{"id":"CVE-2023-54224","summary":"btrfs: fix lockdep splat and potential deadlock after failure running delayed items","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix lockdep splat and potential deadlock after failure running delayed items\n\nWhen running delayed items we are holding a delayed node's mutex and then\nwe will attempt to modify a subvolume btree to insert/update/delete the\ndelayed items. However if have an error during the insertions for example,\nbtrfs_insert_delayed_items() may return with a path that has locked extent\nbuffers (a leaf at the very least), and then we attempt to release the\ndelayed node at __btrfs_run_delayed_items(), which requires taking the\ndelayed node's mutex, causing an ABBA type of deadlock. This was reported\nby syzbot and the lockdep splat is the following:\n\n WARNING: possible circular locking dependency detected\n 6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted\n ------------------------------------------------------\n syz-executor.2/13257 is trying to acquire lock:\n ffff88801835c0c0 (&delayed_node-\u003emutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n\n but task is already holding lock:\n ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -\u003e #1 (btrfs-tree-00){++++}-{3:3}:\n __lock_release kernel/locking/lockdep.c:5475 [inline]\n lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781\n up_write+0x79/0x580 kernel/locking/rwsem.c:1625\n btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline]\n btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239\n search_leaf fs/btrfs/ctree.c:1986 [inline]\n btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230\n btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376\n btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline]\n btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline]\n __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111\n __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153\n flush_space+0x269/0xe70 fs/btrfs/space-info.c:723\n btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078\n process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600\n worker_thread+0xa63/0x1210 kernel/workqueue.c:2751\n kthread+0x2b8/0x350 kernel/kthread.c:389\n ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\n -\u003e #0 (&delayed_node-\u003emutex){+.+.}-{3:3}:\n check_prev_add kernel/locking/lockdep.c:3142 [inline]\n check_prevs_add kernel/locking/lockdep.c:3261 [inline]\n validate_chain kernel/locking/lockdep.c:3876 [inline]\n __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144\n lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761\n __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603\n __mutex_lock kernel/locking/mutex.c:747 [inline]\n mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799\n __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline]\n __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156\n btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276\n btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988\n vfs_fsync_range fs/sync.c:188 [inline]\n vfs_fsync fs/sync.c:202 [inline]\n do_fsync fs/sync.c:212 [inline]\n __do_sys_fsync fs/sync.c:220 [inline]\n __se_sys_fsync fs/sync.c:218 [inline]\n __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n other info that\n---truncated---","modified":"2026-03-31T17:30:04.660793991Z","published":"2025-12-30T12:11:18.076Z","related":["SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:0316-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54224.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/32247b9526bfdaeef85f7339d9b4f913c7370f92"},{"type":"WEB","url":"https://git.kernel.org/stable/c/36d918da3f1bf749178c7daf471a3be1730ed3ca"},{"type":"WEB","url":"https://git.kernel.org/stable/c/779c3cf2749c7a7bad6f839cb2954a25ba92f4d6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e110f8911ddb93e6f55da14ccbbe705397b30d0b"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54224.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54224"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"506650dcb3a716ad98681f7091ba2f8e748c04b8"},{"fixed":"779c3cf2749c7a7bad6f839cb2954a25ba92f4d6"},{"fixed":"32247b9526bfdaeef85f7339d9b4f913c7370f92"},{"fixed":"36d918da3f1bf749178c7daf471a3be1730ed3ca"},{"fixed":"e110f8911ddb93e6f55da14ccbbe705397b30d0b"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54224.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.15.0"},{"fixed":"5.15.133"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.55"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.5.5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54224.json"}}],"schema_version":"1.7.5"}