{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-54224","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-30T12:06:44.501Z","datePublished":"2025-12-30T12:11:18.076Z","dateUpdated":"2026-05-11T19:57:50.965Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:57:50.965Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix lockdep splat and potential deadlock after failure running delayed items\n\nWhen running delayed items we are holding a delayed node's mutex and then\nwe will attempt to modify a subvolume btree to insert/update/delete the\ndelayed items. However if have an error during the insertions for example,\nbtrfs_insert_delayed_items() may return with a path that has locked extent\nbuffers (a leaf at the very least), and then we attempt to release the\ndelayed node at __btrfs_run_delayed_items(), which requires taking the\ndelayed node's mutex, causing an ABBA type of deadlock. This was reported\nby syzbot and the lockdep splat is the following:\n\n  WARNING: possible circular locking dependency detected\n  6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted\n  ------------------------------------------------------\n  syz-executor.2/13257 is trying to acquire lock:\n  ffff88801835c0c0 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n\n  but task is already holding lock:\n  ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198\n\n  which lock already depends on the new lock.\n\n  the existing dependency chain (in reverse order) is:\n\n  -> #1 (btrfs-tree-00){++++}-{3:3}:\n         __lock_release kernel/locking/lockdep.c:5475 [inline]\n         lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781\n         up_write+0x79/0x580 kernel/locking/rwsem.c:1625\n         btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline]\n         btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239\n         search_leaf fs/btrfs/ctree.c:1986 [inline]\n         btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230\n         btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376\n         btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline]\n         btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline]\n         __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111\n         __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153\n         flush_space+0x269/0xe70 fs/btrfs/space-info.c:723\n         btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078\n         process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600\n         worker_thread+0xa63/0x1210 kernel/workqueue.c:2751\n         kthread+0x2b8/0x350 kernel/kthread.c:389\n         ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145\n         ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\n  -> #0 (&delayed_node->mutex){+.+.}-{3:3}:\n         check_prev_add kernel/locking/lockdep.c:3142 [inline]\n         check_prevs_add kernel/locking/lockdep.c:3261 [inline]\n         validate_chain kernel/locking/lockdep.c:3876 [inline]\n         __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144\n         lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761\n         __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603\n         __mutex_lock kernel/locking/mutex.c:747 [inline]\n         mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799\n         __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n         btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline]\n         __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156\n         btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276\n         btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988\n         vfs_fsync_range fs/sync.c:188 [inline]\n         vfs_fsync fs/sync.c:202 [inline]\n         do_fsync fs/sync.c:212 [inline]\n         __do_sys_fsync fs/sync.c:220 [inline]\n         __se_sys_fsync fs/sync.c:218 [inline]\n         __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218\n         do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n         do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n         entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n  other info that\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/delayed-inode.c"],"versions":[{"version":"506650dcb3a716ad98681f7091ba2f8e748c04b8","lessThan":"779c3cf2749c7a7bad6f839cb2954a25ba92f4d6","status":"affected","versionType":"git"},{"version":"506650dcb3a716ad98681f7091ba2f8e748c04b8","lessThan":"32247b9526bfdaeef85f7339d9b4f913c7370f92","status":"affected","versionType":"git"},{"version":"506650dcb3a716ad98681f7091ba2f8e748c04b8","lessThan":"36d918da3f1bf749178c7daf471a3be1730ed3ca","status":"affected","versionType":"git"},{"version":"506650dcb3a716ad98681f7091ba2f8e748c04b8","lessThan":"e110f8911ddb93e6f55da14ccbbe705397b30d0b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/delayed-inode.c"],"versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","status":"unaffected","versionType":"semver"},{"version":"5.15.133","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.55","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.5.5","lessThanOrEqual":"6.5.*","status":"unaffected","versionType":"semver"},{"version":"6.6","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.15.133"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.1.55"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.5.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/779c3cf2749c7a7bad6f839cb2954a25ba92f4d6"},{"url":"https://git.kernel.org/stable/c/32247b9526bfdaeef85f7339d9b4f913c7370f92"},{"url":"https://git.kernel.org/stable/c/36d918da3f1bf749178c7daf471a3be1730ed3ca"},{"url":"https://git.kernel.org/stable/c/e110f8911ddb93e6f55da14ccbbe705397b30d0b"}],"title":"btrfs: fix lockdep splat and potential deadlock after failure running delayed items","x_generator":{"engine":"bippy-1.2.0"}}}}