In the Linux kernel, the following vulnerability has been resolved:
btrfs: don't take dev_replace rwsem on task already holding it
Running fstests btrfs/011 with MKFS_OPTIONS="-O rst" to force the usage of the RAID stripe-tree, we get the following splat from lockdep:
BTRFS info (device sdd): dev_replace from /dev/sdd (devid 1) to /dev/sdb started
============================================
WARNING: possible recursive locking detected
6.11.0-rc3-btrfs-for-next #599 Not tainted
btrfs/2326 is trying to acquire lock:
ffff88810f215c98 (&fs_info->dev_replace.rwsem){++++}-{3:3}, at: btrfs_map_block+0x39f/0x2250

but task is already holding lock:
ffff88810f215c98 (&fs_info->dev_replace.rwsem){++++}-{3:3}, at: btrfs_map_block+0x39f/0x2250

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&fs_info->dev_replace.rwsem);
  lock(&fs_info->dev_replace.rwsem);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

1 lock held by btrfs/2326:
 #0: ffff88810f215c98 (&fs_info->dev_replace.rwsem){++++}-{3:3}, at: btrfs_map_block+0x39f/0x2250

stack backtrace:
CPU: 1 UID: 0 PID: 2326 Comm: btrfs Not tainted 6.11.0-rc3-btrfs-for-next #599
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Call Trace:
 <TASK>
 dump_stack_lvl+0x5b/0x80
 __lock_acquire+0x2798/0x69d0
 ? __pfx_lock_acquire+0x10/0x10
 ? __pfx_lock_acquire+0x10/0x10
 lock_acquire+0x19d/0x4a0
 ? btrfs_map_block+0x39f/0x2250
 ? __pfx_lock_acquire+0x10/0x10
 ? find_held_lock+0x2d/0x110
 ? lock_is_held_type+0x8f/0x100
 down_read+0x8e/0x440
 ? btrfs_map_block+0x39f/0x2250
 ? __pfx_down_read+0x10/0x10
 ? do_raw_read_unlock+0x44/0x70
 ? _raw_read_unlock+0x23/0x40
 btrfs_map_block+0x39f/0x2250
 ? btrfs_dev_replace_by_ioctl+0xd69/0x1d00
 ? btrfs_bio_counter_inc_blocked+0xd9/0x2e0
 ? __kasan_slab_alloc+0x6e/0x70
 ? __pfx_btrfs_map_block+0x10/0x10
 ? __pfx_btrfs_bio_counter_inc_blocked+0x10/0x10
 ? kmem_cache_alloc_noprof+0x1f2/0x300
 ? mempool_alloc_noprof+0xed/0x2b0
 btrfs_submit_chunk+0x28d/0x17e0
 ? __pfx_btrfs_submit_chunk+0x10/0x10
 ? bvec_alloc+0xd7/0x1b0
 ? bio_add_folio+0x171/0x270
 ? __pfx_bio_add_folio+0x10/0x10
 ? __kasan_check_read+0x20/0x20
 btrfs_submit_bio+0x37/0x80
 read_extent_buffer_pages+0x3df/0x6c0
 btrfs_read_extent_buffer+0x13e/0x5f0
 read_tree_block+0x81/0xe0
 read_block_for_search+0x4bd/0x7a0
 ? __pfx_read_block_for_search+0x10/0x10
 btrfs_search_slot+0x78d/0x2720
 ? __pfx_btrfs_search_slot+0x10/0x10
 ? lock_is_held_type+0x8f/0x100
 ? kasan_save_track+0x14/0x30
 ? __kasan_slab_alloc+0x6e/0x70
 ? kmem_cache_alloc_noprof+0x1f2/0x300
 btrfs_get_raid_extent_offset+0x181/0x820
 ? __pfx_lock_acquire+0x10/0x10
 ? __pfx_btrfs_get_raid_extent_offset+0x10/0x10
 ? down_read+0x194/0x440
 ? __pfx_down_read+0x10/0x10
 ? do_raw_read_unlock+0x44/0x70
 ? _raw_read_unlock+0x23/0x40
 btrfs_map_block+0x5b5/0x2250
 ? __pfx_btrfs_map_block+0x10/0x10
 scrub_submit_initial_read+0x8fe/0x11b0
 ? __pfx_scrub_submit_initial_read+0x10/0x10
 submit_initial_group_read+0x161/0x3a0
 ? lock_release+0x20e/0x710
 ? __pfx_submit_initial_group_read+0x10/0x10
 ? __pfx_lock_release+0x10/0x10
 scrub_simple_mirror.isra.0+0x3eb/0x580
 scrub_stripe+0xe4d/0x1440
 ? lock_release+0x20e/0x710
 ? __pfx_scrub_stripe+0x10/0x10
 ? __pfx_lock_release+0x10/0x10
 ? do_raw_read_unlock+0x44/0x70
 ? _raw_read_unlock+0x23/0x40
 scrub_chunk+0x257/0x4a0
 scrub_enumerate_chunks+0x64c/0xf70
 ? __mutex_unlock_slowpath+0x147/0x5f0
 ? __pfx_scrub_enumerate_chunks+0x10/0x10
 ? bit_wait_timeout+0xb0/0x170
 ? __up_read+0x189/0x700
 ? scrub_workers_get+0x231/0x300
 ? up_write+0x490/0x4f0
 btrfs_scrub_dev+0x52e/0xcd0
 ? create_pending_snapshots+0x230/0x250
 ? __pfx_btrfs_scrub_dev+0x10/0x10
 btrfs_dev_replace_by_ioctl+0xd69/0x1d00
 ? lock_acquire+0x19d/0x4a0
 ? __pfx_btrfs_dev_replace_by_ioctl+0x10/0x10
 ? ---truncated---
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/48xxx/CVE-2024-48875.json"
}