In the Linux kernel before 5.14, an improper lock operation in btrfs allows users to crash the kernel or deadlock the system: btrfs returns to userspace with a lock still held. In btrfs_alloc_tree_block(), the new extent buffer @buf comes back from btrfs_init_new_buffer() locked; if a later step such as adding the delayed tree ref fails, the kernel frees @buf without unlocking it, so the next task that tries to take the lock on that extent buffer deadlocks. References: https://lkml.org/lkml/2021/10/18/885 https://lkml.org/lkml/2021/9/13/2565
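The pattern described above, as an added userspace C model written for this page (it is not the kernel's btrfs code): an "extent buffer" that outlives the caller that dropped its reference, a function in the pre-fix shape that frees the buffer on the error path while still holding its lock, and the fixed shape that unlocks on every exit. The flag lock, the names tree_trylock and lock_leaked, and the single cached buffer are assumptions of the model; in the kernel the tree lock is a real sleeping lock, so the probe's -EBUSY corresponds to a task blocking forever.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Toy model (constructed for this illustration). One reusable buffer guarded
 * by a flag lock stands in for a refcounted, cached btrfs extent buffer:
 * dropping a reference does not unlock it, and whoever locks it next
 * inherits whatever state the previous user left behind.
 */
struct extent_buffer {
    int locked;   /* 1 while held; stands in for the btrfs tree lock */
    int refs;     /* reference count; freeing drops a ref, never unlocks */
};

static struct extent_buffer cached_buf = { 0, 0 };

/* Like btrfs_init_new_buffer(): the buffer is handed back locked. */
static struct extent_buffer *init_new_buffer(void)
{
    cached_buf.refs++;
    cached_buf.locked = 1;
    return &cached_buf;
}

/* Like free_extent_buffer(): drops the reference, leaves the lock alone. */
static void free_extent_buffer(struct extent_buffer *buf)
{
    buf->refs--;
}

static void tree_unlock(struct extent_buffer *buf)
{
    buf->locked = 0;
}

/* 0 on success, -EBUSY if already held. A real lock would sleep here. */
static int tree_trylock(struct extent_buffer *buf)
{
    if (buf->locked)
        return -EBUSY;
    buf->locked = 1;
    return 0;
}

/* Pre-fix shape: on failure the buffer is dropped with its lock still held. */
static int alloc_tree_block_buggy(bool ref_add_fails)
{
    struct extent_buffer *buf = init_new_buffer();

    if (ref_add_fails) {
        free_extent_buffer(buf);      /* BUG: lock still held */
        return -ENOMEM;
    }
    /* Success path of the model: release the buffer cleanly. (In the kernel
     * the locked buffer is returned to the caller, who unlocks it later.) */
    tree_unlock(buf);
    free_extent_buffer(buf);
    return 0;
}

/* Fixed shape: every exit path unlocks before dropping the buffer. */
static int alloc_tree_block_fixed(bool ref_add_fails)
{
    struct extent_buffer *buf = init_new_buffer();
    int ret = 0;

    if (ref_add_fails) {
        ret = -ENOMEM;
        goto out_free_buf;
    }
out_free_buf:
    tree_unlock(buf);                 /* fix: unlock on the error path too */
    free_extent_buffer(buf);
    return ret;
}

/* Probe: can the next user take the lock? Returns true if it was leaked.
 * The probe also resets the lock so repeated checks start clean. */
static bool lock_leaked(void)
{
    bool leaked = (tree_trylock(&cached_buf) == -EBUSY);
    tree_unlock(&cached_buf);
    return leaked;
}

/* Run one variant with the delayed-ref step failing; report a leaked lock. */
static bool leaks_lock_on_error(int (*alloc)(bool))
{
    (void)alloc(true);
    return lock_leaked();
}

int main(void)
{
    printf("buggy  leaks lock on error: %s\n",
           leaks_lock_on_error(alloc_tree_block_buggy) ? "yes" : "no");
    printf("fixed  leaks lock on error: %s\n",
           leaks_lock_on_error(alloc_tree_block_fixed) ? "yes" : "no");
    return 0;
}
```

The check a reviewer wants on a function like this is that every `return` after the lock is taken passes through the same unlock, which is why the fixed variant funnels all exits through one label rather than unlocking at each return site.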
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-4149