CVE-2026-31598

Source
https://cve.org/CVERecord?id=CVE-2026-31598
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31598.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31598
Published
2026-04-24T14:42:23.304Z
Modified
2026-06-18T03:55:07.262389072Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
ocfs2: fix possible deadlock between unlink and dio_end_io_write
Details

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix possible deadlock between unlink and dio_end_io_write

ocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem, while in ocfs2_dio_end_io_write, it acquires these locks in reverse order. This creates an ABBA lock ordering violation on lock classes ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] and ocfs2_file_ip_alloc_sem_key.

Lock Chain #0 (orphan dir inode_lock -> ip_alloc_sem):
    ocfs2_unlink
      ocfs2_prepare_orphan_dir
        ocfs2_lookup_lock_orphan_dir
          inode_lock(orphan_dir_inode) <- lock A
        __ocfs2_prepare_orphan_dir
          ocfs2_prepare_dir_for_insert
            ocfs2_extend_dir
              ocfs2_expand_inline_dir
                down_write(&oi->ip_alloc_sem) <- Lock B

Lock Chain #1 (ip_alloc_sem -> orphan dir inode_lock):
    ocfs2_dio_end_io_write
      down_write(&oi->ip_alloc_sem) <- Lock B
      ocfs2_del_inode_from_orphan()
        inode_lock(orphan_dir_inode) <- Lock A

Deadlock Scenario:
    CPU0 (unlink)                     CPU1 (dio_end_io_write)
    ------                            ------
    inode_lock(orphan_dir_inode)
                                      down_write(ip_alloc_sem)
    down_write(ip_alloc_sem)
                                      inode_lock(orphan_dir_inode)

ip_alloc_sem protects allocation changes, which are unrelated to the operations in ocfs2_del_inode_from_orphan, so move ocfs2_del_inode_from_orphan out of ip_alloc_sem to fix the deadlock.
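
The ordering violation described above can be reproduced with a small lock-order tracker. This is an added userspace model, not code from the kernel or from this record: the enum names, `acquire`, `release`, `check_ordering` and the two path functions are hypothetical, and the fixed path takes the orphan dir lock after ip_alloc_sem is released, which is an assumption (the text only says the call moves out of ip_alloc_sem).

```c
#include <stdio.h>
/* Constructed model of the two lock classes named in the advisory. */
enum { ORPHAN_DIR_INODE_LOCK, IP_ALLOC_SEM, NCLASS };
struct order_graph { int edge[NCLASS][NCLASS]; }; /* edge[a][b]: b taken while a held */
struct task { int held[NCLASS]; int nheld; };     /* locks one context holds now */

/* Record held->cls edges; return 1 if the reverse order was already seen.
 * With only two classes, a reverse edge is the whole cycle check. */
static int acquire(struct order_graph *g, struct task *t, int cls)
{
    int violation = 0;
    for (int i = 0; i < t->nheld; i++) {
        if (g->edge[cls][t->held[i]]) violation = 1; /* ABBA: opposite order seen */
        g->edge[t->held[i]][cls] = 1;
    }
    t->held[t->nheld++] = cls;
    return violation;
}
static void release(struct task *t) { t->nheld--; } /* LIFO release */

/* Lock chain #0: orphan dir inode_lock, then ip_alloc_sem. */
static int unlink_path(struct order_graph *g)
{
    struct task t = {{0}, 0};
    int v = acquire(g, &t, ORPHAN_DIR_INODE_LOCK);
    v |= acquire(g, &t, IP_ALLOC_SEM);
    release(&t); release(&t);
    return v;
}
/* Lock chain #1; fixed=1 takes the orphan dir lock after ip_alloc_sem is dropped
 * (that placement is this model's assumption). */
static int dio_end_io_write_path(struct order_graph *g, int fixed)
{
    struct task t = {{0}, 0};
    int v = acquire(g, &t, IP_ALLOC_SEM);
    if (!fixed) { v |= acquire(g, &t, ORPHAN_DIR_INODE_LOCK); release(&t); }
    release(&t);
    if (fixed) { v |= acquire(g, &t, ORPHAN_DIR_INODE_LOCK); release(&t); }
    return v;
}
int check_ordering(int fixed) /* 1 = ordering violation found */
{
    struct order_graph g = {{{0}}};
    int v = unlink_path(&g);
    return v | dio_end_io_write_path(&g, fixed);
}
int main(void)
{
    printf("before fix: %d, after fix: %d\n", check_ordering(0), check_ordering(1));
    return 0;
}
```

The tracker flags the inversion without either path ever blocking, because it compares recorded acquisition orders rather than waiting for the two paths to race.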

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31598.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a86a72a4a4e0ec109a98e2737948864ed6794bf7
Fixed
297d8d7bb6a2bf133d3a3636edbdf94101cbd719
Fixed
32630dee18c6bb2175c8a865a474749492eaf19c
Fixed
93f35419eb84d58820040642cb6e7528fe4aba7a
Fixed
4b80b5a838a32437f2cae0662578bac216a2c51a
Fixed
2b884d52273c60c298bd570163e8053657bbaff6
Fixed
bc0fb5c7d54c78be43a536df0e20dee32adb27d3
Fixed
f9fb1a7b635849322e1d7b7b6b26389778ec8e82
Fixed
e049f7a9bd80b7319590789ea5e1c523d6339d91
Fixed
b02da26a992db0c0e2559acbda0fc48d4a2fd337

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31598.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type       Introduced  Fixed
ECOSYSTEM  4.6.0       5.10.258
ECOSYSTEM  5.11.0      5.15.209
ECOSYSTEM  5.16.0      6.1.175
ECOSYSTEM  6.2.0       6.6.136
ECOSYSTEM  6.7.0       6.12.83
ECOSYSTEM  6.13.0      6.18.24
ECOSYSTEM  6.19.0      6.19.14
ECOSYSTEM  6.20.0      7.0.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31598.json"