CVE-2023-54281
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
30/12/2025
Last modified:
30/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: release path before inode lookup during the ino lookup ioctl

During the ino lookup ioctl we can end up calling btrfs_iget() to get an
inode reference while we are holding on a root's btree. If btrfs_iget()
needs to look up the inode from the root's btree, because it's not
currently loaded in memory, then it will need to lock another or the
same path in the same root btree. This may result in a deadlock and
trigger the following lockdep splat:

WARNING: possible circular locking dependency detected
6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Not tainted
------------------------------------------------------
syz-executor277/5012 is trying to acquire lock:
ffff88802df41710 (btrfs-tree-01){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136

but task is already holding lock:
ffff88802df418e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (btrfs-tree-00){++++}-{3:3}:
down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645
__btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136
btrfs_search_slot+0x13a4/0x2f80 fs/btrfs/ctree.c:2302
btrfs_init_root_free_objectid+0x148/0x320 fs/btrfs/disk-io.c:4955
btrfs_init_fs_root fs/btrfs/disk-io.c:1128 [inline]
btrfs_get_root_ref+0x5ae/0xae0 fs/btrfs/disk-io.c:1338
btrfs_get_fs_root fs/btrfs/disk-io.c:1390 [inline]
open_ctree+0x29c8/0x3030 fs/btrfs/disk-io.c:3494
btrfs_fill_super+0x1c7/0x2f0 fs/btrfs/super.c:1154
btrfs_mount_root+0x7e0/0x910 fs/btrfs/super.c:1519
legacy_get_tree+0xef/0x190 fs/fs_context.c:611
vfs_get_tree+0x8c/0x270 fs/super.c:1519
fc_mount fs/namespace.c:1112 [inline]
vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142
btrfs_mount+0x39f/0xb50 fs/btrfs/super.c:1579
legacy_get_tree+0xef/0x190 fs/fs_context.c:611
vfs_get_tree+0x8c/0x270 fs/super.c:1519
do_new_mount+0x28f/0xae0 fs/namespace.c:3335
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> #0 (btrfs-tree-01){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3142 [inline]
check_prevs_add kernel/locking/lockdep.c:3261 [inline]
validate_chain kernel/locking/lockdep.c:3876 [inline]
__lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144
lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761
down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645
__btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136
btrfs_tree_read_lock fs/btrfs/locking.c:142 [inline]
btrfs_read_lock_root_node+0x292/0x3c0 fs/btrfs/locking.c:281
btrfs_search_slot_get_root fs/btrfs/ctree.c:1832 [inline]
btrfs_search_slot+0x4ff/0x2f80 fs/btrfs/ctree.c:2154
btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:412
btrfs_read_locked_inode fs/btrfs/inode.c:3892 [inline]
btrfs_iget_path+0x2d9/0x1520 fs/btrfs/inode.c:5716
btrfs_search_path_in_tree_user fs/btrfs/ioctl.c:1961 [inline]
btrfs_ioctl_ino_lookup_user+0x77a/0xf50 fs/btrfs/ioctl.c:2105
btrfs_ioctl+0xb0b/0xd40 fs/btrfs/ioctl.c:4683
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

other info
---truncated---
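
Added illustration (not kernel code and not part of the original commit): a user-space model of the lock-order tracking behind the splat above, run once with the path kept across the inode lookup and once with it released first. It assumes btrfs-tree-01 is the parent level and btrfs-tree-00 the leaf, and that a tree search locks top-down and leaves only the leaf locked; order_graph, acquire(), search_slot() and ino_lookup() are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { LEAF = 0, PARENT = 1, NCLASS = 2 }; /* btrfs-tree-00, btrfs-tree-01 (assumed mapping) */

struct order_graph { bool edge[NCLASS][NCLASS]; }; /* edge[a][b]: b was taken while a was held */
struct task { bool held[NCLASS]; };

/* True if class `to` can be reached from `from` through recorded edges. */
static bool reachable(const struct order_graph *g, int from, int to, bool *seen) {
    if (from == to) return true;
    seen[from] = true;
    for (int n = 0; n < NCLASS; n++)
        if (g->edge[from][n] && !seen[n] && reachable(g, n, to, seen)) return true;
    return false;
}

/* Take class c; returns false when the new edge closes a cycle (order inversion). */
static bool acquire(struct order_graph *g, struct task *t, int c) {
    bool ok = true;
    for (int h = 0; h < NCLASS; h++) {
        if (!t->held[h] || h == c) continue;
        bool seen[NCLASS] = { false };
        if (reachable(g, c, h, seen)) ok = false; /* c -> ... -> h is already recorded */
        g->edge[h][c] = true;
    }
    t->held[c] = true;
    return ok;
}

/* Model of a tree search: lock parent, then leaf, then drop the parent. */
static bool search_slot(struct order_graph *g, struct task *t) {
    bool ok = acquire(g, t, PARENT);
    ok = acquire(g, t, LEAF) && ok;
    t->held[PARENT] = false;
    return ok;
}

/* Model of the ioctl: search, optionally release the path, then look up the inode. */
static bool ino_lookup(bool release_path_first) {
    struct order_graph g = { 0 };
    struct task t = { 0 };
    bool ok = search_slot(&g, &t);                       /* ioctl's own search keeps the leaf locked */
    if (release_path_first) memset(&t, 0, sizeof t);     /* the fix: drop the path first */
    return search_slot(&g, &t) && ok;                    /* inode not in memory: second search */
}

int main(void) {
    printf("path held:     %s\n", ino_lookup(false) ? "ok" : "circular dependency");
    printf("path released: %s\n", ino_lookup(true) ? "ok" : "circular dependency");
    return 0;
}
```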
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/380bbd46d61c894a8dcaace09e54bc7426d81014
- https://git.kernel.org/stable/c/50e385d98b2a52480836ea41c142b81eeeb277af
- https://git.kernel.org/stable/c/6fdce81e425be112f1ca129776f4041afeaad413
- https://git.kernel.org/stable/c/7390bb377b5fb3be23cb021e0f184d1f576be7d6
- https://git.kernel.org/stable/c/ee34a82e890a7babb5585daf1a6dd7d4d1cf142a



