CVE-2026-43299

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/05/2026
Last modified:
15/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: do not ASSERT() when the fs flips RO inside btrfs_repair_io_failure()

[BUG]
There is a bug report that when btrfs hits ENOSPC error in a critical
path, btrfs flips RO (this part is expected, although the ENOSPC bug
still needs to be addressed).

The problem is after the RO flip, if there is a read repair pending, we
can hit the ASSERT() inside btrfs_repair_io_failure() like the following:

  BTRFS info (device vdc): relocating block group 30408704 flags metadata|raid1
  ------------[ cut here ]------------
  BTRFS: Transaction aborted (error -28)
  WARNING: fs/btrfs/extent-tree.c:3235 at __btrfs_free_extent.isra.0+0x453/0xfd0, CPU#1: btrfs/383844
  Modules linked in: kvm_intel kvm irqbypass
  [...]
  ---[ end trace 0000000000000000 ]---
  BTRFS info (device vdc state EA): 2 enospc errors during balance
  BTRFS info (device vdc state EA): balance: ended with status: -30
  BTRFS error (device vdc state EA): parent transid verify failed on logical 30556160 mirror 2 wanted 8 found 6
  BTRFS error (device vdc state EA): bdev /dev/nvme0n1 errs: wr 0, rd 0, flush 0, corrupt 10, gen 0
  [...]
  assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938
  ------------[ cut here ]------------
  assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938
  kernel BUG at fs/btrfs/bio.c:938!
  Oops: invalid opcode: 0000 [#1] SMP NOPTI
  CPU: 0 UID: 0 PID: 868 Comm: kworker/u8:13 Tainted: G W N 6.19.0-rc6+ #4788 PREEMPT(full)
  Tainted: [W]=WARN, [N]=TEST
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
  Workqueue: btrfs-endio simple_end_io_work
  RIP: 0010:btrfs_repair_io_failure.cold+0xb2/0x120
  RSP: 0000:ffffc90001d2bcf0 EFLAGS: 00010246
  RAX: 0000000000000051 RBX: 0000000000001000 RCX: 0000000000000000
  RDX: 0000000000000000 RSI: ffffffff8305cf42 RDI: 00000000ffffffff
  RBP: 0000000000000002 R08: 00000000fffeffff R09: ffffffff837fa988
  R10: ffffffff8327a9e0 R11: 6f69747265737361 R12: ffff88813018d310
  R13: ffff888168b8a000 R14: ffffc90001d2bd90 R15: ffff88810a169000
  FS: 0000000000000000(0000) GS:ffff8885e752c000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  ------------[ cut here ]------------

[CAUSE]
The cause of -ENOSPC error during the test case btrfs/124 is still
unknown, although it's known that we still have cases where metadata can
be over-committed but can not be fulfilled correctly, thus if we hit
such ENOSPC error inside a critical path, we have no choice but abort
the current transaction.

This will mark the fs read-only.

The problem is inside the btrfs_repair_io_failure() path that we require
the fs not to be mount read-only. This is normally fine, but if we are
doing a read-repair meanwhile the fs flips RO due to a critical error,
we can enter btrfs_repair_io_failure() with super block set to
read-only, thus triggering the above crash.

[FIX]
Just replace the ASSERT() with a proper return if the fs is already
read-only.

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.13 (including) | 6.19.6 (excluding)
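
A log-triage sketch for the crash signature in the description and the version range in the table above, added here as an example (it is not code from the kernel patch or from this advisory). The names `triage` and `in_affected_range` are assumptions, the first sample is an excerpt of the log quoted above, and the second sample is constructed.

```python
import re

# Range taken from the CPE row on this page; vendor kernels can carry the fix
# under an older version string, so this is only a first-pass filter.
AFFECTED_FROM, FIXED_IN = (3, 13, 0), (6, 19, 6)

# Match the assertion expression, not the line number (bio.c:938 in the report),
# because line numbers shift between kernel builds.
ASSERT_RE = re.compile(
    r"assertion failed: !\(fs_info->sb->s_flags & SB_RDONLY\).*fs/btrfs/bio\.c")
ABORT_RE = re.compile(r"BTRFS: Transaction aborted \(error (-\d+)\)")
RIP_RE = re.compile(r"RIP: \S*btrfs_repair_io_failure")


def in_affected_range(release):
    """True if a `uname -r` style string falls inside the listed range."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    version = tuple(int(part or 0) for part in m.groups())
    return AFFECTED_FROM <= version < FIXED_IN


def triage(log_text):
    """Report which parts of the crash signature appear in a kernel log."""
    abort, hit = ABORT_RE.search(log_text), ASSERT_RE.search(log_text)
    return {
        "assert_hit": hit is not None,
        "abort_errno": int(abort.group(1)) if abort else None,
        "abort_before_assert": bool(abort and hit and abort.start() < hit.start()),
        "rip_in_repair": RIP_RE.search(log_text) is not None,
    }


# Excerpt of the log quoted in the description above.
PAGE_LOG = """\
BTRFS: Transaction aborted (error -28)
BTRFS info (device vdc state EA): balance: ended with status: -30
assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938
kernel BUG at fs/btrfs/bio.c:938!
RIP: 0010:btrfs_repair_io_failure.cold+0xb2/0x120
"""
# Constructed sample: an RO flip with no pending read repair, so no assertion.
RO_ONLY_LOG = "BTRFS: Transaction aborted (error -28)\n"

if __name__ == "__main__":
    print(triage(PAGE_LOG), in_affected_range("6.19.0-rc6+"))
```

A host whose log shows the transaction abort without the assertion has gone read-only but has not hit this crash; the underlying ENOSPC condition still needs attention, as the description notes.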