CVE-2026-23018 (GCVE-0-2026-23018)

Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-01-31 11:39
VLAI?
Title
btrfs: release path before initializing extent tree in btrfs_read_locked_inode()
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before initializing extent tree in btrfs_read_locked_inode() In btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree() while holding a path with a read locked leaf from a subvolume tree, and btrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can trigger reclaim. This can create a circular lock dependency which lockdep warns about with the following splat: [6.1433] ====================================================== [6.1574] WARNING: possible circular locking dependency detected [6.1583] 6.18.0+ #4 Tainted: G U [6.1591] ------------------------------------------------------ [6.1599] kswapd0/117 is trying to acquire lock: [6.1606] ffff8d9b6333c5b8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0 [6.1625] but task is already holding lock: [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60 [6.1646] which lock already depends on the new lock. [6.1657] the existing dependency chain (in reverse order) is: [6.1667] -> #2 (fs_reclaim){+.+.}-{0:0}: [6.1677] fs_reclaim_acquire+0x9d/0xd0 [6.1685] __kmalloc_cache_noprof+0x59/0x750 [6.1694] btrfs_init_file_extent_tree+0x90/0x100 [6.1702] btrfs_read_locked_inode+0xc3/0x6b0 [6.1710] btrfs_iget+0xbb/0xf0 [6.1716] btrfs_lookup_dentry+0x3c5/0x8e0 [6.1724] btrfs_lookup+0x12/0x30 [6.1731] lookup_open.isra.0+0x1aa/0x6a0 [6.1739] path_openat+0x5f7/0xc60 [6.1746] do_filp_open+0xd6/0x180 [6.1753] do_sys_openat2+0x8b/0xe0 [6.1760] __x64_sys_openat+0x54/0xa0 [6.1768] do_syscall_64+0x97/0x3e0 [6.1776] entry_SYSCALL_64_after_hwframe+0x76/0x7e [6.1784] -> #1 (btrfs-tree-00){++++}-{3:3}: [6.1794] lock_release+0x127/0x2a0 [6.1801] up_read+0x1b/0x30 [6.1808] btrfs_search_slot+0x8e0/0xff0 [6.1817] btrfs_lookup_inode+0x52/0xd0 [6.1825] __btrfs_update_delayed_inode+0x73/0x520 [6.1833] btrfs_commit_inode_delayed_inode+0x11a/0x120 [6.1842] btrfs_log_inode+0x608/0x1aa0 [6.1849] btrfs_log_inode_parent+0x249/0xf80 [6.1857] btrfs_log_dentry_safe+0x3e/0x60 [6.1865] btrfs_sync_file+0x431/0x690 [6.1872] do_fsync+0x39/0x80 [6.1879] __x64_sys_fsync+0x13/0x20 [6.1887] do_syscall_64+0x97/0x3e0 [6.1894] entry_SYSCALL_64_after_hwframe+0x76/0x7e [6.1903] -> #0 (&delayed_node->mutex){+.+.}-{3:3}: [6.1913] __lock_acquire+0x15e9/0x2820 [6.1920] lock_acquire+0xc9/0x2d0 [6.1927] __mutex_lock+0xcc/0x10a0 [6.1934] __btrfs_release_delayed_node.part.0+0x39/0x2f0 [6.1944] btrfs_evict_inode+0x20b/0x4b0 [6.1952] evict+0x15a/0x2f0 [6.1958] prune_icache_sb+0x91/0xd0 [6.1966] super_cache_scan+0x150/0x1d0 [6.1974] do_shrink_slab+0x155/0x6f0 [6.1981] shrink_slab+0x48e/0x890 [6.1988] shrink_one+0x11a/0x1f0 [6.1995] shrink_node+0xbfd/0x1320 [6.1002] balance_pgdat+0x67f/0xc60 [6.1321] kswapd+0x1dc/0x3e0 [6.1643] kthread+0xff/0x240 [6.1965] ret_from_fork+0x223/0x280 [6.1287] ret_from_fork_asm+0x1a/0x30 [6.1616] other info that might help us debug this: [6.1561] Chain exists of: &delayed_node->mutex --> btrfs-tree-00 --> fs_reclaim [6.1503] Possible unsafe locking scenario: [6.1110] CPU0 CPU1 [6.1411] ---- ---- [6.1707] lock(fs_reclaim); [6.1998] lock(btrfs-tree-00); [6.1291] lock(fs_reclaim); [6.1581] lock(&del ---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 8679d2687c351824d08cf1f0e86f3b65f22a00fe , < 92a5590851144f034adc51fee55e6878ccac716e (git)
Affected: 8679d2687c351824d08cf1f0e86f3b65f22a00fe , < 8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347 (git)
Affected: e8f496001e0c7832d188ab91fea294e19a128202 (git)
Create a notification for this product.
    Linux Linux Affected: 6.17
Unaffected: 0 , < 6.17 (semver)
Unaffected: 6.18.6 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc5 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "92a5590851144f034adc51fee55e6878ccac716e",
              "status": "affected",
              "version": "8679d2687c351824d08cf1f0e86f3b65f22a00fe",
              "versionType": "git"
            },
            {
              "lessThan": "8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347",
              "status": "affected",
              "version": "8679d2687c351824d08cf1f0e86f3b65f22a00fe",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e8f496001e0c7832d188ab91fea294e19a128202",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.17"
            },
            {
              "lessThan": "6.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.6",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc5",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.16.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before initializing extent tree in btrfs_read_locked_inode()\n\nIn btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree()\nwhile holding a path with a read locked leaf from a subvolume tree, and\nbtrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can\ntrigger reclaim.\n\nThis can create a circular lock dependency which lockdep warns about with\nthe following splat:\n\n   [6.1433] ======================================================\n   [6.1574] WARNING: possible circular locking dependency detected\n   [6.1583] 6.18.0+ #4 Tainted: G     U\n   [6.1591] ------------------------------------------------------\n   [6.1599] kswapd0/117 is trying to acquire lock:\n   [6.1606] ffff8d9b6333c5b8 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0\n   [6.1625]\n            but task is already holding lock:\n   [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60\n   [6.1646]\n            which lock already depends on the new lock.\n\n   [6.1657]\n            the existing dependency chain (in reverse order) is:\n   [6.1667]\n            -\u003e #2 (fs_reclaim){+.+.}-{0:0}:\n   [6.1677]        fs_reclaim_acquire+0x9d/0xd0\n   [6.1685]        __kmalloc_cache_noprof+0x59/0x750\n   [6.1694]        btrfs_init_file_extent_tree+0x90/0x100\n   [6.1702]        btrfs_read_locked_inode+0xc3/0x6b0\n   [6.1710]        btrfs_iget+0xbb/0xf0\n   [6.1716]        btrfs_lookup_dentry+0x3c5/0x8e0\n   [6.1724]        btrfs_lookup+0x12/0x30\n   [6.1731]        lookup_open.isra.0+0x1aa/0x6a0\n   [6.1739]        path_openat+0x5f7/0xc60\n   [6.1746]        do_filp_open+0xd6/0x180\n   [6.1753]        do_sys_openat2+0x8b/0xe0\n   [6.1760]        __x64_sys_openat+0x54/0xa0\n   [6.1768]        do_syscall_64+0x97/0x3e0\n   [6.1776]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   [6.1784]\n            -\u003e #1 (btrfs-tree-00){++++}-{3:3}:\n   [6.1794]        lock_release+0x127/0x2a0\n   [6.1801]        up_read+0x1b/0x30\n   [6.1808]        btrfs_search_slot+0x8e0/0xff0\n   [6.1817]        btrfs_lookup_inode+0x52/0xd0\n   [6.1825]        __btrfs_update_delayed_inode+0x73/0x520\n   [6.1833]        btrfs_commit_inode_delayed_inode+0x11a/0x120\n   [6.1842]        btrfs_log_inode+0x608/0x1aa0\n   [6.1849]        btrfs_log_inode_parent+0x249/0xf80\n   [6.1857]        btrfs_log_dentry_safe+0x3e/0x60\n   [6.1865]        btrfs_sync_file+0x431/0x690\n   [6.1872]        do_fsync+0x39/0x80\n   [6.1879]        __x64_sys_fsync+0x13/0x20\n   [6.1887]        do_syscall_64+0x97/0x3e0\n   [6.1894]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   [6.1903]\n            -\u003e #0 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}:\n   [6.1913]        __lock_acquire+0x15e9/0x2820\n   [6.1920]        lock_acquire+0xc9/0x2d0\n   [6.1927]        __mutex_lock+0xcc/0x10a0\n   [6.1934]        __btrfs_release_delayed_node.part.0+0x39/0x2f0\n   [6.1944]        btrfs_evict_inode+0x20b/0x4b0\n   [6.1952]        evict+0x15a/0x2f0\n   [6.1958]        prune_icache_sb+0x91/0xd0\n   [6.1966]        super_cache_scan+0x150/0x1d0\n   [6.1974]        do_shrink_slab+0x155/0x6f0\n   [6.1981]        shrink_slab+0x48e/0x890\n   [6.1988]        shrink_one+0x11a/0x1f0\n   [6.1995]        shrink_node+0xbfd/0x1320\n   [6.1002]        balance_pgdat+0x67f/0xc60\n   [6.1321]        kswapd+0x1dc/0x3e0\n   [6.1643]        kthread+0xff/0x240\n   [6.1965]        ret_from_fork+0x223/0x280\n   [6.1287]        ret_from_fork_asm+0x1a/0x30\n   [6.1616]\n            other info that might help us debug this:\n\n   [6.1561] Chain exists of:\n              \u0026delayed_node-\u003emutex --\u003e btrfs-tree-00 --\u003e fs_reclaim\n\n   [6.1503]  Possible unsafe locking scenario:\n\n   [6.1110]        CPU0                    CPU1\n   [6.1411]        ----                    ----\n   [6.1707]   lock(fs_reclaim);\n   [6.1998]                                lock(btrfs-tree-00);\n   [6.1291]                                lock(fs_reclaim);\n   [6.1581]   lock(\u0026del\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-31T11:39:02.330Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/92a5590851144f034adc51fee55e6878ccac716e"
        },
        {
          "url": "https://git.kernel.org/stable/c/8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347"
        }
      ],
      "title": "btrfs: release path before initializing extent tree in btrfs_read_locked_inode()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23018",
    "datePublished": "2026-01-31T11:39:02.330Z",
    "dateReserved": "2026-01-13T15:37:45.940Z",
    "dateUpdated": "2026-01-31T11:39:02.330Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23018\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-31T12:16:05.100\",\"lastModified\":\"2026-01-31T12:16:05.100\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: release path before initializing extent tree in btrfs_read_locked_inode()\\n\\nIn btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree()\\nwhile holding a path with a read locked leaf from a subvolume tree, and\\nbtrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can\\ntrigger reclaim.\\n\\nThis can create a circular lock dependency which lockdep warns about with\\nthe following splat:\\n\\n   [6.1433] ======================================================\\n   [6.1574] WARNING: possible circular locking dependency detected\\n   [6.1583] 6.18.0+ #4 Tainted: G     U\\n   [6.1591] ------------------------------------------------------\\n   [6.1599] kswapd0/117 is trying to acquire lock:\\n   [6.1606] ffff8d9b6333c5b8 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0\\n   [6.1625]\\n            but task is already holding lock:\\n   [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60\\n   [6.1646]\\n            which lock already depends on the new lock.\\n\\n   [6.1657]\\n            the existing dependency chain (in reverse order) is:\\n   [6.1667]\\n            -\u003e #2 (fs_reclaim){+.+.}-{0:0}:\\n   [6.1677]        fs_reclaim_acquire+0x9d/0xd0\\n   [6.1685]        __kmalloc_cache_noprof+0x59/0x750\\n   [6.1694]        btrfs_init_file_extent_tree+0x90/0x100\\n   [6.1702]        btrfs_read_locked_inode+0xc3/0x6b0\\n   [6.1710]        btrfs_iget+0xbb/0xf0\\n   [6.1716]        btrfs_lookup_dentry+0x3c5/0x8e0\\n   [6.1724]        btrfs_lookup+0x12/0x30\\n   [6.1731]        lookup_open.isra.0+0x1aa/0x6a0\\n   [6.1739]        path_openat+0x5f7/0xc60\\n   [6.1746]        do_filp_open+0xd6/0x180\\n   [6.1753]        do_sys_openat2+0x8b/0xe0\\n   [6.1760]        __x64_sys_openat+0x54/0xa0\\n   [6.1768]        do_syscall_64+0x97/0x3e0\\n   [6.1776]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n   [6.1784]\\n            -\u003e #1 (btrfs-tree-00){++++}-{3:3}:\\n   [6.1794]        lock_release+0x127/0x2a0\\n   [6.1801]        up_read+0x1b/0x30\\n   [6.1808]        btrfs_search_slot+0x8e0/0xff0\\n   [6.1817]        btrfs_lookup_inode+0x52/0xd0\\n   [6.1825]        __btrfs_update_delayed_inode+0x73/0x520\\n   [6.1833]        btrfs_commit_inode_delayed_inode+0x11a/0x120\\n   [6.1842]        btrfs_log_inode+0x608/0x1aa0\\n   [6.1849]        btrfs_log_inode_parent+0x249/0xf80\\n   [6.1857]        btrfs_log_dentry_safe+0x3e/0x60\\n   [6.1865]        btrfs_sync_file+0x431/0x690\\n   [6.1872]        do_fsync+0x39/0x80\\n   [6.1879]        __x64_sys_fsync+0x13/0x20\\n   [6.1887]        do_syscall_64+0x97/0x3e0\\n   [6.1894]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n   [6.1903]\\n            -\u003e #0 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}:\\n   [6.1913]        __lock_acquire+0x15e9/0x2820\\n   [6.1920]        lock_acquire+0xc9/0x2d0\\n   [6.1927]        __mutex_lock+0xcc/0x10a0\\n   [6.1934]        __btrfs_release_delayed_node.part.0+0x39/0x2f0\\n   [6.1944]        btrfs_evict_inode+0x20b/0x4b0\\n   [6.1952]        evict+0x15a/0x2f0\\n   [6.1958]        prune_icache_sb+0x91/0xd0\\n   [6.1966]        super_cache_scan+0x150/0x1d0\\n   [6.1974]        do_shrink_slab+0x155/0x6f0\\n   [6.1981]        shrink_slab+0x48e/0x890\\n   [6.1988]        shrink_one+0x11a/0x1f0\\n   [6.1995]        shrink_node+0xbfd/0x1320\\n   [6.1002]        balance_pgdat+0x67f/0xc60\\n   [6.1321]        kswapd+0x1dc/0x3e0\\n   [6.1643]        kthread+0xff/0x240\\n   [6.1965]        ret_from_fork+0x223/0x280\\n   [6.1287]        ret_from_fork_asm+0x1a/0x30\\n   [6.1616]\\n            other info that might help us debug this:\\n\\n   [6.1561] Chain exists of:\\n              \u0026delayed_node-\u003emutex --\u003e btrfs-tree-00 --\u003e fs_reclaim\\n\\n   [6.1503]  Possible unsafe locking scenario:\\n\\n   [6.1110]        CPU0                    CPU1\\n   [6.1411]        ----                    ----\\n   [6.1707]   lock(fs_reclaim);\\n   [6.1998]                                lock(btrfs-tree-00);\\n   [6.1291]                                lock(fs_reclaim);\\n   [6.1581]   lock(\u0026del\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/92a5590851144f034adc51fee55e6878ccac716e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.