{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2024-26658",
        "ASSIGNER": "cve@kernel.org",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: grab s_umount only if snapshotting\n\nWhen I was testing mongodb over bcachefs with compression,\nthere is a lockdep warning when snapshotting mongodb data volume.\n\n$ cat test.sh\nprog=bcachefs\n\n$prog subvolume create /mnt/data\n$prog subvolume create /mnt/data/snapshots\n\nwhile true;do\n    $prog subvolume snapshot /mnt/data /mnt/data/snapshots/$(date +%s)\n    sleep 1s\ndone\n\n$ cat /etc/mongodb.conf\nsystemLog:\n  destination: file\n  logAppend: true\n  path: /mnt/data/mongod.log\n\nstorage:\n  dbPath: /mnt/data/\n\nlockdep reports:\n[ 3437.452330] ======================================================\n[ 3437.452750] WARNING: possible circular locking dependency detected\n[ 3437.453168] 6.7.0-rc7-custom+ #85 Tainted: G            E\n[ 3437.453562] ------------------------------------------------------\n[ 3437.453981] bcachefs/35533 is trying to acquire lock:\n[ 3437.454325] ffffa0a02b2b1418 (sb_writers#10){.+.+}-{0:0}, at: filename_create+0x62/0x190\n[ 3437.454875]\n               but task is already holding lock:\n[ 3437.455268] ffffa0a02b2b10e0 (&type->s_umount_key#48){.+.+}-{3:3}, at: bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.456009]\n               which lock already depends on the new lock.\n\n[ 3437.456553]\n               the existing dependency chain (in reverse order) is:\n[ 3437.457054]\n               -> #3 (&type->s_umount_key#48){.+.+}-{3:3}:\n[ 3437.457507]        down_read+0x3e/0x170\n[ 3437.457772]        bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.458206]        __x64_sys_ioctl+0x93/0xd0\n[ 3437.458498]        do_syscall_64+0x42/0xf0\n[ 3437.458779]        entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.459155]\n               -> #2 (&c->snapshot_create_lock){++++}-{3:3}:\n[ 3437.459615]        down_read+0x3e/0x170\n[ 3437.459878]        bch2_truncate+0x82/0x110 [bcachefs]\n[ 3437.460276]        bchfs_truncate+0x254/0x3c0 [bcachefs]\n[ 3437.460686]        notify_change+0x1f1/0x4a0\n[ 3437.461283]        do_truncate+0x7f/0xd0\n[ 3437.461555]        path_openat+0xa57/0xce0\n[ 3437.461836]        do_filp_open+0xb4/0x160\n[ 3437.462116]        do_sys_openat2+0x91/0xc0\n[ 3437.462402]        __x64_sys_openat+0x53/0xa0\n[ 3437.462701]        do_syscall_64+0x42/0xf0\n[ 3437.462982]        entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.463359]\n               -> #1 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}:\n[ 3437.463843]        down_write+0x3b/0xc0\n[ 3437.464223]        bch2_write_iter+0x5b/0xcc0 [bcachefs]\n[ 3437.464493]        vfs_write+0x21b/0x4c0\n[ 3437.464653]        ksys_write+0x69/0xf0\n[ 3437.464839]        do_syscall_64+0x42/0xf0\n[ 3437.465009]        entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.465231]\n               -> #0 (sb_writers#10){.+.+}-{0:0}:\n[ 3437.465471]        __lock_acquire+0x1455/0x21b0\n[ 3437.465656]        lock_acquire+0xc6/0x2b0\n[ 3437.465822]        mnt_want_write+0x46/0x1a0\n[ 3437.465996]        filename_create+0x62/0x190\n[ 3437.466175]        user_path_create+0x2d/0x50\n[ 3437.466352]        bch2_fs_file_ioctl+0x2ec/0xc90 [bcachefs]\n[ 3437.466617]        __x64_sys_ioctl+0x93/0xd0\n[ 3437.466791]        do_syscall_64+0x42/0xf0\n[ 3437.466957]        entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.467180]\n               other info that might help us debug this:\n\n[ 3437.469670] 2 locks held by bcachefs/35533:\n               other info that might help us debug this:\n\n[ 3437.467507] Chain exists of:\n                 sb_writers#10 --> &c->snapshot_create_lock --> &type->s_umount_key#48\n\n[ 3437.467979]  Possible unsafe locking scenario:\n\n[ 3437.468223]        CPU0                    CPU1\n[ 3437.468405]        ----                    ----\n[ 3437.468585]   rlock(&type->s_umount_key#48);\n[ 3437.468758]                                lock(&c->snapshot_create_lock);\n[ 3437.469030]                                lock(&type->s_umount_key#48);\n[ 3437.469291]   rlock(sb_writers#10);\n[ 3437.469434]\n                *** DEADLOCK ***\n\n[ 3437.469\n---truncated---"
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "n/a"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Linux",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Linux",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<",
                                            "version_name": "1da177e4c3f4",
                                            "version_value": "5b41d3fd04c6"
                                        },
                                        {
                                            "version_value": "not down converted",
                                            "x_cve_json_5_version_data": {
                                                "versions": [
                                                    {
                                                        "version": "6.7.5",
                                                        "lessThanOrEqual": "6.7.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "6.8",
                                                        "lessThanOrEqual": "*",
                                                        "status": "unaffected",
                                                        "versionType": "original_commit_for_fix"
                                                    }
                                                ],
                                                "defaultStatus": "affected"
                                            }
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://git.kernel.org/stable/c/5b41d3fd04c6757b9c2a60a0c5b2609cae9999df",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/5b41d3fd04c6757b9c2a60a0c5b2609cae9999df"
            },
            {
                "url": "https://git.kernel.org/stable/c/2acc59dd88d27ad69b66ded80df16c042b04eeec",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/2acc59dd88d27ad69b66ded80df16c042b04eeec"
            }
        ]
    },
    "generator": {
        "engine": "bippy-a5840b7849dd"
    }
}