In the Linux kernel, the following vulnerability has been resolved:
jbd2: fix deadlock in jbd2journalcancel_revoke()
Commit f76d4c28a46a ("fs/jbd2: use sleeping version of __findgetblock()") changed jbd2_journalcancelrevoke() to use _findgetblocknonatomic() which holds the folio lock instead of iprivatelock. This breaks the lock ordering (folio -> buffer) and causes an ABBA deadlock when the filesystem blocksize < pagesize:
T1 T2
ext4mkdir() ext4initnewdir() ext4append() ext4getblk() lockbuffer() <- A syncblockdev() blkdevwritepages() writebackiter() writebackgetfolio() foliolock() <- B ext4journalgetcreateaccess() jbd2journalcancelrevoke() __findgetblocknonatomic() foliolock() <- B blockwritefullfolio() lockbuffer() <- A
This can occasionally cause generic/013 to hang.
Fix by only calling _findgetblocknonatomic() when the passed bufferhead doesn't belong to the bdev, which is the only case that we need to look up its bdev alias. Otherwise, the lookup is redundant since the found bufferhead is equal to the one we passed in.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46061.json",
"cna_assigner": "Linux"
}