HarborGuard / CVE
Back to search
HIGHCVE-2026-31598Published Modified CNA Linux

CVE-2026-31598: ocfs2: fix possible deadlock between unlink and dio_end_io_write

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix possible deadlock between unlink and dio_end_io_write ocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem, while in ocfs2_dio_end_io_write, it acquires these locks in reverse order. This creates an ABBA lock ordering violation on lock classes ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] and ocfs2_file_ip_alloc_sem_key. Lock Chain #0 (orphan dir inode_lock -> ip_alloc_sem): ocfs2_unlink ocfs2_prepare_orphan_dir ocfs2_lookup_lock_orphan_dir inode_lock(orphan_dir_inode) <- lock A __ocfs2_prepare_orphan_dir ocfs2_prepare_dir_for_insert ocfs2_extend_dir ocfs2_expand_inline_dir down_write(&oi->ip_alloc_sem) <- Lock B Lock Chain #1 (ip_alloc_sem -> orphan dir inode_lock): ocfs2_dio_end_io_write down_write(&oi->ip_alloc_sem) <- Lock B ocfs2_del_inode_from_orphan() inode_lock(orphan_dir_inode) <- Lock A Deadlock Scenario: CPU0 (unlink) CPU1 (dio_end_io_write) ------ ------ inode_lock(orphan_dir_inode) down_write(ip_alloc_sem) down_write(ip_alloc_sem) inode_lock(orphan_dir_inode) Since ip_alloc_sem is to protect allocation changes, which is unrelated with operations in ocfs2_del_inode_from_orphan. So move ocfs2_del_inode_from_orphan out of ip_alloc_sem to fix the deadlock.

Metrics

CVSS v3.1
7.5
Severity
HIGH
Fixed in
0
Affected Products
2

Fix available

02b884d52273c60c298bd570163e8053657bbaff64b80b5a838a32437f2cae0662578bac216a2c51a6.6.1366.12.836.18.246.19.147.0.17.1-rc1b02da26a992db0c0e2559acbda0fc48d4a2fd337bc0fb5c7d54c78be43a536df0e20dee32adb27d3e049f7a9bd80b7319590789ea5e1c523d6339d91f9fb1a7b635849322e1d7b7b6b26389778ec8e82
Affected packages
  • Linux / Linux
    < 4b80b5a838a32437f2cae0662578bac216a2c51a (from a86a72a4a4e0ec109a98e2737948864ed6794bf7) · < 2b884d52273c60c298bd570163e8053657bbaff6 (from a86a72a4a4e0ec109a98e2737948864ed6794bf7) · < bc0fb5c7d54c78be43a536df0e20dee32adb27d3 (from a86a72a4a4e0ec109a98e2737948864ed6794bf7) · < f9fb1a7b635849322e1d7b7b6b26389778ec8e82 (from a86a72a4a4e0ec109a98e2737948864ed6794bf7) · < e049f7a9bd80b7319590789ea5e1c523d6339d91 (from a86a72a4a4e0ec109a98e2737948864ed6794bf7) · < b02da26a992db0c0e2559acbda0fc48d4a2fd337 (from a86a72a4a4e0ec109a98e2737948864ed6794bf7)
  • Linux / Linux
    4.6
    Fixed in 0, 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1, 7.1-rc1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References