CVE-2023-54281

Source
https://cve.org/CVERecord?id=CVE-2023-54281
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54281.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-54281
Published
2025-12-30T12:23:23.122Z
Modified
2026-03-31T17:30:02.374398972Z
Summary
btrfs: release path before inode lookup during the ino lookup ioctl
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: release path before inode lookup during the ino lookup ioctl

During the ino lookup ioctl we can end up calling btrfs_iget() to get an inode reference while we are holding on a root's btree. If btrfs_iget() needs to lookup the inode from the root's btree, because it's not currently loaded in memory, then it will need to lock another or the same path in the same root btree. This may result in a deadlock and trigger the following lockdep splat:

WARNING: possible circular locking dependency detected
6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Not tainted

syz-executor277/5012 is trying to acquire lock:
ffff88802df41710 (btrfs-tree-01){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136

but task is already holding lock:
ffff88802df418e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (btrfs-tree-00){++++}-{3:3}:
       down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645
       __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136
       btrfs_search_slot+0x13a4/0x2f80 fs/btrfs/ctree.c:2302
       btrfs_init_root_free_objectid+0x148/0x320 fs/btrfs/disk-io.c:4955
       btrfs_init_fs_root fs/btrfs/disk-io.c:1128 [inline]
       btrfs_get_root_ref+0x5ae/0xae0 fs/btrfs/disk-io.c:1338
       btrfs_get_fs_root fs/btrfs/disk-io.c:1390 [inline]
       open_ctree+0x29c8/0x3030 fs/btrfs/disk-io.c:3494
       btrfs_fill_super+0x1c7/0x2f0 fs/btrfs/super.c:1154
       btrfs_mount_root+0x7e0/0x910 fs/btrfs/super.c:1519
       legacy_get_tree+0xef/0x190 fs/fs_context.c:611
       vfs_get_tree+0x8c/0x270 fs/super.c:1519
       fc_mount fs/namespace.c:1112 [inline]
       vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142
       btrfs_mount+0x39f/0xb50 fs/btrfs/super.c:1579
       legacy_get_tree+0xef/0x190 fs/fs_context.c:611
       vfs_get_tree+0x8c/0x270 fs/super.c:1519
       do_new_mount+0x28f/0xae0 fs/namespace.c:3335
       do_mount fs/namespace.c:3675 [inline]
       __do_sys_mount fs/namespace.c:3884 [inline]
       __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> #0 (btrfs-tree-01){++++}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3142 [inline]
       check_prevs_add kernel/locking/lockdep.c:3261 [inline]
       validate_chain kernel/locking/lockdep.c:3876 [inline]
       __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144
       lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761
       down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645
       __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136
       btrfs_tree_read_lock fs/btrfs/locking.c:142 [inline]
       btrfs_read_lock_root_node+0x292/0x3c0 fs/btrfs/locking.c:281
       btrfs_search_slot_get_root fs/btrfs/ctree.c:1832 [inline]
       btrfs_search_slot+0x4ff/0x2f80 fs/btrfs/ctree.c:2154
       btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:412
       btrfs_read_locked_inode fs/btrfs/inode.c:3892 [inline]
       btrfs_iget_path+0x2d9/0x1520 fs/btrfs/inode.c:5716
       btrfs_search_path_in_tree_user fs/btrfs/ioctl.c:1961 [inline]
       btrfs_ioctl_ino_lookup_user+0x77a/0xf50 fs/btrfs/ioctl.c:2105
       btrfs_ioctl+0xb0b/0xd40 fs/btrfs/ioctl.c:4683
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:870 [inline]
       __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd

other info ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54281.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
23d0b79dfaed2305b500b0215b0421701ada6b1a
Fixed
7390bb377b5fb3be23cb021e0f184d1f576be7d6
Fixed
380bbd46d61c894a8dcaace09e54bc7426d81014
Fixed
50e385d98b2a52480836ea41c142b81eeeb277af
Fixed
6fdce81e425be112f1ca129776f4041afeaad413
Fixed
ee34a82e890a7babb5585daf1a6dd7d4d1cf142a

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54281.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type       Introduced  Fixed
ECOSYSTEM  4.18.0      5.10.197
ECOSYSTEM  5.11.0      5.15.133
ECOSYSTEM  5.16.0      6.1.55
ECOSYSTEM  6.2.0       6.5.5

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54281.json"