CVE-2026-23036

Source
https://cve.org/CVERecord?id=CVE-2026-23036
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23036.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23036
Downstream
Published
2026-01-31T11:42:30.782Z
Modified
2026-02-09T19:34:05.600043Z
Summary
btrfs: release path before iget_failed() in btrfs_read_locked_inode()
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: release path before iget_failed() in btrfs_read_locked_inode()

In btrfs_read_locked_inode() if we fail to look up the inode, we jump to the 'out' label with a path that has a read locked leaf and then we call iget_failed(). This can result in an ABBA deadlock, since iget_failed() triggers inode eviction and that causes the release of the delayed inode, which must lock the delayed inode's mutex, and a task updating a delayed inode starts by taking the node's mutex and then modifying the inode's subvolume btree.

Syzbot reported the following lockdep splat for this:

======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted

btrfs-cleaner/8725 is trying to acquire lock:
ffff0000d6826a48 (&delayed_node->mutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290

but task is already holding lock:
ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (btrfs-tree-00){++++}-{4:4}:
       __lock_release kernel/locking/lockdep.c:5574 [inline]
       lock_release+0x198/0x39c kernel/locking/lockdep.c:5889
       up_read+0x24/0x3c kernel/locking/rwsem.c:1632
       btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169
       btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline]
       btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133
       btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395
       __btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032
       btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline]
       __btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141
       __btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176
       btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219
       flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828
       do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158
       btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226
       process_one_work+0x7e8/0x155c kernel/workqueue.c:3263
       process_scheduled_works kernel/workqueue.c:3346 [inline]
       worker_thread+0x958/0xed8 kernel/workqueue.c:3427
       kthread+0x5fc/0x75c kernel/kthread.c:463
       ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844

-> #0 (&delayed_node->mutex){+.+.}-{4:4}:
       check_prev_add kernel/locking/lockdep.c:3165 [inline]
       check_prevs_add kernel/locking/lockdep.c:3284 [inline]
       validate_chain kernel/locking/lockdep.c:3908 [inline]
       __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237
       lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868
       __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598
       __mutex_lock kernel/locking/mutex.c:760 [inline]
       mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812
       __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290
       btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline]
       btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326
       btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587
       evict+0x414/0x928 fs/inode.c:810
       iput_final fs/inode.c:1914 [inline]
       iput+0x95c/0xad4 fs/inode.c:1966
       iget_failed+0xec/0x134 fs/bad_inode.c:248
       btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101
       btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837
       btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline]
       btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrf ---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23036.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
69673992b1aea5540199d9b8b658ede72f55a6cf
Fixed
65241e3ddda60b53a4ee3ae12721fc9ee21d5827
Fixed
1e1f2055ad5a7a5d548789b334a4473a7665c418

Affected versions

v6.*
v6.12
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.18
v6.18-rc1
v6.18-rc2
v6.18-rc3
v6.18-rc4
v6.18-rc5
v6.18-rc6
v6.18-rc7
v6.18.1
v6.18.2
v6.18.3
v6.18.4
v6.18.5
v6.18.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23036.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23036.json"