CVE-2024-48875

In the Linux kernel, the following vulnerability has been resolved:

btrfs: don't take dev_replace rwsem on task already holding it

Running fstests btrfs/011 with MKFS_OPTIONS="-O rst" to force the usage of the RAID stripe-tree, we get the following splat from lockdep:

BTRFS info (device sdd): dev_replace from /dev/sdd (devid 1) to /dev/sdb started

============================================ WARNING: possible recursive locking detected 6.11.0-rc3-btrfs-for-next #599 Not tainted

btrfs/2326 is trying to acquire lock: ffff88810f215c98 (&fsinfo->devreplace.rwsem){++++}-{3:3}, at: btrfsmapblock+0x39f/0x2250

but task is already holding lock: ffff88810f215c98 (&fsinfo->devreplace.rwsem){++++}-{3:3}, at: btrfsmapblock+0x39f/0x2250

other info that might help us debug this: Possible unsafe locking scenario:

    CPU0
    ----

lock(&fsinfo->devreplace.rwsem); lock(&fsinfo->devreplace.rwsem);

* DEADLOCK *

May be due to missing lock nesting notation

1 lock held by btrfs/2326: #0: ffff88810f215c98 (&fsinfo->devreplace.rwsem){++++}-{3:3}, at: btrfsmapblock+0x39f/0x2250

stack backtrace: CPU: 1 UID: 0 PID: 2326 Comm: btrfs Not tainted 6.11.0-rc3-btrfs-for-next #599 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dumpstacklvl+0x5b/0x80 lockacquire+0x2798/0x69d0 ? _pfxlockacquire+0x10/0x10 ? pfxlockacquire+0x10/0x10 lockacquire+0x19d/0x4a0 ? btrfsmapblock+0x39f/0x2250 ? _pfxlockacquire+0x10/0x10 ? findheldlock+0x2d/0x110 ? lockisheldtype+0x8f/0x100 downread+0x8e/0x440 ? btrfsmapblock+0x39f/0x2250 ? _pfxdownread+0x10/0x10 ? dorawreadunlock+0x44/0x70 ? rawreadunlock+0x23/0x40 btrfsmapblock+0x39f/0x2250 ? btrfsdevreplacebyioctl+0xd69/0x1d00 ? btrfsbiocounterincblocked+0xd9/0x2e0 ? _kasanslaballoc+0x6e/0x70 ? _pfxbtrfsmapblock+0x10/0x10 ? _pfxbtrfsbiocounterincblocked+0x10/0x10 ? kmemcacheallocnoprof+0x1f2/0x300 ? mempoolallocnoprof+0xed/0x2b0 btrfssubmitchunk+0x28d/0x17e0 ? _pfxbtrfssubmitchunk+0x10/0x10 ? bvecalloc+0xd7/0x1b0 ? bioaddfolio+0x171/0x270 ? _pfxbioaddfolio+0x10/0x10 ? _kasancheckread+0x20/0x20 btrfssubmitbio+0x37/0x80 readextentbufferpages+0x3df/0x6c0 btrfsreadextentbuffer+0x13e/0x5f0 readtreeblock+0x81/0xe0 readblockforsearch+0x4bd/0x7a0 ? _pfxreadblockforsearch+0x10/0x10 btrfssearchslot+0x78d/0x2720 ? _pfxbtrfssearchslot+0x10/0x10 ? lockisheldtype+0x8f/0x100 ? kasansavetrack+0x14/0x30 ? _kasanslaballoc+0x6e/0x70 ? kmemcacheallocnoprof+0x1f2/0x300 btrfsgetraidextentoffset+0x181/0x820 ? _pfxlockacquire+0x10/0x10 ? _pfxbtrfsgetraidextentoffset+0x10/0x10 ? downread+0x194/0x440 ? _pfxdownread+0x10/0x10 ? dorawreadunlock+0x44/0x70 ? rawreadunlock+0x23/0x40 btrfsmapblock+0x5b5/0x2250 ? _pfxbtrfsmapblock+0x10/0x10 scrubsubmitinitialread+0x8fe/0x11b0 ? _pfxscrubsubmitinitialread+0x10/0x10 submitinitialgroupread+0x161/0x3a0 ? lockrelease+0x20e/0x710 ? _pfxsubmitinitialgroupread+0x10/0x10 ? _pfxlockrelease+0x10/0x10 scrubsimplemirror.isra.0+0x3eb/0x580 scrubstripe+0xe4d/0x1440 ? lockrelease+0x20e/0x710 ? _pfxscrubstripe+0x10/0x10 ? _pfxlockrelease+0x10/0x10 ? dorawreadunlock+0x44/0x70 ? rawreadunlock+0x23/0x40 scrubchunk+0x257/0x4a0 scrubenumeratechunks+0x64c/0xf70 ? _mutexunlockslowpath+0x147/0x5f0 ? _pfxscrubenumeratechunks+0x10/0x10 ? bitwaittimeout+0xb0/0x170 ? _upread+0x189/0x700 ? scrubworkersget+0x231/0x300 ? upwrite+0x490/0x4f0 btrfsscrubdev+0x52e/0xcd0 ? creatependingsnapshots+0x230/0x250 ? _pfxbtrfsscrubdev+0x10/0x10 btrfsdevreplacebyioctl+0xd69/0x1d00 ? lockacquire+0x19d/0x4a0 ? _pfxbtrfsdevreplaceby_ioctl+0x10/0x10 ? ---truncated---