}: __lock_release kernel/locking/lockdep.c:5475 [inline] lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781 up_write+0x79/0x580 kernel/locking/rwsem.c:1625 btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline] btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239 search_leaf fs/btrfs/ctree.c:1986 [inline] btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230 btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376 btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline] btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline] __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111 __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153 flush_space+0x269/0xe70 fs/btrfs/space-info.c:723 btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078 process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600 worker_thread+0xa63/0x1210 kernel/workqueue.c:2751 kthread+0x2b8/0x350 kernel/kthread.c:389 ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

-> #0 (&delayed_node->mutex){+.+.}-{3:3}: check_prev_add kernel/locking/lockdep.c:3142 [inline] check_prevs_add kernel/locking/lockdep.c:3261 [inline] validate_chain kernel/locking/lockdep.c:3876 [inline] __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144 lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761 __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603 __mutex_lock kernel/locking/mutex.c:747 [inline] mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799 __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256 btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline] __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156 btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276 btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988 vfs_fsync_range fs/sync.c:188 [inline] vfs_fsync fs/sync.c:202 [inline] do_fsync fs/sync.c:212 [inline] __do_sys_fsync fs/sync.c:220 [inline] __se_sys_fsync fs/sync.c:218 [inline] __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd

other info that ---truncated---

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-54224"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T13:16:10Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix lockdep splat and potential deadlock after failure running delayed items\n\nWhen running delayed items we are holding a delayed node\u0027s mutex and then\nwe will attempt to modify a subvolume btree to insert/update/delete the\ndelayed items. However if have an error during the insertions for example,\nbtrfs_insert_delayed_items() may return with a path that has locked extent\nbuffers (a leaf at the very least), and then we attempt to release the\ndelayed node at __btrfs_run_delayed_items(), which requires taking the\ndelayed node\u0027s mutex, causing an ABBA type of deadlock. This was reported\nby syzbot and the lockdep splat is the following:\n\n  WARNING: possible circular locking dependency detected\n  6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted\n  ------------------------------------------------------\n  syz-executor.2/13257 is trying to acquire lock:\n  ffff88801835c0c0 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n\n  but task is already holding lock:\n  ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198\n\n  which lock already depends on the new lock.\n\n  the existing dependency chain (in reverse order) is:\n\n  -\u003e #1 (btrfs-tree-00){++++}-{3:3}:\n         __lock_release kernel/locking/lockdep.c:5475 [inline]\n         lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781\n         up_write+0x79/0x580 kernel/locking/rwsem.c:1625\n         btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline]\n         btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239\n         search_leaf fs/btrfs/ctree.c:1986 [inline]\n         btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230\n         btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376\n         btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline]\n         btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline]\n         __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111\n         __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153\n         flush_space+0x269/0xe70 fs/btrfs/space-info.c:723\n         btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078\n         process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600\n         worker_thread+0xa63/0x1210 kernel/workqueue.c:2751\n         kthread+0x2b8/0x350 kernel/kthread.c:389\n         ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145\n         ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\n  -\u003e #0 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}:\n         check_prev_add kernel/locking/lockdep.c:3142 [inline]\n         check_prevs_add kernel/locking/lockdep.c:3261 [inline]\n         validate_chain kernel/locking/lockdep.c:3876 [inline]\n         __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144\n         lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761\n         __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603\n         __mutex_lock kernel/locking/mutex.c:747 [inline]\n         mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799\n         __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n         btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline]\n         __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156\n         btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276\n         btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988\n         vfs_fsync_range fs/sync.c:188 [inline]\n         vfs_fsync fs/sync.c:202 [inline]\n         do_fsync fs/sync.c:212 [inline]\n         __do_sys_fsync fs/sync.c:220 [inline]\n         __se_sys_fsync fs/sync.c:218 [inline]\n         __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218\n         do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n         do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n         entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n  other info that\n---truncated---",
  "id": "GHSA-5mg6-8pgx-pxr7",
  "modified": "2025-12-30T15:30:32Z",
  "published": "2025-12-30T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54224"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/126d5a99e583e2d387ee4ea7b796c8fec4483244"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/32247b9526bfdaeef85f7339d9b4f913c7370f92"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/36d918da3f1bf749178c7daf471a3be1730ed3ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3d379dd109f80c8f3b9aaa2d15681b37803aa4c0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/50abe4b37f58a25214b732212926d35e6fabd6c3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/779c3cf2749c7a7bad6f839cb2954a25ba92f4d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a70c6e57316b677c83e0e53569c555057b5813c4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e110f8911ddb93e6f55da14ccbbe705397b30d0b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-54224 (GCVE-0-2023-54224)

FKIE_CVE-2023-54224

GHSA-5MG6-8PGX-PXR7

Tags

Sightings

Nomenclature