In the Linux kernel, the following vulnerability has been resolved:
btrfs: don't take dev_replace rwsem on task already holding it
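Running fstests btrfs/011 with MKFS_OPTIONS="-O rst" to force the usage of the RAID stripe-tree, we get the following splat from lockdep. The backtrace shows btrfs_map_block() being re-entered through the stripe-tree lookup (btrfs_get_raid_extent_offset()) and calling down_read() on the dev_replace rwsem that the same task already holds: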
BTRFS info (device sdd): dev_replace from /dev/sdd (devid 1) to /dev/sdb started
============================================ WARNING: possible recursive locking detected 6.11.0-rc3-btrfs-for-next #599 Not tainted
btrfs/2326 is trying to acquire lock: ffff88810f215c98 (&fs_info->dev_replace.rwsem){++++}-{3:3}, at: btrfs_map_block+0x39f/0x2250
but task is already holding lock: ffff88810f215c98 (&fs_info->dev_replace.rwsem){++++}-{3:3}, at: btrfs_map_block+0x39f/0x2250
other info that might help us debug this: Possible unsafe locking scenario:
       CPU0
       ----
  lock(&fs_info->dev_replace.rwsem);
  lock(&fs_info->dev_replace.rwsem);

 *** DEADLOCK ***
May be due to missing lock nesting notation
1 lock held by btrfs/2326: #0: ffff88810f215c98 (&fs_info->dev_replace.rwsem){++++}-{3:3}, at: btrfs_map_block+0x39f/0x2250
stack backtrace: CPU: 1 UID: 0 PID: 2326 Comm: btrfs Not tainted 6.11.0-rc3-btrfs-for-next #599 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dumpstacklvl+0x5b/0x80 lockacquire+0x2798/0x69d0 ? _pfxlockacquire+0x10/0x10 ? pfxlockacquire+0x10/0x10 lockacquire+0x19d/0x4a0 ? btrfsmapblock+0x39f/0x2250 ? _pfxlockacquire+0x10/0x10 ? findheldlock+0x2d/0x110 ? lockisheldtype+0x8f/0x100 downread+0x8e/0x440 ? btrfsmapblock+0x39f/0x2250 ? _pfxdownread+0x10/0x10 ? dorawreadunlock+0x44/0x70 ? rawreadunlock+0x23/0x40 btrfsmapblock+0x39f/0x2250 ? btrfsdevreplacebyioctl+0xd69/0x1d00 ? btrfsbiocounterincblocked+0xd9/0x2e0 ? _kasanslaballoc+0x6e/0x70 ? _pfxbtrfsmapblock+0x10/0x10 ? _pfxbtrfsbiocounterincblocked+0x10/0x10 ? kmemcacheallocnoprof+0x1f2/0x300 ? mempoolallocnoprof+0xed/0x2b0 btrfssubmitchunk+0x28d/0x17e0 ? _pfxbtrfssubmitchunk+0x10/0x10 ? bvecalloc+0xd7/0x1b0 ? bioaddfolio+0x171/0x270 ? _pfxbioaddfolio+0x10/0x10 ? _kasancheckread+0x20/0x20 btrfssubmitbio+0x37/0x80 readextentbufferpages+0x3df/0x6c0 btrfsreadextentbuffer+0x13e/0x5f0 readtreeblock+0x81/0xe0 readblockforsearch+0x4bd/0x7a0 ? _pfxreadblockforsearch+0x10/0x10 btrfssearchslot+0x78d/0x2720 ? _pfxbtrfssearchslot+0x10/0x10 ? lockisheldtype+0x8f/0x100 ? kasansavetrack+0x14/0x30 ? _kasanslaballoc+0x6e/0x70 ? kmemcacheallocnoprof+0x1f2/0x300 btrfsgetraidextentoffset+0x181/0x820 ? _pfxlockacquire+0x10/0x10 ? _pfxbtrfsgetraidextentoffset+0x10/0x10 ? downread+0x194/0x440 ? _pfxdownread+0x10/0x10 ? dorawreadunlock+0x44/0x70 ? rawreadunlock+0x23/0x40 btrfsmapblock+0x5b5/0x2250 ? _pfxbtrfsmapblock+0x10/0x10 scrubsubmitinitialread+0x8fe/0x11b0 ? _pfxscrubsubmitinitialread+0x10/0x10 submitinitialgroupread+0x161/0x3a0 ? lockrelease+0x20e/0x710 ? _pfxsubmitinitialgroupread+0x10/0x10 ? _pfxlockrelease+0x10/0x10 scrubsimplemirror.isra.0+0x3eb/0x580 scrubstripe+0xe4d/0x1440 ? lockrelease+0x20e/0x710 ? _pfxscrubstripe+0x10/0x10 ? _pfxlockrelease+0x10/0x10 ? dorawreadunlock+0x44/0x70 ? 
rawreadunlock+0x23/0x40 scrubchunk+0x257/0x4a0 scrubenumeratechunks+0x64c/0xf70 ? _mutexunlockslowpath+0x147/0x5f0 ? _pfxscrubenumeratechunks+0x10/0x10 ? bitwaittimeout+0xb0/0x170 ? _upread+0x189/0x700 ? scrubworkersget+0x231/0x300 ? upwrite+0x490/0x4f0 btrfsscrubdev+0x52e/0xcd0 ? creatependingsnapshots+0x230/0x250 ? _pfxbtrfsscrubdev+0x10/0x10 btrfsdevreplacebyioctl+0xd69/0x1d00 ? lockacquire+0x19d/0x4a0 ? _pfxbtrfsdevreplaceby_ioctl+0x10/0x10 ? ---truncated---
{ "vanir_signatures": [ { "id": "CVE-2024-48875-301d89a9", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "89561053188062163029658491163874700937", "194584017845549186669406989830946904873", "301991668634536301789193890540834634240", "78375566297952529764411803250480451557", "26894147528213403367125085869983156717", "221188941688427712358742053933472484945", "188362393354282505439843655228169753731", "127248478674938930911215455501749707548", "292421774870989317863501154544117786622", "105682173196129669477966105957798509029" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8cca35cb29f81eba3e96ec44dad8696c8a2f9138", "target": { "file": "fs/btrfs/volumes.c" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-40ff83aa", "signature_type": "Function", "digest": { "function_hash": "321384248411613528145615277520393830547", "length": 3168.0 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a2e99dcd7aafa9d474f7d9b0740b8f93c4e156c2", "target": { "file": "fs/btrfs/dev-replace.c", "function": "btrfs_dev_replace_finishing" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-48a8b80e", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "187502556001984696808493845974888326882", "178937225821511399134776831020525004714", "167713437092058063124493208162469996127", "316411750668308083648712356741829451418" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a2e99dcd7aafa9d474f7d9b0740b8f93c4e156c2", "target": { "file": "fs/btrfs/fs.h" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-56b62ac4", "signature_type": "Function", "digest": { "function_hash": "117217873426049199888624910397438744128", "length": 2604.0 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a5bc4e030f50fdbb1fbc69acc1e0c5f57c79d044", "target": { "file": 
"fs/btrfs/dev-replace.c", "function": "btrfs_dev_replace_start" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-821a5216", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "335275501569059475363812136912633769850", "101232250375157872764717707299751717165", "245799082626741175977740466252681439337", "30544346098459035191744051950458038321", "86106467650098893411820797124969546362", "89547665351660424246365823982881355711", "162548783659272824852258801024308188705" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8cca35cb29f81eba3e96ec44dad8696c8a2f9138", "target": { "file": "fs/btrfs/dev-replace.c" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-86bd5c89", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "335275501569059475363812136912633769850", "101232250375157872764717707299751717165", "245799082626741175977740466252681439337", "30544346098459035191744051950458038321", "86106467650098893411820797124969546362", "89547665351660424246365823982881355711", "162548783659272824852258801024308188705" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a5bc4e030f50fdbb1fbc69acc1e0c5f57c79d044", "target": { "file": "fs/btrfs/dev-replace.c" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-94b407f3", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "89561053188062163029658491163874700937", "194584017845549186669406989830946904873", "301991668634536301789193890540834634240", "78375566297952529764411803250480451557", "26894147528213403367125085869983156717", "221188941688427712358742053933472484945", "188362393354282505439843655228169753731", "127248478674938930911215455501749707548", "292421774870989317863501154544117786622", "105682173196129669477966105957798509029" ] }, "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a2e99dcd7aafa9d474f7d9b0740b8f93c4e156c2", "target": { "file": "fs/btrfs/volumes.c" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-97c8b0c3", "signature_type": "Function", "digest": { "function_hash": "107843660177074191282425599301340474230", "length": 3367.0 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8cca35cb29f81eba3e96ec44dad8696c8a2f9138", "target": { "file": "fs/btrfs/volumes.c", "function": "btrfs_map_block" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-9bbd9d45", "signature_type": "Function", "digest": { "function_hash": "308912161650627461267980648378145172946", "length": 2591.0 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8cca35cb29f81eba3e96ec44dad8696c8a2f9138", "target": { "file": "fs/btrfs/dev-replace.c", "function": "btrfs_dev_replace_start" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-a3d844f7", "signature_type": "Function", "digest": { "function_hash": "321384248411613528145615277520393830547", "length": 3168.0 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8cca35cb29f81eba3e96ec44dad8696c8a2f9138", "target": { "file": "fs/btrfs/dev-replace.c", "function": "btrfs_dev_replace_finishing" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-a592edab", "signature_type": "Function", "digest": { "function_hash": "107843660177074191282425599301340474230", "length": 3367.0 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a2e99dcd7aafa9d474f7d9b0740b8f93c4e156c2", "target": { "file": "fs/btrfs/volumes.c", "function": "btrfs_map_block" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-aa42b3d1", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "2876197192469214935729078588327206018", 
"216717582279630876369202707371799100115", "88517014379399857760101107655176922457", "78375566297952529764411803250480451557", "234017748492663177094779612603676175262", "62020584373305025149915835719436704522", "304783684469304637757541248390078868492", "329363458056983769297785097265624572140", "292421774870989317863501154544117786622", "105682173196129669477966105957798509029" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a5bc4e030f50fdbb1fbc69acc1e0c5f57c79d044", "target": { "file": "fs/btrfs/volumes.c" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-acad1ae7", "signature_type": "Function", "digest": { "function_hash": "164113701932556696351960039835133790047", "length": 3210.0 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a5bc4e030f50fdbb1fbc69acc1e0c5f57c79d044", "target": { "file": "fs/btrfs/dev-replace.c", "function": "btrfs_dev_replace_finishing" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-b56234c3", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "187502556001984696808493845974888326882", "178937225821511399134776831020525004714", "167713437092058063124493208162469996127", "316411750668308083648712356741829451418" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8cca35cb29f81eba3e96ec44dad8696c8a2f9138", "target": { "file": "fs/btrfs/fs.h" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-c11defe9", "signature_type": "Function", "digest": { "function_hash": "308912161650627461267980648378145172946", "length": 2591.0 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a2e99dcd7aafa9d474f7d9b0740b8f93c4e156c2", "target": { "file": "fs/btrfs/dev-replace.c", "function": "btrfs_dev_replace_start" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-ea7a342a", "signature_type": "Function", "digest": { 
"function_hash": "313170960301980861348486250199948442951", "length": 3720.0 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a5bc4e030f50fdbb1fbc69acc1e0c5f57c79d044", "target": { "file": "fs/btrfs/volumes.c", "function": "btrfs_map_block" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-fa3e5248", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "187502556001984696808493845974888326882", "178937225821511399134776831020525004714", "167713437092058063124493208162469996127", "316411750668308083648712356741829451418" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a5bc4e030f50fdbb1fbc69acc1e0c5f57c79d044", "target": { "file": "fs/btrfs/fs.h" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2024-48875-fed76acf", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "335275501569059475363812136912633769850", "101232250375157872764717707299751717165", "245799082626741175977740466252681439337", "30544346098459035191744051950458038321", "86106467650098893411820797124969546362", "89547665351660424246365823982881355711", "162548783659272824852258801024308188705" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a2e99dcd7aafa9d474f7d9b0740b8f93c4e156c2", "target": { "file": "fs/btrfs/dev-replace.c" }, "deprecated": false, "signature_version": "v1" } ] }