PatchSiren cyber security CVE debrief
CVE-2026-46061 Linux CVE debrief
A deadlock vulnerability exists in the Linux kernel's JBD2 (journaling block device 2) subsystem, specifically within the jbd2_journal_cancel_revoke() function. The issue stems from a lock ordering violation introduced by commit f76d4c28a46a, which changed the function to use __find_get_block_nonatomic(). This function acquires the folio lock instead of i_private_lock, breaking the established lock ordering of folio -> buffer. When the filesystem blocksize is smaller than the page size, this creates an ABBA deadlock scenario between two threads: one holding a buffer lock while attempting to acquire a folio lock, and another holding a folio lock while attempting to acquire a buffer lock. The vulnerability manifests as system hangs, with the generic/013 test case occasionally failing. The fix restricts the use of __find_get_block_nonatomic() to cases where the passed buffer_head does not belong to the block device, eliminating redundant lookups when the buffer_head already matches the target.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Linux kernel maintainers, system administrators running ext4 or other JBD2-based filesystems, cloud infrastructure operators, and organizations with high-availability requirements where kernel deadlocks could cause service disruption.
Technical summary
The vulnerability is a classic ABBA deadlock in kernel locking primitives. The jbd2_journal_cancel_revoke() function, used during journal transaction processing, was modified to use __find_get_block_nonatomic() which acquires the folio lock. This violates the expected lock ordering when combined with existing buffer_head locking patterns. The deadlock occurs specifically when: (1) Thread 1 holds buffer_head lock (A) via ext4_getblk() and attempts to acquire folio lock (B) via __find_get_block_nonatomic(); (2) Thread 2 holds folio lock (B) via writeback_get_folio() and attempts to acquire buffer_head lock (A) via block_write_full_folio(). The fix optimizes the code path by avoiding the block lookup when the buffer_head already belongs to the target block device, preserving correctness while eliminating the problematic lock acquisition.
Defensive priority
high
Recommended defensive actions
- Apply the relevant stable kernel patch commits to affected systems
- Prioritize patching systems using ext4 or other JBD2-based filesystems with blocksize smaller than page size
- Monitor for system hangs during filesystem operations, particularly directory creation and block device synchronization
- Review kernel logs for deadlock indicators in jbd2_journal_cancel_revoke() call paths
- Validate fix deployment using the generic/013 filesystem test case where feasible
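For the log-review step above, the following Python triage script is an added example, not code from the advisory or the kernel project. It parses kernel hung-task reports and sorts blocked tasks onto the two sides of the ABBA pattern, using only function names given in this debrief. It assumes the standard "INFO: task ... blocked for more than N seconds" report format; the sample log is constructed and abbreviated, and a match is a heuristic prompt to verify the fix, not proof of this bug.

```python
import re
# Function names come from the advisory text; SAMPLE below is a constructed log.
WAITS_ON_FOLIO = {"jbd2_journal_cancel_revoke", "__find_get_block_nonatomic"}
WAITS_ON_BUFFER = {"block_write_full_folio"}
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
HUNG = re.compile(r"INFO: task (.+?):(\d+) blocked for more than \d+ seconds")
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_hung_tasks(log_text):
    """Return one dict per hung-task report: comm, pid, reliable stack symbols."""
    tasks, cur = [], None
    for raw in log_text.splitlines():
        line = TS.sub("", raw)
        m = HUNG.search(line)
        if m:
            cur = {"comm": m.group(1), "pid": int(m.group(2)), "frames": []}
            tasks.append(cur)
        elif cur is not None:
            f = FRAME.match(line)
            if f and not f.group(1):  # "? sym" frames are unreliable, skip them
                cur["frames"].append(f.group(2))
    return tasks

def triage(log_text):
    """Sort hung tasks onto the two sides of the ABBA pattern described above."""
    sides = {"waits_on_folio": [], "waits_on_buffer": []}
    for t in parse_hung_tasks(log_text):
        frames = set(t["frames"])
        if WAITS_ON_FOLIO <= frames:      # buffer lock held, blocked on folio lock
            sides["waits_on_folio"].append(t["pid"])
        elif WAITS_ON_BUFFER & frames:    # folio lock held, blocked on buffer lock
            sides["waits_on_buffer"].append(t["pid"])
    sides["both_sides_present"] = bool(sides["waits_on_folio"] and sides["waits_on_buffer"])
    return sides

SAMPLE = """\
[  492.101] INFO: task fsstress:2101 blocked for more than 120 seconds.
[  492.102] Call Trace:
[  492.104]  ? folio_wait_bit_common+0x10/0x2f0
[  492.105]  __find_get_block_nonatomic+0x9c/0x1e0
[  492.106]  jbd2_journal_cancel_revoke+0x5a/0x130
[  492.107]  ext4_getblk+0x1b4/0x2d0
[  492.201] INFO: task kworker/u8:2:77 blocked for more than 120 seconds.
[  492.202] Call Trace:
[  492.204]  __lock_buffer+0x2a/0x40
[  492.205]  block_write_full_folio+0x1f0/0x3c0
"""
if __name__ == "__main__":
    print(triage(SAMPLE))
```

Feed it the output of `dmesg` or a saved kernel log; hung-task reports only appear when the kernel's hung task detector is enabled.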
Evidence notes
The vulnerability description provides a detailed commit-level analysis identifying the specific problematic change (commit f76d4c28a46a) and includes a thread interaction diagram demonstrating the ABBA deadlock condition. Multiple stable kernel fix commits are referenced, indicating backports to affected versions. The issue is reproducible through the generic/013 filesystem test case.
Official resources
- CVE-2026-46061 CVE record (CVE.org)
- CVE-2026-46061 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
2026-05-27