{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-26658","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.147Z","datePublished":"2024-04-02T06:22:08.468Z","dateUpdated":"2025-05-04T08:53:17.025Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:53:17.025Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: grab s_umount only if snapshotting\n\nWhen I was testing mongodb over bcachefs with compression,\nthere is a lockdep warning when snapshotting mongodb data volume.\n\n$ cat test.sh\nprog=bcachefs\n\n$prog subvolume create /mnt/data\n$prog subvolume create /mnt/data/snapshots\n\nwhile true;do\n    $prog subvolume snapshot /mnt/data /mnt/data/snapshots/$(date +%s)\n    sleep 1s\ndone\n\n$ cat /etc/mongodb.conf\nsystemLog:\n  destination: file\n  logAppend: true\n  path: /mnt/data/mongod.log\n\nstorage:\n  dbPath: /mnt/data/\n\nlockdep reports:\n[ 3437.452330] ======================================================\n[ 3437.452750] WARNING: possible circular locking dependency detected\n[ 3437.453168] 6.7.0-rc7-custom+ #85 Tainted: G            E\n[ 3437.453562] ------------------------------------------------------\n[ 3437.453981] bcachefs/35533 is trying to acquire lock:\n[ 3437.454325] ffffa0a02b2b1418 (sb_writers#10){.+.+}-{0:0}, at: filename_create+0x62/0x190\n[ 3437.454875]\n               but task is already holding lock:\n[ 3437.455268] ffffa0a02b2b10e0 (&type->s_umount_key#48){.+.+}-{3:3}, at: bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.456009]\n               which lock already depends on the new lock.\n\n[ 3437.456553]\n               the existing dependency chain (in reverse order) is:\n[ 3437.457054]\n               -> #3 (&type->s_umount_key#48){.+.+}-{3:3}:\n[ 3437.457507]        down_read+0x3e/0x170\n[ 3437.457772]        bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.458206]        __x64_sys_ioctl+0x93/0xd0\n[ 3437.458498]        do_syscall_64+0x42/0xf0\n[ 3437.458779]        entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.459155]\n               -> #2 (&c->snapshot_create_lock){++++}-{3:3}:\n[ 3437.459615]        down_read+0x3e/0x170\n[ 3437.459878]        bch2_truncate+0x82/0x110 [bcachefs]\n[ 3437.460276]        bchfs_truncate+0x254/0x3c0 [bcachefs]\n[ 3437.460686]        notify_change+0x1f1/0x4a0\n[ 3437.461283]        do_truncate+0x7f/0xd0\n[ 3437.461555]        path_openat+0xa57/0xce0\n[ 3437.461836]        do_filp_open+0xb4/0x160\n[ 3437.462116]        do_sys_openat2+0x91/0xc0\n[ 3437.462402]        __x64_sys_openat+0x53/0xa0\n[ 3437.462701]        do_syscall_64+0x42/0xf0\n[ 3437.462982]        entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.463359]\n               -> #1 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}:\n[ 3437.463843]        down_write+0x3b/0xc0\n[ 3437.464223]        bch2_write_iter+0x5b/0xcc0 [bcachefs]\n[ 3437.464493]        vfs_write+0x21b/0x4c0\n[ 3437.464653]        ksys_write+0x69/0xf0\n[ 3437.464839]        do_syscall_64+0x42/0xf0\n[ 3437.465009]        entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.465231]\n               -> #0 (sb_writers#10){.+.+}-{0:0}:\n[ 3437.465471]        __lock_acquire+0x1455/0x21b0\n[ 3437.465656]        lock_acquire+0xc6/0x2b0\n[ 3437.465822]        mnt_want_write+0x46/0x1a0\n[ 3437.465996]        filename_create+0x62/0x190\n[ 3437.466175]        user_path_create+0x2d/0x50\n[ 3437.466352]        bch2_fs_file_ioctl+0x2ec/0xc90 [bcachefs]\n[ 3437.466617]        __x64_sys_ioctl+0x93/0xd0\n[ 3437.466791]        do_syscall_64+0x42/0xf0\n[ 3437.466957]        entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.467180]\n               other info that might help us debug this:\n\n[ 3437.469670] 2 locks held by bcachefs/35533:\n               other info that might help us debug this:\n\n[ 3437.467507] Chain exists of:\n                 sb_writers#10 --> &c->snapshot_create_lock --> &type->s_umount_key#48\n\n[ 3437.467979]  Possible unsafe locking scenario:\n\n[ 3437.468223]        CPU0                    CPU1\n[ 3437.468405]        ----                    ----\n[ 3437.468585]   rlock(&type->s_umount_key#48);\n[ 3437.468758]                                lock(&c->snapshot_create_lock);\n[ 3437.469030]                                lock(&type->s_umount_key#48);\n[ 3437.469291]   rlock(sb_writers#10);\n[ 3437.469434]\n                *** DEADLOCK ***\n\n[ 3437.469\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/bcachefs/fs-ioctl.c"],"versions":[{"version":"1c6fdbd8f2465ddfb73a01ec620cbf3d14044e1a","lessThan":"5b41d3fd04c6757b9c2a60a0c5b2609cae9999df","status":"affected","versionType":"git"},{"version":"1c6fdbd8f2465ddfb73a01ec620cbf3d14044e1a","lessThan":"2acc59dd88d27ad69b66ded80df16c042b04eeec","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/bcachefs/fs-ioctl.c"],"versions":[{"version":"6.7","status":"affected"},{"version":"0","lessThan":"6.7","status":"unaffected","versionType":"semver"},{"version":"6.7.5","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5b41d3fd04c6757b9c2a60a0c5b2609cae9999df"},{"url":"https://git.kernel.org/stable/c/2acc59dd88d27ad69b66ded80df16c042b04eeec"}],"title":"bcachefs: grab s_umount only if snapshotting","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-26658","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-04-02T18:32:11.328360Z"}}}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:48:42.039Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:14:12.825Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/5b41d3fd04c6757b9c2a60a0c5b2609cae9999df","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/2acc59dd88d27ad69b66ded80df16c042b04eeec","tags":["x_transferred"]}]}]}}