Description
In the Linux kernel, the following vulnerability has been resolved:

jbd2: fix deadlock in jbd2_journal_cancel_revoke()

Commit f76d4c28a46a ("fs/jbd2: use sleeping version of
__find_get_block()") changed jbd2_journal_cancel_revoke() to use
__find_get_block_nonatomic() which holds the folio lock instead of
i_private_lock. This breaks the lock ordering (folio -> buffer) and
causes an ABBA deadlock when the filesystem blocksize < pagesize:

T1 T2
ext4_mkdir()
ext4_init_new_dir()
ext4_append()
ext4_getblk()
lock_buffer() <- A
sync_blockdev()
blkdev_writepages()
writeback_iter()
writeback_get_folio()
folio_lock() <- B
ext4_journal_get_create_access()
jbd2_journal_cancel_revoke()
__find_get_block_nonatomic()
folio_lock() <- B
block_write_full_folio()
lock_buffer() <- A

This can occasionally cause generic/013 to hang.

Fix by only calling __find_get_block_nonatomic() when the passed
buffer_head doesn't belong to the bdev, which is the only case that we
need to look up its bdev alias. Otherwise, the lookup is redundant since
the found buffer_head is equal to the one we passed in.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves a deadlock in the Linux kernel’s ext4 journaling path, specifically in the function jbd2_journal_cancel_revoke(), and represents CWE‑833 (Abnormal Lock Ordering). The lock ordering conflict between folio and buffer locks triggers an ABBA deadlock when the filesystem blocksize is smaller than the page size, which can cause system hangs or a generic kernel panic. The resulting denial of service allows a misbehaving user to force the entire system to become unresponsive or require a reboot.

Affected Systems

All Linux kernel builds that include ext4 and use the jbd2 journaling code are affected. The issue existed in kernels before commit f76d4c28a46a, which replaced the unsafe lock handling with a safer implementation. Distributions shipping kernels that do not include this commit are at risk.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score is not available and it is not listed in the CISA KEV catalog. The deadlock is triggered by an internal execution path that requires local access to perform certain filesystem operations involving jbd2_journal_cancel_revoke(), such as creating or modifying directories. Exploitation would likely lead to a local denial‑of‑service rather than remote code execution.

Generated by OpenCVE AI on May 28, 2026 at 05:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes commit f76d4c28a46a, which replaces the offending code in jbd2_journal_cancel_revoke() with a safer function that avoids the lock‑ordering conflict.
  • If an immediate kernel upgrade is not possible, consider disabling or reducing journaling on the affected ext4 filesystems, such as mounting with the "data=writeback" mode or converting to a non‑journaled filesystem, to eliminate the path that triggers the deadlock.
  • Enable kernel debugging tools such as lockdep or kprobes on systems where the issue persists, to detect and log lock‑ordering violations and confirm that the patch has resolved the problem.

Generated by OpenCVE AI on May 28, 2026 at 05:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-674

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-833
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Wed, 27 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-674

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: jbd2: fix deadlock in jbd2_journal_cancel_revoke() Commit f76d4c28a46a ("fs/jbd2: use sleeping version of __find_get_block()") changed jbd2_journal_cancel_revoke() to use __find_get_block_nonatomic() which holds the folio lock instead of i_private_lock. This breaks the lock ordering (folio -> buffer) and causes an ABBA deadlock when the filesystem blocksize < pagesize: T1 T2 ext4_mkdir() ext4_init_new_dir() ext4_append() ext4_getblk() lock_buffer() <- A sync_blockdev() blkdev_writepages() writeback_iter() writeback_get_folio() folio_lock() <- B ext4_journal_get_create_access() jbd2_journal_cancel_revoke() __find_get_block_nonatomic() folio_lock() <- B block_write_full_folio() lock_buffer() <- A This can occasionally cause generic/013 to hang. Fix by only calling __find_get_block_nonatomic() when the passed buffer_head doesn't belong to the bdev, which is the only case that we need to look up its bdev alias. Otherwise, the lookup is redundant since the found buffer_head is equal to the one we passed in.
Title jbd2: fix deadlock in jbd2_journal_cancel_revoke()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:57:22.041Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46061

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:25.883

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46061

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46061 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T05:45:05Z

Weaknesses