CVE-2023-54281 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/380bbd46d61c894a8dcaace09e54bc7426d81014
https://git.kernel.org/stable/c/50e385d98b2a52480836ea41c142b81eeeb277af
https://git.kernel.org/stable/c/6fdce81e425be112f1ca129776f4041afeaad413
https://git.kernel.org/stable/c/7390bb377b5fb3be23cb021e0f184d1f576be7d6
https://git.kernel.org/stable/c/ee34a82e890a7babb5585daf1a6dd7d4d1cf142a

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before inode lookup during the ino lookup ioctl During the ino lookup ioctl we can end up calling btrfs_iget() to get an inode reference while we are holding on a root's btree. If btrfs_iget() needs to lookup the inode from the root's btree, because it's not currently loaded in memory, then it will need to lock another or the same path in the same root btree. This may result in a deadlock and trigger the following lockdep splat: WARNING: possible circular locking dependency detected 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Not tainted ------------------------------------------------------ syz-executor277/5012 is trying to acquire lock: ffff88802df41710 (btrfs-tree-01){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 but task is already holding lock: ffff88802df418e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-tree-00){++++}-{3:3}: down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645 __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 btrfs_search_slot+0x13a4/0x2f80 fs/btrfs/ctree.c:2302 btrfs_init_root_free_objectid+0x148/0x320 fs/btrfs/disk-io.c:4955 btrfs_init_fs_root fs/btrfs/disk-io.c:1128 [inline] btrfs_get_root_ref+0x5ae/0xae0 fs/btrfs/disk-io.c:1338 btrfs_get_fs_root fs/btrfs/disk-io.c:1390 [inline] open_ctree+0x29c8/0x3030 fs/btrfs/disk-io.c:3494 btrfs_fill_super+0x1c7/0x2f0 fs/btrfs/super.c:1154 btrfs_mount_root+0x7e0/0x910 fs/btrfs/super.c:1519 legacy_get_tree+0xef/0x190 fs/fs_context.c:611 vfs_get_tree+0x8c/0x270 fs/super.c:1519 fc_mount fs/namespace.c:1112 [inline] vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142 btrfs_mount+0x39f/0xb50 fs/btrfs/super.c:1579 legacy_get_tree+0xef/0x190 fs/fs_context.c:611 vfs_get_tree+0x8c/0x270 fs/super.c:1519 do_new_mount+0x28f/0xae0 fs/namespace.c:3335 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd -> #0 (btrfs-tree-01){++++}-{3:3}: check_prev_add kernel/locking/lockdep.c:3142 [inline] check_prevs_add kernel/locking/lockdep.c:3261 [inline] validate_chain kernel/locking/lockdep.c:3876 [inline] __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144 lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761 down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645 __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 btrfs_tree_read_lock fs/btrfs/locking.c:142 [inline] btrfs_read_lock_root_node+0x292/0x3c0 fs/btrfs/locking.c:281 btrfs_search_slot_get_root fs/btrfs/ctree.c:1832 [inline] btrfs_search_slot+0x4ff/0x2f80 fs/btrfs/ctree.c:2154 btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:412 btrfs_read_locked_inode fs/btrfs/inode.c:3892 [inline] btrfs_iget_path+0x2d9/0x1520 fs/btrfs/inode.c:5716 btrfs_search_path_in_tree_user fs/btrfs/ioctl.c:1961 [inline] btrfs_ioctl_ino_lookup_user+0x77a/0xf50 fs/btrfs/ioctl.c:2105 btrfs_ioctl+0xb0b/0xd40 fs/btrfs/ioctl.c:4683 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd other info ---truncated---
Title		btrfs: release path before inode lookup during the ino lookup ioctl
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/380bbd46d61c894a8dcaace09e54bc7426d81014 https://git.kernel.org/stable/c/50e385d98b2a52480836ea41c142b81eeeb277af https://git.kernel.org/stable/c/6fdce81e425be112f1ca129776f4041afeaad413 https://git.kernel.org/stable/c/7390bb377b5fb3be23cb021e0f184d1f576be7d6 https://git.kernel.org/stable/c/ee34a82e890a7babb5585daf1a6dd7d4d1cf142a

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54281", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-30T12:06:44.525Z", "datePublished": "2025-12-30T12:23:23.122Z", "dateUpdated": "2025-12-30T12:23:23.122Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-30T12:23:23.122Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before inode lookup during the ino lookup ioctl\n\nDuring the ino lookup ioctl we can end up calling btrfs_iget() to get an\ninode reference while we are holding on a root's btree. If btrfs_iget()\nneeds to lookup the inode from the root's btree, because it's not\ncurrently loaded in memory, then it will need to lock another or the\nsame path in the same root btree. This may result in a deadlock and\ntrigger the following lockdep splat:\n\n WARNING: possible circular locking dependency detected\n 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Not tainted\n ------------------------------------------------------\n syz-executor277/5012 is trying to acquire lock:\n ffff88802df41710 (btrfs-tree-01){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n\n but task is already holding lock:\n ffff88802df418e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -> #1 (btrfs-tree-00){++++}-{3:3}:\n down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645\n __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n btrfs_search_slot+0x13a4/0x2f80 fs/btrfs/ctree.c:2302\n btrfs_init_root_free_objectid+0x148/0x320 fs/btrfs/disk-io.c:4955\n btrfs_init_fs_root fs/btrfs/disk-io.c:1128 [inline]\n btrfs_get_root_ref+0x5ae/0xae0 fs/btrfs/disk-io.c:1338\n btrfs_get_fs_root fs/btrfs/disk-io.c:1390 [inline]\n open_ctree+0x29c8/0x3030 fs/btrfs/disk-io.c:3494\n btrfs_fill_super+0x1c7/0x2f0 fs/btrfs/super.c:1154\n btrfs_mount_root+0x7e0/0x910 fs/btrfs/super.c:1519\n legacy_get_tree+0xef/0x190 fs/fs_context.c:611\n vfs_get_tree+0x8c/0x270 fs/super.c:1519\n fc_mount fs/namespace.c:1112 [inline]\n vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142\n btrfs_mount+0x39f/0xb50 fs/btrfs/super.c:1579\n legacy_get_tree+0xef/0x190 fs/fs_context.c:611\n vfs_get_tree+0x8c/0x270 fs/super.c:1519\n do_new_mount+0x28f/0xae0 fs/namespace.c:3335\n do_mount fs/namespace.c:3675 [inline]\n __do_sys_mount fs/namespace.c:3884 [inline]\n __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n -> #0 (btrfs-tree-01){++++}-{3:3}:\n check_prev_add kernel/locking/lockdep.c:3142 [inline]\n check_prevs_add kernel/locking/lockdep.c:3261 [inline]\n validate_chain kernel/locking/lockdep.c:3876 [inline]\n __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144\n lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761\n down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645\n __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n btrfs_tree_read_lock fs/btrfs/locking.c:142 [inline]\n btrfs_read_lock_root_node+0x292/0x3c0 fs/btrfs/locking.c:281\n btrfs_search_slot_get_root fs/btrfs/ctree.c:1832 [inline]\n btrfs_search_slot+0x4ff/0x2f80 fs/btrfs/ctree.c:2154\n btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:412\n btrfs_read_locked_inode fs/btrfs/inode.c:3892 [inline]\n btrfs_iget_path+0x2d9/0x1520 fs/btrfs/inode.c:5716\n btrfs_search_path_in_tree_user fs/btrfs/ioctl.c:1961 [inline]\n btrfs_ioctl_ino_lookup_user+0x77a/0xf50 fs/btrfs/ioctl.c:2105\n btrfs_ioctl+0xb0b/0xd40 fs/btrfs/ioctl.c:4683\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n other info \n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/ioctl.c"], "versions": [{"version": "23d0b79dfaed2305b500b0215b0421701ada6b1a", "lessThan": "7390bb377b5fb3be23cb021e0f184d1f576be7d6", "status": "affected", "versionType": "git"}, {"version": "23d0b79dfaed2305b500b0215b0421701ada6b1a", "lessThan": "380bbd46d61c894a8dcaace09e54bc7426d81014", "status": "affected", "versionType": "git"}, {"version": "23d0b79dfaed2305b500b0215b0421701ada6b1a", "lessThan": "50e385d98b2a52480836ea41c142b81eeeb277af", "status": "affected", "versionType": "git"}, {"version": "23d0b79dfaed2305b500b0215b0421701ada6b1a", "lessThan": "6fdce81e425be112f1ca129776f4041afeaad413", "status": "affected", "versionType": "git"}, {"version": "23d0b79dfaed2305b500b0215b0421701ada6b1a", "lessThan": "ee34a82e890a7babb5585daf1a6dd7d4d1cf142a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/ioctl.c"], "versions": [{"version": "4.18", "status": "affected"}, {"version": "0", "lessThan": "4.18", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.197", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.133", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.55", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.5.5", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "5.10.197"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "5.15.133"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "6.1.55"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "6.5.5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "6.6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7390bb377b5fb3be23cb021e0f184d1f576be7d6"}, {"url": "https://git.kernel.org/stable/c/380bbd46d61c894a8dcaace09e54bc7426d81014"}, {"url": "https://git.kernel.org/stable/c/50e385d98b2a52480836ea41c142b81eeeb277af"}, {"url": "https://git.kernel.org/stable/c/6fdce81e425be112f1ca129776f4041afeaad413"}, {"url": "https://git.kernel.org/stable/c/ee34a82e890a7babb5585daf1a6dd7d4d1cf142a"}], "title": "btrfs: release path before inode lookup during the ino lookup ioctl", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before inode lookup during the ino lookup ioctl\n\nDuring the ino lookup ioctl we can end up calling btrfs_iget() to get an\ninode reference while we are holding on a root's btree. If btrfs_iget()\nneeds to lookup the inode from the root's btree, because it's not\ncurrently loaded in memory, then it will need to lock another or the\nsame path in the same root btree. This may result in a deadlock and\ntrigger the following lockdep splat:\n\n WARNING: possible circular locking dependency detected\n 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Not tainted\n ------------------------------------------------------\n syz-executor277/5012 is trying to acquire lock:\n ffff88802df41710 (btrfs-tree-01){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n\n but task is already holding lock:\n ffff88802df418e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -> #1 (btrfs-tree-00){++++}-{3:3}:\n down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645\n __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n btrfs_search_slot+0x13a4/0x2f80 fs/btrfs/ctree.c:2302\n btrfs_init_root_free_objectid+0x148/0x320 fs/btrfs/disk-io.c:4955\n btrfs_init_fs_root fs/btrfs/disk-io.c:1128 [inline]\n btrfs_get_root_ref+0x5ae/0xae0 fs/btrfs/disk-io.c:1338\n btrfs_get_fs_root fs/btrfs/disk-io.c:1390 [inline]\n open_ctree+0x29c8/0x3030 fs/btrfs/disk-io.c:3494\n btrfs_fill_super+0x1c7/0x2f0 fs/btrfs/super.c:1154\n btrfs_mount_root+0x7e0/0x910 fs/btrfs/super.c:1519\n legacy_get_tree+0xef/0x190 fs/fs_context.c:611\n vfs_get_tree+0x8c/0x270 fs/super.c:1519\n fc_mount fs/namespace.c:1112 [inline]\n vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142\n btrfs_mount+0x39f/0xb50 fs/btrfs/super.c:1579\n legacy_get_tree+0xef/0x190 fs/fs_context.c:611\n vfs_get_tree+0x8c/0x270 fs/super.c:1519\n do_new_mount+0x28f/0xae0 fs/namespace.c:3335\n do_mount fs/namespace.c:3675 [inline]\n __do_sys_mount fs/namespace.c:3884 [inline]\n __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n -> #0 (btrfs-tree-01){++++}-{3:3}:\n check_prev_add kernel/locking/lockdep.c:3142 [inline]\n check_prevs_add kernel/locking/lockdep.c:3261 [inline]\n validate_chain kernel/locking/lockdep.c:3876 [inline]\n __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144\n lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761\n down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645\n __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n btrfs_tree_read_lock fs/btrfs/locking.c:142 [inline]\n btrfs_read_lock_root_node+0x292/0x3c0 fs/btrfs/locking.c:281\n btrfs_search_slot_get_root fs/btrfs/ctree.c:1832 [inline]\n btrfs_search_slot+0x4ff/0x2f80 fs/btrfs/ctree.c:2154\n btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:412\n btrfs_read_locked_inode fs/btrfs/inode.c:3892 [inline]\n btrfs_iget_path+0x2d9/0x1520 fs/btrfs/inode.c:5716\n btrfs_search_path_in_tree_user fs/btrfs/ioctl.c:1961 [inline]\n btrfs_ioctl_ino_lookup_user+0x77a/0xf50 fs/btrfs/ioctl.c:2105\n btrfs_ioctl+0xb0b/0xd40 fs/btrfs/ioctl.c:4683\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n other info \n---truncated---"}], "id": "CVE-2023-54281", "lastModified": "2025-12-30T13:16:17.070", "metrics": {}, "published": "2025-12-30T13:16:17.070", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/380bbd46d61c894a8dcaace09e54bc7426d81014"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/50e385d98b2a52480836ea41c142b81eeeb277af"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6fdce81e425be112f1ca129776f4041afeaad413"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7390bb377b5fb3be23cb021e0f184d1f576be7d6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ee34a82e890a7babb5585daf1a6dd7d4d1cf142a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object