CVE-2026-23214

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: reject new transactions if the fs is fully read-only<br /> <br /> [BUG]<br /> There is a bug report where a heavily fuzzed fs is mounted with all<br /> rescue mount options, which leads to the following warnings during<br /> unmount:<br /> <br /> BTRFS: Transaction aborted (error -22)<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 9758 Comm: repro.out Not tainted<br /> 6.19.0-rc5-00002-gb71e635feefc #7 PREEMPT(full)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014<br /> RIP: 0010:find_free_extent_update_loop fs/btrfs/extent-tree.c:4208 [inline]<br /> RIP: 0010:find_free_extent+0x52f0/0x5d20 fs/btrfs/extent-tree.c:4611<br /> Call Trace:<br /> <br /> btrfs_reserve_extent+0x2cd/0x790 fs/btrfs/extent-tree.c:4705<br /> btrfs_alloc_tree_block+0x1e1/0x10e0 fs/btrfs/extent-tree.c:5157<br /> btrfs_force_cow_block+0x578/0x2410 fs/btrfs/ctree.c:517<br /> btrfs_cow_block+0x3c4/0xa80 fs/btrfs/ctree.c:708<br /> btrfs_search_slot+0xcad/0x2b50 fs/btrfs/ctree.c:2130<br /> btrfs_truncate_inode_items+0x45d/0x2350 fs/btrfs/inode-item.c:499<br /> btrfs_evict_inode+0x923/0xe70 fs/btrfs/inode.c:5628<br /> evict+0x5f4/0xae0 fs/inode.c:837<br /> __dentry_kill+0x209/0x660 fs/dcache.c:670<br /> finish_dput+0xc9/0x480 fs/dcache.c:879<br /> shrink_dcache_for_umount+0xa0/0x170 fs/dcache.c:1661<br /> generic_shutdown_super+0x67/0x2c0 fs/super.c:621<br /> kill_anon_super+0x3b/0x70 fs/super.c:1289<br /> btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2127<br /> deactivate_locked_super+0xbc/0x130 fs/super.c:474<br /> cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318<br /> task_work_run+0x1d4/0x260 kernel/task_work.c:233<br /> exit_task_work include/linux/task_work.h:40 [inline]<br /> do_exit+0x694/0x22f0 kernel/exit.c:971<br /> do_group_exit+0x21c/0x2d0 kernel/exit.c:1112<br /> __do_sys_exit_group kernel/exit.c:1123 [inline]<br /> __se_sys_exit_group kernel/exit.c:1121 [inline]<br /> __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1121<br /> x64_sys_call+0x2210/0x2210 arch/x86/include/generated/asm/syscalls_64.h:232<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x44f639<br /> Code: Unable to access opcode bytes at 0x44f60f.<br /> RSP: 002b:00007ffc15c4e088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7<br /> RAX: ffffffffffffffda RBX: 00000000004c32f0 RCX: 000000000044f639<br /> RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001<br /> RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c32f0<br /> R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001<br /> <br /> <br /> Since rescue mount options will mark the full fs read-only, there should<br /> be no new transaction triggered.<br /> <br /> But during unmount we will evict all inodes, which can trigger a new<br /> transaction, and triggers warnings on a heavily corrupted fs.<br /> <br /> [CAUSE]<br /> Btrfs allows new transaction even on a read-only fs, this is to allow<br /> log replay happen even on read-only mounts, just like what ext4/xfs do.<br /> <br /> However with rescue mount options, the fs is fully read-only and cannot<br /> be remounted read-write, thus in that case we should also reject any new<br /> transactions.<br /> <br /> [FIX]<br /> If we find the fs has rescue mount options, we should treat the fs as<br /> error, so that no new transaction can be started.