{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-54281","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-30T12:06:44.525Z","datePublished":"2025-12-30T12:23:23.122Z","dateUpdated":"2026-05-11T19:58:56.391Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:58:56.391Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before inode lookup during the ino lookup ioctl\n\nDuring the ino lookup ioctl we can end up calling btrfs_iget() to get an\ninode reference while we are holding on a root's btree. If btrfs_iget()\nneeds to lookup the inode from the root's btree, because it's not\ncurrently loaded in memory, then it will need to lock another or the\nsame path in the same root btree. This may result in a deadlock and\ntrigger the following lockdep splat:\n\n  WARNING: possible circular locking dependency detected\n  6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Not tainted\n  ------------------------------------------------------\n  syz-executor277/5012 is trying to acquire lock:\n  ffff88802df41710 (btrfs-tree-01){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n\n  but task is already holding lock:\n  ffff88802df418e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n\n  which lock already depends on the new lock.\n\n  the existing dependency chain (in reverse order) is:\n\n  -> #1 (btrfs-tree-00){++++}-{3:3}:\n         down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645\n         __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n         btrfs_search_slot+0x13a4/0x2f80 fs/btrfs/ctree.c:2302\n         btrfs_init_root_free_objectid+0x148/0x320 fs/btrfs/disk-io.c:4955\n         btrfs_init_fs_root fs/btrfs/disk-io.c:1128 [inline]\n         btrfs_get_root_ref+0x5ae/0xae0 fs/btrfs/disk-io.c:1338\n         btrfs_get_fs_root fs/btrfs/disk-io.c:1390 [inline]\n         open_ctree+0x29c8/0x3030 fs/btrfs/disk-io.c:3494\n         btrfs_fill_super+0x1c7/0x2f0 fs/btrfs/super.c:1154\n         btrfs_mount_root+0x7e0/0x910 fs/btrfs/super.c:1519\n         legacy_get_tree+0xef/0x190 fs/fs_context.c:611\n         vfs_get_tree+0x8c/0x270 fs/super.c:1519\n         fc_mount fs/namespace.c:1112 [inline]\n         vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142\n         btrfs_mount+0x39f/0xb50 fs/btrfs/super.c:1579\n         legacy_get_tree+0xef/0x190 fs/fs_context.c:611\n         vfs_get_tree+0x8c/0x270 fs/super.c:1519\n         do_new_mount+0x28f/0xae0 fs/namespace.c:3335\n         do_mount fs/namespace.c:3675 [inline]\n         __do_sys_mount fs/namespace.c:3884 [inline]\n         __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861\n         do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n         do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n         entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n  -> #0 (btrfs-tree-01){++++}-{3:3}:\n         check_prev_add kernel/locking/lockdep.c:3142 [inline]\n         check_prevs_add kernel/locking/lockdep.c:3261 [inline]\n         validate_chain kernel/locking/lockdep.c:3876 [inline]\n         __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144\n         lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761\n         down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645\n         __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n         btrfs_tree_read_lock fs/btrfs/locking.c:142 [inline]\n         btrfs_read_lock_root_node+0x292/0x3c0 fs/btrfs/locking.c:281\n         btrfs_search_slot_get_root fs/btrfs/ctree.c:1832 [inline]\n         btrfs_search_slot+0x4ff/0x2f80 fs/btrfs/ctree.c:2154\n         btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:412\n         btrfs_read_locked_inode fs/btrfs/inode.c:3892 [inline]\n         btrfs_iget_path+0x2d9/0x1520 fs/btrfs/inode.c:5716\n         btrfs_search_path_in_tree_user fs/btrfs/ioctl.c:1961 [inline]\n         btrfs_ioctl_ino_lookup_user+0x77a/0xf50 fs/btrfs/ioctl.c:2105\n         btrfs_ioctl+0xb0b/0xd40 fs/btrfs/ioctl.c:4683\n         vfs_ioctl fs/ioctl.c:51 [inline]\n         __do_sys_ioctl fs/ioctl.c:870 [inline]\n         __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856\n         do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n         do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n         entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n  other info \n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/ioctl.c"],"versions":[{"version":"23d0b79dfaed2305b500b0215b0421701ada6b1a","lessThan":"7390bb377b5fb3be23cb021e0f184d1f576be7d6","status":"affected","versionType":"git"},{"version":"23d0b79dfaed2305b500b0215b0421701ada6b1a","lessThan":"380bbd46d61c894a8dcaace09e54bc7426d81014","status":"affected","versionType":"git"},{"version":"23d0b79dfaed2305b500b0215b0421701ada6b1a","lessThan":"50e385d98b2a52480836ea41c142b81eeeb277af","status":"affected","versionType":"git"},{"version":"23d0b79dfaed2305b500b0215b0421701ada6b1a","lessThan":"6fdce81e425be112f1ca129776f4041afeaad413","status":"affected","versionType":"git"},{"version":"23d0b79dfaed2305b500b0215b0421701ada6b1a","lessThan":"ee34a82e890a7babb5585daf1a6dd7d4d1cf142a","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/ioctl.c"],"versions":[{"version":"4.18","status":"affected"},{"version":"0","lessThan":"4.18","status":"unaffected","versionType":"semver"},{"version":"5.10.197","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.133","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.55","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.5.5","lessThanOrEqual":"6.5.*","status":"unaffected","versionType":"semver"},{"version":"6.6","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.10.197"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.15.133"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.1.55"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.5.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7390bb377b5fb3be23cb021e0f184d1f576be7d6"},{"url":"https://git.kernel.org/stable/c/380bbd46d61c894a8dcaace09e54bc7426d81014"},{"url":"https://git.kernel.org/stable/c/50e385d98b2a52480836ea41c142b81eeeb277af"},{"url":"https://git.kernel.org/stable/c/6fdce81e425be112f1ca129776f4041afeaad413"},{"url":"https://git.kernel.org/stable/c/ee34a82e890a7babb5585daf1a6dd7d4d1cf142a"}],"title":"btrfs: release path before inode lookup during the ino lookup ioctl","x_generator":{"engine":"bippy-1.2.0"}}}}