{"id":"CVE-2026-23018","summary":"btrfs: release path before initializing extent tree in btrfs_read_locked_inode()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before initializing extent tree in btrfs_read_locked_inode()\n\nIn btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree()\nwhile holding a path with a read locked leaf from a subvolume tree, and\nbtrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can\ntrigger reclaim.\n\nThis can create a circular lock dependency which lockdep warns about with\nthe following splat:\n\n   [6.1433] ======================================================\n   [6.1574] WARNING: possible circular locking dependency detected\n   [6.1583] 6.18.0+ #4 Tainted: G     U\n   [6.1591] ------------------------------------------------------\n   [6.1599] kswapd0/117 is trying to acquire lock:\n   [6.1606] ffff8d9b6333c5b8 (&delayed_node-\u003emutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0\n   [6.1625]\n            but task is already holding lock:\n   [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60\n   [6.1646]\n            which lock already depends on the new lock.\n\n   [6.1657]\n            the existing dependency chain (in reverse order) is:\n   [6.1667]\n            -\u003e #2 (fs_reclaim){+.+.}-{0:0}:\n   [6.1677]        fs_reclaim_acquire+0x9d/0xd0\n   [6.1685]        __kmalloc_cache_noprof+0x59/0x750\n   [6.1694]        btrfs_init_file_extent_tree+0x90/0x100\n   [6.1702]        btrfs_read_locked_inode+0xc3/0x6b0\n   [6.1710]        btrfs_iget+0xbb/0xf0\n   [6.1716]        btrfs_lookup_dentry+0x3c5/0x8e0\n   [6.1724]        btrfs_lookup+0x12/0x30\n   [6.1731]        lookup_open.isra.0+0x1aa/0x6a0\n   [6.1739]        path_openat+0x5f7/0xc60\n   [6.1746]        do_filp_open+0xd6/0x180\n   [6.1753]        do_sys_openat2+0x8b/0xe0\n   [6.1760]        __x64_sys_openat+0x54/0xa0\n   [6.1768]        do_syscall_64+0x97/0x3e0\n   [6.1776]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   [6.1784]\n            -\u003e #1 (btrfs-tree-00){++++}-{3:3}:\n   [6.1794]        lock_release+0x127/0x2a0\n   [6.1801]        up_read+0x1b/0x30\n   [6.1808]        btrfs_search_slot+0x8e0/0xff0\n   [6.1817]        btrfs_lookup_inode+0x52/0xd0\n   [6.1825]        __btrfs_update_delayed_inode+0x73/0x520\n   [6.1833]        btrfs_commit_inode_delayed_inode+0x11a/0x120\n   [6.1842]        btrfs_log_inode+0x608/0x1aa0\n   [6.1849]        btrfs_log_inode_parent+0x249/0xf80\n   [6.1857]        btrfs_log_dentry_safe+0x3e/0x60\n   [6.1865]        btrfs_sync_file+0x431/0x690\n   [6.1872]        do_fsync+0x39/0x80\n   [6.1879]        __x64_sys_fsync+0x13/0x20\n   [6.1887]        do_syscall_64+0x97/0x3e0\n   [6.1894]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   [6.1903]\n            -\u003e #0 (&delayed_node-\u003emutex){+.+.}-{3:3}:\n   [6.1913]        __lock_acquire+0x15e9/0x2820\n   [6.1920]        lock_acquire+0xc9/0x2d0\n   [6.1927]        __mutex_lock+0xcc/0x10a0\n   [6.1934]        __btrfs_release_delayed_node.part.0+0x39/0x2f0\n   [6.1944]        btrfs_evict_inode+0x20b/0x4b0\n   [6.1952]        evict+0x15a/0x2f0\n   [6.1958]        prune_icache_sb+0x91/0xd0\n   [6.1966]        super_cache_scan+0x150/0x1d0\n   [6.1974]        do_shrink_slab+0x155/0x6f0\n   [6.1981]        shrink_slab+0x48e/0x890\n   [6.1988]        shrink_one+0x11a/0x1f0\n   [6.1995]        shrink_node+0xbfd/0x1320\n   [6.1002]        balance_pgdat+0x67f/0xc60\n   [6.1321]        kswapd+0x1dc/0x3e0\n   [6.1643]        kthread+0xff/0x240\n   [6.1965]        ret_from_fork+0x223/0x280\n   [6.1287]        ret_from_fork_asm+0x1a/0x30\n   [6.1616]\n            other info that might help us debug this:\n\n   [6.1561] Chain exists of:\n              &delayed_node-\u003emutex --\u003e btrfs-tree-00 --\u003e fs_reclaim\n\n   [6.1503]  Possible unsafe locking scenario:\n\n   [6.1110]        CPU0                    CPU1\n   [6.1411]        ----                    ----\n   [6.1707]   lock(fs_reclaim);\n   [6.1998]                                lock(btrfs-tree-00);\n   [6.1291]                                lock(fs_reclaim);\n   [6.1581]   lock(&del\n---truncated---","modified":"2026-04-02T17:30:07.511243430Z","published":"2026-01-31T11:39:02.330Z","related":["SUSE-SU-2026:20838-1","SUSE-SU-2026:20931-1","openSUSE-SU-2026:20416-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23018.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347"},{"type":"WEB","url":"https://git.kernel.org/stable/c/92a5590851144f034adc51fee55e6878ccac716e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23018.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23018"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8679d2687c351824d08cf1f0e86f3b65f22a00fe"},{"fixed":"92a5590851144f034adc51fee55e6878ccac716e"},{"fixed":"8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"e8f496001e0c7832d188ab91fea294e19a128202"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23018.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.17.0"},{"fixed":"6.18.6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23018.json"}}],"schema_version":"1.7.5"}