{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-03T07:14:01.475","vulnerabilities":[{"cve":{"id":"CVE-2026-23018","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-01-31T12:16:05.100","lastModified":"2026-03-25T18:02:15.263","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before initializing extent tree in btrfs_read_locked_inode()\n\nIn btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree()\nwhile holding a path with a read locked leaf from a subvolume tree, and\nbtrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can\ntrigger reclaim.\n\nThis can create a circular lock dependency which lockdep warns about with\nthe following splat:\n\n [6.1433] ======================================================\n [6.1574] WARNING: possible circular locking dependency detected\n [6.1583] 6.18.0+ #4 Tainted: G U\n [6.1591] ------------------------------------------------------\n [6.1599] kswapd0/117 is trying to acquire lock:\n [6.1606] ffff8d9b6333c5b8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0\n [6.1625]\n but task is already holding lock:\n [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60\n [6.1646]\n which lock already depends on the new lock.\n\n [6.1657]\n the existing dependency chain (in reverse order) is:\n [6.1667]\n -> #2 (fs_reclaim){+.+.}-{0:0}:\n [6.1677] fs_reclaim_acquire+0x9d/0xd0\n [6.1685] __kmalloc_cache_noprof+0x59/0x750\n [6.1694] btrfs_init_file_extent_tree+0x90/0x100\n [6.1702] btrfs_read_locked_inode+0xc3/0x6b0\n [6.1710] btrfs_iget+0xbb/0xf0\n [6.1716] btrfs_lookup_dentry+0x3c5/0x8e0\n [6.1724] btrfs_lookup+0x12/0x30\n [6.1731] lookup_open.isra.0+0x1aa/0x6a0\n [6.1739] path_openat+0x5f7/0xc60\n [6.1746] do_filp_open+0xd6/0x180\n [6.1753] do_sys_openat2+0x8b/0xe0\n [6.1760] __x64_sys_openat+0x54/0xa0\n [6.1768] do_syscall_64+0x97/0x3e0\n [6.1776] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [6.1784]\n -> #1 (btrfs-tree-00){++++}-{3:3}:\n [6.1794] lock_release+0x127/0x2a0\n [6.1801] up_read+0x1b/0x30\n [6.1808] btrfs_search_slot+0x8e0/0xff0\n [6.1817] btrfs_lookup_inode+0x52/0xd0\n [6.1825] __btrfs_update_delayed_inode+0x73/0x520\n [6.1833] btrfs_commit_inode_delayed_inode+0x11a/0x120\n [6.1842] btrfs_log_inode+0x608/0x1aa0\n [6.1849] btrfs_log_inode_parent+0x249/0xf80\n [6.1857] btrfs_log_dentry_safe+0x3e/0x60\n [6.1865] btrfs_sync_file+0x431/0x690\n [6.1872] do_fsync+0x39/0x80\n [6.1879] __x64_sys_fsync+0x13/0x20\n [6.1887] do_syscall_64+0x97/0x3e0\n [6.1894] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [6.1903]\n -> #0 (&delayed_node->mutex){+.+.}-{3:3}:\n [6.1913] __lock_acquire+0x15e9/0x2820\n [6.1920] lock_acquire+0xc9/0x2d0\n [6.1927] __mutex_lock+0xcc/0x10a0\n [6.1934] __btrfs_release_delayed_node.part.0+0x39/0x2f0\n [6.1944] btrfs_evict_inode+0x20b/0x4b0\n [6.1952] evict+0x15a/0x2f0\n [6.1958] prune_icache_sb+0x91/0xd0\n [6.1966] super_cache_scan+0x150/0x1d0\n [6.1974] do_shrink_slab+0x155/0x6f0\n [6.1981] shrink_slab+0x48e/0x890\n [6.1988] shrink_one+0x11a/0x1f0\n [6.1995] shrink_node+0xbfd/0x1320\n [6.1002] balance_pgdat+0x67f/0xc60\n [6.1321] kswapd+0x1dc/0x3e0\n [6.1643] kthread+0xff/0x240\n [6.1965] ret_from_fork+0x223/0x280\n [6.1287] ret_from_fork_asm+0x1a/0x30\n [6.1616]\n other info that might help us debug this:\n\n [6.1561] Chain exists of:\n &delayed_node->mutex --> btrfs-tree-00 --> fs_reclaim\n\n [6.1503] Possible unsafe locking scenario:\n\n [6.1110] CPU0 CPU1\n [6.1411] ---- ----\n [6.1707] lock(fs_reclaim);\n [6.1998] lock(btrfs-tree-00);\n [6.1291] lock(fs_reclaim);\n [6.1581] lock(&del\n---truncated---"},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: btrfs: liberar ruta antes de inicializar el árbol de extensiones en btrfs_read_locked_inode() En btrfs_read_locked_inode() estamos llamando a btrfs_init_file_extent_tree() mientras mantenemos una ruta con una hoja bloqueada para lectura de un árbol de subvolumen, y btrfs_init_file_extent_tree() puede realizar una asignación GFP_KERNEL, lo que puede activar la recuperación. Esto puede crear una dependencia de bloqueo circular sobre la cual lockdep advierte con el siguiente splat: [6.1433] [6.1574] WARNING: posible dependencia de bloqueo circular detectada [6.1583] 6.18.0+ #4 Tainted: G U [6.1591] [6.1599] kswapd0/117 está intentando adquirir el bloqueo: [6.1606] ffff8d9b6333c5b8 (&delayed_node->mutex){+.+.}-{3:3}, en: __btrfs_release_delayed_node.part.0+0x39/0x2f0 [6.1625] pero la tarea ya está manteniendo el bloqueo: [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, en: balance_pgdat+0x195/0xc60 [6.1646] cuyo bloqueo ya depende del nuevo bloqueo. [6.1657] la cadena de dependencia existente (en orden inverso) es: [6.1667] -> #2 (fs_reclaim){+.+.}-{0:0}: [6.1677] fs_reclaim_acquire+0x9d/0xd0 [6.1685] __kmalloc_cache_noprof+0x59/0x750 [6.1694] btrfs_init_file_extent_tree+0x90/0x100 [6.1702] btrfs_read_locked_inode+0xc3/0x6b0 [6.1710] btrfs_iget+0xbb/0xf0 [6.1716] btrfs_lookup_dentry+0x3c5/0x8e0 [6.1724] btrfs_lookup+0x12/0x30 [6.1731] lookup_open.isra.0+0x1aa/0x6a0 [6.1739] path_openat+0x5f7/0xc60 [6.1746] do_filp_open+0xd6/0x180 [6.1753] do_sys_openat2+0x8b/0xe0 [6.1760] __x64_sys_openat+0x54/0xa0 [6.1768] do_syscall_64+0x97/0x3e0 [6.1776] entry_SYSCALL_64_after_hwframe+0x76/0x7e [6.1784] -> #1 (btrfs-tree-00){++++}-{3:3}: [6.1794] lock_release+0x127/0x2a0 [6.1801] up_read+0x1b/0x30 [6.1808] btrfs_search_slot+0x8e0/0xff0 [6.1817] btrfs_lookup_inode+0x52/0xd0 [6.1825] __btrfs_update_delayed_inode+0x73/0x520 [6.1833] btrfs_commit_inode_delayed_inode+0x11a/0x120 [6.1842] btrfs_log_inode+0x608/0x1aa0 [6.1849] btrfs_log_inode_parent+0x249/0xf80 [6.1857] btrfs_log_dentry_safe+0x3e/0x60 [6.1865] btrfs_sync_file+0x431/0x690 [6.1872] do_fsync+0x39/0x80 [6.1879] __x64_sys_fsync+0x13/0x20 [6.1887] do_syscall_64+0x97/0x3e0 [6.1894] entry_SYSCALL_64_after_hwframe+0x76/0x7e [6.1903] -> #0 (&delayed_node->mutex){+.+.}-{3:3}: [6.1913] __lock_acquire+0x15e9/0x2820 [6.1920] lock_acquire+0xc9/0x2d0 [6.1927] __mutex_lock+0xcc/0x10a0 [6.1934] __btrfs_release_delayed_node.part.0+0x39/0x2f0 [6.1944] btrfs_evict_inode+0x20b/0x4b0 [6.1952] evict+0x15a/0x2f0 [6.1958] prune_icache_sb+0x91/0xd0 [6.1966] super_cache_scan+0x150/0x1d0 [6.1974] do_shrink_slab+0x155/0x6f0 [6.1981] shrink_slab+0x48e/0x890 [6.1988] shrink_one+0x11a/0x1f0 [6.1995] shrink_node+0xbfd/0x1320 [6.1002] balance_pgdat+0x67f/0xc60 [6.1321] kswapd+0x1dc/0x3e0 [6.1643] kthread+0xff/0x240 [6.1965] ret_from_fork+0x223/0x280 [6.1287] ret_from_fork_asm+0x1a/0x30 [6.1616] otra información que podría ayudarnos a depurar esto: [6.1561] La cadena existe de: &delayed_node->mutex --> btrfs-tree-00 --> fs_reclaim [6.1503] Posible escenario de bloqueo inseguro: [6.1110] CPU0 CPU1 [6.1411] [6.1707] lock(fs_reclaim); [6.1998] lock(btrfs-tree-00); [6.1291] lock(fs_reclaim); [6.1581] lock(&del ---truncado---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16.9","versionEndExcluding":"6.17","matchCriteriaId":"98F094CD-A7F6-4BEA-8870-C45B63E05825"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17.1","versionEndExcluding":"6.18.6","matchCriteriaId":"8F0BAC72-4991-44BB-A7D4-90D634550955"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*","matchCriteriaId":"7CC8B11D-82DC-4958-8DC7-BF5CC829A5E9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*","matchCriteriaId":"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*","matchCriteriaId":"F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*","matchCriteriaId":"EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/92a5590851144f034adc51fee55e6878ccac716e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}