HIGH
ocfs2 Orphan Directory Deadlock
CVE-2026-31598
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
KernelScan AI7.5HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix possible deadlock between unlink and dio_end_io_write ocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem, while in ocfs2_dio_end_io_write, it acquires these locks in reverse order. This creates an ABBA lock ordering violation on lock classes ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] and ocfs2_file_ip_alloc_sem_key. Lock Chain #0 (orphan dir inode_lock -> ip_alloc_sem): ocfs2_unlink ocfs2_prepare_orphan_dir ocfs2_lookup_lock_orphan_dir inode_lock(orphan_dir_inode) <- lock A __ocfs2_prepare_orphan_dir ocfs2_prepare_dir_for_insert ocfs2_extend_dir ocfs2_expand_inline_dir down_write(&oi->ip_alloc_sem) <- Lock B Lock Chain #1 (ip_alloc_sem -> orphan dir inode_lock): ocfs2_dio_end_io_write down_write(&oi->ip_alloc_sem) <- Lock B ocfs2_del_inode_from_orphan() inode_lock(orphan_dir_inode) <- Lock A Deadlock Scenario: CPU0 (unlink) CPU1 (dio_end_io_write) ------ ------ inode_lock(orphan_dir_inode) down_write(ip_alloc_sem) down_write(ip_alloc_sem) inode_lock(orphan_dir_inode) Since ip_alloc_sem is to protect allocation changes, which is unrelated with operations in ocfs2_del_inode_from_orphan. So move ocfs2_del_inode_from_orphan out of ip_alloc_sem to fix the deadlock.
02KernelScan AI Analysis
Risk summary
This vulnerability can cause system deadlocks when using OCFS2 filesystems. An attacker with local file system access could potentially trigger concurrent operations that result in kernel deadlock, leading to denial of service. The impact is limited to systems using OCFS2 filesystems and requires local access to trigger the race condition.
Vulnerability analysis
Root Cause: ABBA deadlock between two lock acquisition orders in OCFS2 filesystem. The ocfs2_unlink() function acquires orphan_dir_inode lock first then ip_alloc_sem, while ocfs2_dio_end_io_write() acquires ip_alloc_sem first then orphan_dir_inode lock. This creates a classic deadlock scenario when both code paths execute concurrently.
Attack Surface: Local attack surface requiring file system operations. An attacker would need to trigger concurrent unlink operations and direct I/O writes on OCFS2 filesystems to cause the deadlock condition.
Fix Mechanism: The patch moves the ocfs2_del_inode_from_orphan() call outside the ip_alloc_sem critical section in ocfs2_dio_end_io_write(). Since ip_alloc_sem protects allocation changes and is unrelated to orphan directory operations, this reordering eliminates the lock ordering violation without affecting correctness.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 297d8d7bb6a2 |
| 5.15 | 5.15.209 | 32630dee18c6 |
| 6.1 | 6.1.175 | 93f35419eb84 |
| 6.12 | 6.12.83 | 2b884d52273c |
| 6.18 | 6.18.24 | bc0fb5c7d54c |
| 6.19 | 6.19.14 | f9fb1a7b6358 |
| 6.6 | 6.6.136 | 4b80b5a838a3 |
| 7.0 | 7.0.1 | e049f7a9bd80 |
| mainline | 7.1-rc1 | b02da26a992d |